Debian – slapd with STARTTLS only doesn’t work

debianopenldapstarttlstls

I'm using slapd under Debian/Squeeze and trying to configure the system to only allow TLS-encrypted connections using STARTTLS on port 389.

So I've configured my /etc/default/slapd to listen on port 389:

SLAPD_SERVICES="ldap://:389/"

I generated a certificate and enabled TLS by adding the following entries to /etc/ldap/slap.d/cn=config.ldif

olcTLSCertificateFile: /etc/ssl/openldap/ca-cert.pem
olcTLSCertificateKeyFile: /etc/ssl/openldap/ca-key.pem

And finally I added an /etc/ldap/slapd.conf with the following content:

security tls=256

With that configuration I'm able to run TLS-encrypted connections using:

ldapsearch -ZZ -H ldap://127.0.0.1:389 -D "cn=admin,dc=example,dc=net" -w "password"

But beside that unencrypted connections are still working using:

ldapsearch -H ldap://127.0.0.1:389 -D "cn=admin,dc=example,dc=net" -w "password"

From my point of view it seems that the security directive in /etc/ldap/slapd.conf isn't used at all. Also when I try to convert the slapd.conf to the cn=config configuration format, I can clearly see, that the security directive isn't included in the resulting cn=config configuration files.

Does somebody know what's going on there and how to change the configuration to forbid unencrypted connections?

Best Answer

You have declared that all tls connections must have a strength of 256.
You have not declared anything about other types of connections.

Perhaps you wanted security minssf=256?

man slapd.conf sections sasl-secprops and security for more information.

Related Solutions

Using SSL on slapd

Check your server logs, but I believe your problem lies with olcTLSVerifyClient: demand -- This is requiring that your client present a certificate to the server to authenticate itself during the handshake, and unless you have a certificate there (which is deemed acceptable by the server) you will not be allowed to connect.

You may also want to peruse this site (or this one) which has details on OpenLDAP & TLS (SSL) -- Your configuration is a bit different than the examples I'm familiar with.

Ssl – LDAP Client Search with SSL – CentOS7

The following is taken from a working CentOS7 ldap server, and should cover the key aspects of SASL/EXTERNAL(TLS) authentication.
Minors notes:
- The server is also acting as the client in this example.
- This example makes use of ~/.ldaprc rather than /etc/openldap/ldap.conf
- This example uses olcTLSVerifyClient: verify rather than hard because the server is supporting other authentication types in addition to SASL/EXTERNAL(TLS) authentication.

slapd-config

[root@ldap ~]# ldapsearch cn=config olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> (default) with scope subtree
# filter: cn=config
# requesting: olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient 
#

# config
dn: cn=config
olcTLSCACertificateFile: /etc/pki/tls/certs/ldap.example.com_CA.crt
olcTLSCertificateFile: /etc/pki/tls/certs/ldap.example.com.crt
olcTLSCertificateKeyFile: /etc/pki/tls/private/ldap.example.com.key
olcTLSVerifyClient: try

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

certificate key permissions

[root@ldap ~]# ls -lZ /etc/pki/tls/private/ldap.example.com.key
-rw-r-----+ root root unconfined_u:object_r:cert_t:s0  /etc/pki/tls/private/ldap.example.com.key

[root@ldap ~]# getfacl /etc/pki/tls/private/ldap.example.com.key
getfacl: Removing leading '/' from absolute path names
# file: etc/pki/tls/private/ldap.example.com.key
# owner: root
# group: root
user::rw-
user:ldap:r--
group::---
mask::r--
other::---

sasl configuration

[root@ldap ~]# cat /etc/sasl2/slapd.conf 
mech_list: external gssapi plain
pwcheck_method: saslauthd

ldap client settings

[root@ldap ~]# cat .ldaprc
URI ldapi:///
BASE cn=config
SASL_MECH external
#TLS_CACERT /etc/ssl/certs/ca-bundle.crt
TLS_CACERT /etc/pki/tls/certs/ldap.example.com_CA.crt
TLS_CERT /etc/pki/tls/certs/ldap.example.com.crt
TLS_KEY /etc/pki/tls/private/ldap.example.com.key

successful SASL/EXTERNAL(TLS) bind

[root@ldap ~]# ldapwhoami -ZZ -h ldap.example.com
SASL/EXTERNAL authentication started
SASL username: cn=ldap.example.com,<cert locality info>
SASL SSF: 0
dn:cn=ldap.example.com,<cert locality info>
[root@ldap ~]# ldapwhoami -H ldaps://ldap.example.com
SASL/EXTERNAL authentication started
SASL username: cn=ldap.example.com,<cert locality info>
SASL SSF: 0

Best Answer

Related Solutions

Using SSL on slapd

Ssl – LDAP Client Search with SSL – CentOS7

Related Topic