OpenLDAP – Configure with TLS Required

Tags: ldap, openldap, tls

Nowadays, OpenLDAP needs to be configured with ldapmodify cn=config, as described here. But nowhere can I find how to configure it to only accept TLS traffic. I just confirmed that our server accepts unencrypted traffic (with ldapsearch and tcpdump).

Normally, I would just close the non-SSL port with iptables, but using the SSL port is deprecated, apparently, so I don't have that option.

So, with the SSL configuration commands, like this:

dn: cn=config
changetype:modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/bla.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/bla.crt
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/ca.pem

Is there a param for forcing TLS?

Edit: I tried the olcTLSCipherSuite, but it doesn't work. Debug output:

TLS: could not set cipher list TLSv1+RSA:!NULL.
main: TLS init def ctx failed: -1
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.

Edit2 (almost fixed): I was able to fix it by loading:

# cat force-ssl.tx 
dn: cn=config
changetype:  modify
add: olcSecurity
olcSecurity: tls=1

But then commands like

ldapmodify -v -Y EXTERNAL -H ldapi:/// -f /etc/ssl/tls-required.ldif

Don't work anymore… And changing it to:

ldapmodify -v -x -D "cn=admin,dc=domain,dc=com" -H ldap://ldap.bla.tld/ -ZZ -W -f force-ssl.txt

gives me "ldap_bind: Invalid credentials (49)". Apparently, even though this binddn is specified as rootdn, I can't use it to alter cn=config. Can that be changed?

Best Answer

I seem to have gotten it:

I did this:

dn: olcDatabase={1}hdb,cn=config
changetype:  modify
add: olcSecurity
olcSecurity: tls=1

And that seems to have the desired effect. I can still run commands like:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config

But trying to bind with "ldapsearch -xLLL -b ..." without SSL says: "TLS confidentiality required".
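The following is an added example, not code from the question or the accepted answer. It generates the same olcSecurity modify record the answer applied to the database entry (rather than to cn=config, which is what broke the ldapi:/// EXTERNAL path in the question), and then checks from a client that a plaintext simple bind is refused with "Confidentiality required (13)" while the same bind over STARTTLS (-ZZ) succeeds. The host, bind DN, password and base DN are placeholders; ldapsearch must be installed for the live check, but the LDIF builder and the result classifier run without a server.

```python
#!/usr/bin/env python3
"""Added example: build the olcSecurity LDIF and verify TLS enforcement from a client.

Assumptions (placeholders, not from the original thread):
  - the data database is olcDatabase={1}hdb,cn=config, as in the accepted answer
  - ldap.example.com, cn=admin,dc=example,dc=com and dc=example,dc=com are fictitious
"""
import re
import subprocess

# slapd reports a refused simple bind over plaintext as LDAP result 13,
# "Confidentiality required", with "TLS confidentiality required" as additional info.
CONF_REQUIRED = re.compile(r"Confidentiality required \(13\)")


def build_tls_required_ldif(db_dn="olcDatabase={1}hdb,cn=config", factor="tls=1"):
    """Return the LDIF modify record that requires TLS for operations on db_dn.

    tls=1 is the factor used in the accepted answer. Placing it on the database
    entry instead of on cn=config leaves ldapi:/// + SASL EXTERNAL access to
    cn=config working, which is the problem the question ran into.
    """
    return "\n".join([
        f"dn: {db_dn}",
        "changetype: modify",
        "add: olcSecurity",
        f"olcSecurity: {factor}",
        "",  # trailing newline terminates the record
    ])


def classify_bind_result(returncode, stderr):
    """Map an ldapsearch exit status and stderr to one of three outcomes.

    ldapsearch exits with the LDAP result code of the failed bind, so 13 on its
    own is enough; the message match covers wrappers that rewrite exit codes.
    """
    if returncode == 0:
        return "allowed"
    if returncode == 13 or CONF_REQUIRED.search(stderr or ""):
        return "tls_required"
    return "other_error"


def tls_enforced(plain_result, starttls_result):
    """True only if plaintext binds are refused AND the STARTTLS bind works.

    Checking both halves guards against reading a broken server (every bind
    failing) as a correctly hardened one.
    """
    return plain_result == "tls_required" and starttls_result == "allowed"


def run_ldapsearch(host, bind_dn, password, base, starttls):
    """Run a minimal base-scope search and classify the bind outcome."""
    cmd = ["ldapsearch", "-x", "-H", f"ldap://{host}/", "-D", bind_dn,
           "-w", password, "-b", base, "-s", "base", "-LLL", "1.1"]
    if starttls:
        cmd.insert(1, "-ZZ")  # -ZZ: STARTTLS and fail if it cannot be negotiated
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return classify_bind_result(proc.returncode, proc.stderr)


def check_server(host, bind_dn, password, base):
    """Probe the server both ways and return the two classifications."""
    plain = run_ldapsearch(host, bind_dn, password, base, starttls=False)
    secure = run_ldapsearch(host, bind_dn, password, base, starttls=True)
    return {"plaintext": plain, "starttls": secure, "enforced": tls_enforced(plain, secure)}


if __name__ == "__main__":
    print(build_tls_required_ldif())
    # Live check against a real server; values below are placeholders.
    result = check_server("ldap.example.com", "cn=admin,dc=example,dc=com",
                          "placeholder-password", "dc=example,dc=com")
    print(result)
```

Apply the generated LDIF with the same ldapi:/// EXTERNAL invocation the answer uses for ldapsearch, then run the live check; a result of {"plaintext": "tls_required", "starttls": "allowed", "enforced": True} is what the answer describes. If you later want ldapi:/// connections to the data database counted as well, the slapd-config olcSecurity ssf= factor (which honours olcLocalSSF for ldapi) is the alternative to tls=, which only credits TLS-protected connections.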
