Ldap – Unable to enable TLS on LDAP Server

ldap openldap

I would like to enable Secure LDAP authentication on my CentOS 7.2 Samba server… however I am getting stuck setting up TLS on the LDAP server itself.

EDIT: [ I installed openldap from the default repositories ]

I am currently following the tutorial here but instead of entering settings manually into the configuration files, I am trying to do it the "proper" way and use ldapmodify. It took me a while to understand how to use the tool, but I have finally mastered that part. I get stuck however on the following.

Command:

ldapmodify -Y EXTERNAL -H ldapi:/// -f TLS.config -v

Using the above command to apply the following LDIF file, I get the error below.

TLS.config:

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: HIGH
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/file.server.org.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/file.server.org.key.pem

Error:

Entry (olcDatabase={2}hdb,cn=config), attribute 'olcTLSCipherSuite' not allowed

EDIT2: [ I have both OpenSSL and GnuTLS installed, so I fulfill the requirements for TLS as specified by the OpenLDAP documentation found here ]

EDIT3: [ I have my certificates in the correct folder with what I can only guess to be the correct permissions, as shown below.

(screenshot of the certificate directory listing and its permissions, not reproduced)

]

EDIT4: Resolution

As mentioned by 84104 below, the olcTLS configuration directives are addressed in the cn=config file and not in the database definitions themselves.

I have succeeded in configuring the TLS directives and have moved on to creating my entries.

Thanks for your help!

Best Answer

The olcTLS* attributes are applied to cn=config, the general server config, not any specific database, e.g. olcDatabase={2}hdb,cn=config.

$ ldapsearch -b cn=config '(|(olcTLSCertificateFile=*)(olcTLSCertificateKeyFile=*)(olcTLSCipherSuite=*))' olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSCipherSuite olcTLSProtocolMin
dn: cn=config
olcTLSCertificateFile: /etc/openldap/ssl/ldap.cert
olcTLSCertificateKeyFile: /etc/openldap/ssl/ldap.key
olcTLSCipherSuite: HIGH:!aNull:!MD5:@STRENGTH
olcTLSProtocolMin: 3.1
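The failure in the question is easy to catch before `ldapmodify` ever talks to the server: the `olcTLS*` attributes are only valid on the `cn=config` entry, so any LDIF record that puts them under a database DN will be rejected. The following Python is an added example, not code from the question, the answer or the OpenLDAP project. It builds the corrected LDIF (the cipher suite, certificate and key paths from the question, plus the `olcTLSProtocolMin` value shown in the answer) and runs a small pre-flight check over an LDIF file that flags exactly the mistake the asker hit. It uses only the standard library; the sample LDIF embedded in it is a constructed copy of the question's file.

```python
"""Build a cn=config TLS LDIF and pre-flight check LDIF files for misplaced olcTLS* attributes."""

import re
from typing import Dict, List, Tuple

# Global TLS settings belong to the server-wide cn=config entry, not to a database entry
# such as olcDatabase={2}hdb,cn=config.
TLS_DN = "cn=config"


def build_tls_ldif(cert: str, key: str, ciphers: str = "HIGH", proto_min: str = "3.1") -> str:
    """Return an LDIF that adds the olcTLS* attributes to cn=config.

    Uses 'add:' like the question did; on a server where the attributes already exist,
    change 'add:' to 'replace:' or ldapmodify reports 'attribute ... already exists'.
    """
    return "\n".join([
        f"dn: {TLS_DN}",
        "changetype: modify",
        "add: olcTLSCipherSuite",
        f"olcTLSCipherSuite: {ciphers}",
        "-",
        "add: olcTLSCertificateFile",
        f"olcTLSCertificateFile: {cert}",
        "-",
        "add: olcTLSCertificateKeyFile",
        f"olcTLSCertificateKeyFile: {key}",
        "-",
        "add: olcTLSProtocolMin",
        f"olcTLSProtocolMin: {proto_min}",
        "",
    ])


def parse_ldif_changes(text: str) -> List[Tuple[str, Dict[str, List[str]]]]:
    """Minimal LDIF parser returning (dn, {attribute: [values]}) per record.

    Handles comments, '-' change separators and RFC 2849 line folding, which is all a
    cn=config modify file needs. Base64 ('::') and URL (':<') values are not decoded.
    """
    records: List[Tuple[str, Dict[str, List[str]]]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines: List[str] = []
        for raw in block.splitlines():
            if raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:  # folded continuation line
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        dn = None
        attrs: Dict[str, List[str]] = {}
        for line in lines:
            if line.strip() == "-":
                continue
            name, _, value = line.partition(":")
            name, value = name.strip(), value.strip()
            if name.lower() == "dn":
                dn = value
            elif name:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            records.append((dn, attrs))
    return records


def check_tls_placement(text: str) -> List[str]:
    """Return one message per olcTLS* attribute that targets anything other than cn=config."""
    problems = []
    for dn, attrs in parse_ldif_changes(text):
        for name in attrs:
            if name.lower().startswith("olctls") and dn.lower() != TLS_DN:
                problems.append(f"{name} on '{dn}' will be rejected: move it to {TLS_DN}")
    return problems


# Constructed copy of the question's TLS.config, which targets the database entry.
BROKEN_LDIF = """dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: HIGH
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/file.server.org.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/file.server.org.key.pem
"""

if __name__ == "__main__":
    for msg in check_tls_placement(BROKEN_LDIF):
        print("BROKEN:", msg)
    fixed = build_tls_ldif("/etc/openldap/certs/file.server.org.pem",
                           "/etc/openldap/certs/file.server.org.key.pem")
    print("fixed LDIF problems:", check_tls_placement(fixed))
    print(fixed)
```

Write the output of `build_tls_ldif` to a file and apply it with the same `ldapmodify -Y EXTERNAL -H ldapi:///` invocation from the question; the `ldapsearch -b cn=config` query in the answer then shows the four attributes on `dn: cn=config`. The check only parses the LDIF, so it cannot tell whether the certificate and key files are readable by the slapd user; a `chown`/`ls -l` on the certificate directory is still needed before restarting the server.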