Configure OpenLDAP with TLS=required
Nowadays, OpenLDAP needs to be configured with ldapmodify cn=config, as described here. But nowhere can I find how you configure it to only accept TLS traffic. I just confirmed that our server accepts unencrypted traffic (with ldapsearch and tcpdump).
Normally, I would just close the non-SSL port with IP tables, but using the SSL port is deprecated, apparently, so I don't have that option.
So, with the SSL configuration commands, like this:
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/bla.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/bla.crt
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/ca.pem
Is there a param for forcing TLS?
Edit: I tried the olcTLSCipherSuite, but it doesn't work. Debug output:
TLS: could not set cipher list TLSv1+RSA:!NULL.
main: TLS init def ctx failed: -1
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
Edit2 (almost fixed): I was able to fix it by loading:
# cat force-ssl.tx
dn: cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1
But then commands like
ldapmodify -v -Y EXTERNAL -H ldapi:/// -f /etc/ssl/tls-required.ldif
don't work anymore. And changing it to:
ldapmodify -v -x -D "cn=admin,dc=domain,dc=com" -H ldap://ldap.bla.tld/ -ZZ -W -f force-ssl.txt
gives me "ldap_bind: Invalid credentials (49)". Apparently, even though this binddn is specified as rootdn, I can't use it to alter cn=config. Can that be changed?
I seem to have gotten it:
I did this:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1
And that seems to have the desired effect. I can still run commands like:
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config
But trying to bind with "ldapsearch -xLLL -b ..." without SSL says: "TLS confidentiality required"
This is achieved with the TLSCipherSuite option. An example is documented in the LDAP security chapter of the OpenLDAP Zytrax book. With it you can tell OpenLDAP the cipher suites that your server will accept. For example, you can tell it that you don't want a NULL cipher suite (i.e. a non-encrypted session).
Be careful though that OpenLDAP can be linked against OpenSSL or GnuTLS libraries. Those use different cipher lists to describe their encryption support. The OpenSSL cipher list can be obtained with a command like openssl ciphers -v and the GnuTLS list with gnutls-cli -l.
The simplest way to disable connecting without encryption would then be:
dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: ALL:!NULL
A more specific restriction using GnuTLS syntax:
dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: TLS_RSA_CAMELLIA_128_CBC_SHA1:TLS_RSA_CAMELLIA_256_CBC_SHA1:!NULL
A more complete example might be (using OpenSSL syntax):
dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:@STRENGTH:+SHA:+MD5:!NULL
There's an OpenLDAP mailing list discussion worth reading about a similar question.
It's also worth noting that the OpenLDAP CLI tools, like ldapsearch, automatically switch to using TLS when connecting to a server that forbids unencrypted connections. That means that you do not need to add -Z to the args list.