Configure OpenLDAP with TLS=required

tls ldap openldap

Nowadays, OpenLDAP needs to be configured with ldapmodify cn=config, as describe here. But nowhere I can find how you configure it to only accept TLS traffic. I just confirmed that our server accepts unencrypted traffic (with ldapsearch and tcpdump).

Normally, I would just close the non-SSL port with IP tables, but using the SSL port is deprecated, apparently, so I don't have that option.

So, with the SSL configuration commands, like this:

dn: cn=config
changetype:modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/bla.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/bla.crt
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/ca.pem

Is there a param for forcing TLS?

Edit: I tried the olcTLSCipherSuite, but it doesn't work. Debug output:

TLS: could not set cipher list TLSv1+RSA:!NULL.
main: TLS init def ctx failed: -1
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.

Edit2 (almost fixed): I was able to fix it by loading:

# cat force-ssl.tx 
dn: cn=config
changetype:  modify
add: olcSecurity
olcSecurity: tls=1

But then commands like

ldapmodify -v -Y EXTERNAL -H ldapi:/// -f /etc/ssl/tls-required.ldif

Don't work anymore... And changing it to:

ldapmodify -v -x -D "cn=admin,dc=domain,dc=com" -H ldap://ldap.bla.tld/ -ZZ -W -f force-ssl.txt

gives me "ldap_bind: Invalid credentials (49)". Apparently, even though this binddn is specified as rootdn, I can't use it to alter cn=config. Can that be changed?


I seemed to have gotten it:

I did this:

dn: olcDatabase={1}hdb,cn=config
changetype:  modify
add: olcSecurity
olcSecurity: tls=1

And that seems to have the desired effect. I can still run commands like:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config

But trying to bind with "ldapsearch -xLLL -b ..." without SSL says: "TLS confidentiality required"


This is achieved with the TLSCipherSuite option. An example is documented at LDAP security chapter of the OpenLDAP Zytrax book. With it you can tell OpenLDAP the cipher suites that your server will accept. For example, you can tell that you don't want a NULL cipher suite (ie: non encrypted session).

Be careful though that OpenLDAP can be linked against OpenSSL or GnuTLS libraries. Those use different cipher lists to describe their encryption support. The OpenSSL cipher list can be obtained with a command like openssl ciphers -v and the GnuTLS list with gnutls-cli -l.

The simplest way to disable connecting without encryption would then be:

dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: ALL:!NULL

A more specific restriction using GnuTLS syntax:

dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: TLS_RSA_CAMELLIA_128_CBC_SHA1:TLS_RSA_CAMELLIA_256_CBC_SHA1:!NULL

A more complete example might be (using OpenSSL syntax):

dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:@STRENGTH:+SHA:+MD5:!NULL

There's an OpenLDAP mailing list discussion worth reading about a similar question.

It's also worth noting that the OpenLDAP cli tools, like ldapsearch, are automatically switching to using TLS when connecting to a server forbidding the unencrypted connections. That means that you do not need to add -Z to the args list.

Related

Zeroing SSD drives
Reverse DNS in a CIDR world
How can I send visitors to the closest server using DNS?
Does fail2ban do Windows?
Physically Identify the failed hard drive
Amazon EC2 - No SSH After Reboot, Connection Refused
ZFS Data Loss Scenarios
Will disabling hyperthreading improve performance on our SQL Server install
Do I really need MS Active Directory? [closed]
Filesystem large number of files in a single directory
Why is it called DNS "Propagation"?
How do I configure Reverse Group Membership Maintenance on an openldap server? (memberOf)