
I'm using slapd under Debian/Squeeze and trying to configure the system to only allow TLS-encrypted connections using STARTTLS on port 389.

So I've configured my /etc/default/slapd to listen on port 389:

SLAPD_SERVICES="ldap://:389/"

I generated a certificate and enabled TLS by adding the following entries to /etc/ldap/slapd.d/cn=config.ldif:

olcTLSCertificateFile: /etc/ssl/openldap/ca-cert.pem
olcTLSCertificateKeyFile: /etc/ssl/openldap/ca-key.pem

And finally I added an /etc/ldap/slapd.conf with the following content:

security tls=256

With that configuration I'm able to run TLS-encrypted connections using:

ldapsearch -ZZ -H ldap://127.0.0.1:389 -D "cn=admin,dc=example,dc=net" -w "password"

But besides that, unencrypted connections are still working using:

ldapsearch -H ldap://127.0.0.1:389 -D "cn=admin,dc=example,dc=net" -w "password"

From my point of view it seems that the security directive in /etc/ldap/slapd.conf isn't used at all. Also, when I try to convert the slapd.conf to the cn=config configuration format, I can clearly see that the security directive isn't included in the resulting cn=config configuration files.

Does somebody know what's going on there and how to change the configuration to forbid unencrypted connections?

Daniel

2 Answers

You have declared that all tls connections must have a strength of 256.
You have not declared anything about other types of connections.

Perhaps you wanted security minssf=256?

See `man slapd.conf`, sections sasl-secprops and security, for more information.

84104
  • Using `security minssf=256` produces the same result as in my original question. So no progress here. –  Nov 08 '11 at 07:27
  • Which configuration method are you using? Modifications to slapd.conf will not affect slapd running under cn=config. – 84104 Nov 08 '11 at 16:20

I figured out that the problem has been that I've been using the cn=config-style configuration format (I've been aware of that), but I thought /etc/ldap/slapd.conf would be used too. With the additional entry olcSecurity: tls=128 in /etc/ldap/slapd.d/cn=config.ldif everything works as expected.

Daniel
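As an added example (not part of the original question or answers), here is a small Python audit that reads a cn=config.ldif like the one above, unfolds LDIF continuation lines, and reports whether an olcSecurity entry actually forces TLS, plus a helper that emits the ldapmodify LDIF for adding it. The sample LDIF entries and the 128-bit threshold are constructed for the example; the attribute names are the real cn=config ones from the thread.

```python
import re

# Constructed sample: the cn=config entry from the question, with TLS
# certificates configured but no olcSecurity, and one folded line
# (RFC 2849 continuation) to exercise the parser.
SAMPLE_BEFORE = """dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCertificateFile: /etc/ssl/openldap/ca-cert.pem
olcTLSCertificateKeyFile: /etc/ssl/openldap/ca-k
 ey.pem
"""

# Same entry after the fix from the accepted answer.
SAMPLE_AFTER = SAMPLE_BEFORE + "olcSecurity: tls=128\n"


def parse_ldif_entry(text):
    """Return {attribute: [values]} for one LDIF entry, unfolding continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # leading space = continuation of previous line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def security_factors(attrs):
    """Parse olcSecurity values such as 'tls=128 simple_bind=64' into {factor: strength}."""
    factors = {}
    for value in attrs.get("olcSecurity", []):
        for key, num in re.findall(r"(\w+)=(\d+)", value):
            factors[key] = int(num)
    return factors


def cleartext_allowed(attrs, min_strength=128):
    """True if no ssf/tls/transport factor of at least min_strength is enforced."""
    factors = security_factors(attrs)
    return not any(factors.get(k, 0) >= min_strength for k in ("ssf", "tls", "transport"))


def add_security_ldif(factor="tls", strength=128):
    """LDIF for 'ldapmodify -Y EXTERNAL -H ldapi:///' that adds olcSecurity to cn=config."""
    return f"dn: cn=config\nchangetype: modify\nadd: olcSecurity\nolcSecurity: {factor}={strength}\n"
```

Run the audit against the live /etc/ldap/slapd.d/cn=config.ldif to confirm the directive is present before relying on ldapsearch tests alone.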