I'm using slapd under Debian/Squeeze and trying to configure the system to only allow TLS-encrypted connections using STARTTLS on port 389.
So I've configured my /etc/default/slapd to listen on port 389:
SLAPD_SERVICES="ldap://:389/"
I generated a certificate and enabled TLS by adding the following entries to /etc/ldap/slapd.d/cn=config.ldif
olcTLSCertificateFile: /etc/ssl/openldap/ca-cert.pem
olcTLSCertificateKeyFile: /etc/ssl/openldap/ca-key.pem
And finally I added an /etc/ldap/slapd.conf with the following content:
security tls=256
With that configuration I'm able to run TLS-encrypted connections using:
ldapsearch -ZZ -H ldap://127.0.0.1:389 -D "cn=admin,dc=example,dc=net" -w "password"
But besides that, unencrypted connections are still working using:
ldapsearch -H ldap://127.0.0.1:389 -D "cn=admin,dc=example,dc=net" -w "password"
From my point of view it seems that the security directive in /etc/ldap/slapd.conf isn't used at all. Also, when I try to convert the slapd.conf to the cn=config configuration format, I can clearly see that the security directive isn't included in the resulting cn=config configuration files.
Does somebody know what's going on there and how to change the configuration to forbid unencrypted connections?
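The following script is an added example, not part of the question above. It turns the two ldapsearch invocations from the post into a repeatable check of whether a slapd instance still accepts a plaintext simple bind, and it prints the cn=config (olcSecurity on cn=config) form of the slapd.conf directive `security tls=256`. The host, bind DN and password-file arguments are assumed; the password is read with ldapsearch's `-y` option so it does not appear on the command line. The exit-code mapping relies on LDAP result code 13 (confidentialityRequired), which ldapsearch returns as its exit status when the server refuses an operation that lacks the required security strength.

```shell
#!/bin/sh
# Added example (not from the original post): verify whether an OpenLDAP
# server still accepts plaintext binds, and emit the cn=config equivalent
# of "security tls=256".

# ldapsearch exits with the LDAP result code of a failed operation.
# 0  = success (the plaintext bind/search was accepted)
# 13 = confidentialityRequired (server refused the unprotected operation)
verdict_for_exit() {
    case "$1" in
        0)  echo "plaintext accepted" ;;
        13) echo "plaintext refused (confidentialityRequired)" ;;
        *)  echo "other failure (exit $1)" ;;
    esac
}

# Same two searches as in the question, against the root DSE, once with
# StartTLS made mandatory (-ZZ) and once without any TLS at all.
# Arguments: host bind-dn password-file (all assumed/hypothetical).
check_plaintext() {
    host="$1"; binddn="$2"; pwfile="$3"

    if ldapsearch -ZZ -H "ldap://$host:389" -D "$binddn" -y "$pwfile" \
            -b "" -s base >/dev/null 2>&1; then rc=0; else rc=$?; fi
    echo "StartTLS bind : $(verdict_for_exit "$rc")"

    if ldapsearch -H "ldap://$host:389" -D "$binddn" -y "$pwfile" \
            -b "" -s base >/dev/null 2>&1; then rc=0; else rc=$?; fi
    echo "plaintext bind: $(verdict_for_exit "$rc")"

    # The server is only doing its job if the second attempt is refused.
    [ "$rc" -eq 13 ]
}

# cn=config form of "security tls=256": the olcSecurity attribute on the
# global cn=config entry (a per-database olcSecurity is also possible).
olc_security_ldif() {
    cat <<'EOF'
dn: cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=256
EOF
}

# Only run the live check when invoked with arguments and the tool exists.
if [ $# -ge 3 ] && command -v ldapsearch >/dev/null 2>&1; then
    check_plaintext "$@"
fi
```

Typical use on a Debian host: save the output of `olc_security_ldif` to a file, apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f that-file` (the local root-over-ldapi access Debian's slapd.d setup grants), then run `sh check.sh 127.0.0.1 "cn=admin,dc=example,dc=net" /path/to/pwfile` and confirm the second line reports the plaintext bind as refused.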