16

Nowadays, OpenLDAP needs to be configured with ldapmodify against cn=config, as described here. But nowhere can I find how to configure it to only accept TLS traffic. I just confirmed that our server accepts unencrypted traffic (with ldapsearch and tcpdump).

Normally, I would just close the non-SSL port with iptables, but using the SSL port is deprecated, apparently, so I don't have that option.

So, with the SSL configuration commands, like this:

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/bla.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/bla.crt
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/ca.pem

Is there a param for forcing TLS?

Edit: I tried the olcTLSCipherSuite, but it doesn't work. Debug output:

TLS: could not set cipher list TLSv1+RSA:!NULL.
main: TLS init def ctx failed: -1
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.

Edit2 (almost fixed): I was able to fix it by loading:

# cat force-ssl.tx 
dn: cn=config
changetype:  modify
add: olcSecurity
olcSecurity: tls=1

But then commands like

ldapmodify -v -Y EXTERNAL -H ldapi:/// -f /etc/ssl/tls-required.ldif

don't work anymore. And changing it to:

ldapmodify -v -x -D "cn=admin,dc=domain,dc=com" -H ldap://ldap.bla.tld/ -ZZ -W -f force-ssl.txt

gives me "ldap_bind: Invalid credentials (49)". Apparently, even though this binddn is specified as rootdn, I can't use it to alter cn=config. Can that be changed?

Halfgaar

2 Answers

17

I seem to have gotten it:

I did this:

dn: olcDatabase={1}hdb,cn=config
changetype:  modify
add: olcSecurity
olcSecurity: tls=1

And that seems to have the desired effect. I can still run commands like:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config

But trying to bind with "ldapsearch -xLLL -b ..." without SSL says: "TLS confidentiality required"

Halfgaar
  • +1 it seems to work great. Unfortunately, if the client tries to authenticate without STARTTLS it sends the password in plaintext, and then the server responds with the `TLS confidentiality required` message. – Carlos Campderrós May 06 '13 at 14:55
  • I posted that on the OpenLDAP mailing list as a possible security issue. I gave the example of FTP, which blocks as soon as you give USER. But, I was overruled. [See this.](http://www.openldap.org/lists/openldap-technical/201212/msg00221.html) – Halfgaar May 07 '13 at 07:14
  • funny, I looked at that thread before I found this answer :) – Carlos Campderrós May 07 '13 at 07:20
  • Thanks, just what I was looking for. The password going over the wire in cleartext is going to be implementation-specific on the client-side software. The TLS requirement can be tested with an anonymous bind first before trying to bind as the user. – Server Fault Apr 24 '15 at 19:43
3

This is achieved with the TLSCipherSuite option. An example is documented in the LDAP security chapter of the Zytrax OpenLDAP book. With it you can tell OpenLDAP the cipher suites that your server will accept. For example, you can say that you don't want a NULL cipher suite (i.e. a non-encrypted session).

Be careful though that OpenLDAP can be linked against OpenSSL or GnuTLS libraries. Those use different cipher lists to describe their encryption support. The OpenSSL cipher list can be obtained with a command like openssl ciphers -v and the GnuTLS list with gnutls-cli -l.

The simplest way to disable connecting without encryption would then be:

dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: ALL:!NULL

A more specific restriction using GnuTLS syntax:

dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: TLS_RSA_CAMELLIA_128_CBC_SHA1:TLS_RSA_CAMELLIA_256_CBC_SHA1:!NULL

A more complete example might be (using OpenSSL syntax):

dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:@STRENGTH:+SHA:+MD5:!NULL

There's an OpenLDAP mailing list discussion worth reading about a similar question.

It's also worth noting that the OpenLDAP CLI tools, like ldapsearch, automatically switch to TLS when connecting to a server that forbids unencrypted connections. That means you do not need to add -Z to the argument list.

Læti
  • I tried it. It didn't work. I edited my question to reflect it. – Halfgaar Dec 21 '12 at 13:54
  • I think the error you report is related to the ciphers your TLS implementation knows about. OpenLDAP can be compiled with OpenSSL or GnuTLS libraries. The example I gave used OpenSSL syntax; your implementation is probably using GnuTLS. I'd suggest you try a simplified CipherSuite, for example `ALL:!NULL` – Læti Dec 21 '12 at 18:04
  • "WARNING: Don’t be clever and change the TLSCipherSuite to something clever like HIGH:MEDIUM:-SSLv2 – this is an openssl directive" - read http://rogermoffatt.com/2011/08/24/ubuntu-openldap-with-ssltls/ . – Xdg Jan 02 '16 at 13:55
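An added example (not from the answer) for dry-running an OpenSSL-syntax olcTLSCipherSuite string before loading it into cn=config, since a string the library rejects stops slapd at startup with "could not set cipher list", as the question shows. It assumes slapd is linked against OpenSSL, the same library Python's ssl module calls; a GnuTLS build uses a different syntax, as the answer and comments note.

```python
import ssl

# Added example, not from the answer: apply a candidate cipher string with the same
# OpenSSL call an OpenSSL-linked slapd makes, so a rejected olcTLSCipherSuite is
# caught here rather than stopping slapd at startup ("TLS: could not set cipher list").

def ciphers_after(spec):
    """Cipher names OpenSSL keeps for `spec`, or None if the library rejects the spec."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return None
    return [c["name"] for c in ctx.get_ciphers()]

def null_ciphers(names):
    """Subset of `names` that provide no encryption (eNULL suites)."""
    return [n for n in names if "NULL" in n]

def check_cipher_spec(spec):
    """(accepted, number of ciphers kept, NULL ciphers still allowed) for a candidate spec."""
    names = ciphers_after(spec)
    if names is None:
        return False, 0, []
    return True, len(names), null_ciphers(names)

if __name__ == "__main__":
    # The answer's OpenSSL-syntax string, then its GnuTLS-syntax string, which an
    # OpenSSL build is expected to reject (no cipher name it knows matches).
    for spec in ("ALL:!NULL",
                 "TLS_RSA_CAMELLIA_128_CBC_SHA1:TLS_RSA_CAMELLIA_256_CBC_SHA1:!NULL"):
        print(spec, "->", check_cipher_spec(spec))
```

Even an accepted string with no NULL suites only governs TLS sessions; it does not stop a client from binding in cleartext on port 389, which is what olcSecurity: tls=1 in the accepted answer addresses.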