
We have an openldap server and don't want to allow unencrypted communication, so acceptable is either tls over port 389 (starttls) or ssl over 636 (ldaps).

As we use slapd.conf for configuration, olcSecurity isn't an option.

TLSCipherSuite seems to be the way to do it with slapd.conf. But when using that slapd either doesn't start or ignores the settings (i.e. accepts unencrypted requests).

slapd doesn't start (error: TLS init def ctx failed: -1) when using:

- TLSCipherSuite ALL
- TLSCipherSuite Default
- TLSCipherSuite ALL:!NULL
- TLSCipherSuite ALL:!aNULL
- TLSCipherSuite AES256-SHA #one of the ciphers offered by openssl

slapd starts but accepts unencrypted requests when using:

- TLSCipherSuite NORMAL
- TLSCipherSuite NORMAL:!NULL #would be acceptable
- TLSCipherSuite !NULL #would be acceptable

We test with

ldapsearch -L -x -W -h [SERVER] -D [USER] -b [SEARCHBASE] uid=[USER]

(unencrypted)

and

ldapsearch -L -x -W -ZZ -h [SERVER] -D [USER] -b [SEARCHBASE] uid=[USER]

(encrypted)

The OS openldap is running on is Debian 8.7. The openldap version seems to be using GnuTLS, not OpenSSL, so that may be the reason for the problems.

But the last three TLSCipherSuite variations seem to be valid syntax, at least slapd starts without errors. Why doesn't !NULL prevent slapd from accepting unencrypted requests? The last two (use any cipher available but don't allow no cipher) would be acceptable.

Are additional settings / parameters required?

Note that we tried the suggestions given here (as described above) but that didn't work.

blockbax

2 Answers


Stop using slapd.conf, but that's just general advice. Most if not all olc* directives from slapd-config are available as non-olc directives for a slapd.conf style configuration.

For security something on the order of security tls=1 should be sufficient unless you also do non-TLS SASL.


Your manipulations of TLSCipherSuite will not work because those only control the acceptable ciphers once TLS is in use; they don't matter in choosing whether or not to use/require TLS. For that, you'll want to use security. However, you should use better TLS options, e.g. at least TLSCipherSuite HIGH:!aNull:!MD5:@STRENGTH and olcTLSProtocolMin 3.1.


From slapd.conf(5):

security <factors>
Specify a set of security strength factors (separated by white space) to require (see sasl-secprops's minssf option for a description of security strength factors). The directive may be specified globally and/or per-database. ssf=<n> specifies the overall security strength factor. transport=<n> specifies the transport security strength factor. tls=<n> specifies the TLS security strength factor. sasl=<n> specifies the SASL security strength factor. update_ssf=<n> specifies the overall security strength factor to require for directory updates. update_transport=<n> specifies the transport security strength factor to require for directory updates. update_tls=<n> specifies the TLS security strength factor to require for directory updates. update_sasl=<n> specifies the SASL security strength factor to require for directory updates. simple_bind=<n> specifies the security strength factor required for simple username/password authentication. Note that the transport factor is measure of security provided by the underlying transport, e.g. ldapi:// (and eventually IPSEC). It is not normally used.

84104
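As an added example (not code from the question or either answer), a small Python audit of a slapd.conf that applies the point above: only a security directive with ssf, transport or tls of 1 or more refuses cleartext sessions, while TLSCipherSuite never does. The per-database inheritance model and the config fragments are constructed assumptions, not the project's own code.

```python
import re

ENCRYPTING_FACTORS = ("ssf", "transport", "tls")  # a cleartext ldap:// session scores 0 on all three

def directives(conf_text):
    """(keyword, value) pairs per slapd.conf(5): '#' and blank lines are ignored,
    a line starting with whitespace continues the previous directive."""
    merged = re.sub(r"\n[ \t]+", " ", conf_text)
    for line in merged.splitlines():
        if line.strip() and not line.startswith("#"):
            parts = line.split(None, 1)
            yield parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""

def parse_security(value):
    """'tls=1 ssf=128' -> {'tls': 1, 'ssf': 128}; malformed factors are skipped."""
    factors = {}
    for tok in value.split():
        name, sep, num = tok.partition("=")
        if sep and num.isdigit():
            factors[name.lower()] = int(num)
    return factors

def refuses_cleartext(factors):
    """Any overall, transport or TLS strength of 1+ rejects an unencrypted
    session; simple_bind=<n> alone only guards the bind, not later searches."""
    return any(factors.get(f, 0) >= 1 for f in ENCRYPTING_FACTORS)

def cleartext_scopes(conf_text):
    """Scopes ('global' or 'database <type>') that still accept cleartext.
    Modelling assumption: a database inherits the global 'security' in force at
    its 'database' line and its own 'security' directive replaces it. TLSCipherSuite
    is ignored on purpose: it narrows ciphers once TLS runs, it never forces TLS."""
    scope, required = "global", {"global": False}
    for key, value in directives(conf_text):
        if key == "database":
            scope = f"database {value}"
            required[scope] = required["global"]
        elif key == "security":
            required[scope] = refuses_cleartext(parse_security(value))
    return [s for s, ok in required.items() if not ok]

# Constructed slapd.conf fragments (not from the question or answers).
WEAK_CONF = """\
TLSCertificateFile /etc/ldap/server.crt
TLSCipherSuite NORMAL:!NULL
database mdb
"""
FIXED_CONF = "security tls=1\n" + WEAK_CONF           # global requirement, inherited by mdb
OVERRIDE_CONF = FIXED_CONF + "security ssf=0\n"     # per-database reset re-opens cleartext
```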

If you must continue using slapd.conf, then this thread holds the answer you need:

From man slapd.conf

TLSVerifyClient <level>

demand | hard | true

These keywords are all equivalent, for compatibility reasons. The client certificate is requested. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated.

In terms of cipher selection, Zytrax's LDAP for Rocket Scientists provides some hints:

# Cipher-list contains only RSA based
# authentication and key-exchange suites 
# supported by TLSv1 (and SSLv3)
TLS_CIPHER_SUITE TLSv1+RSA

# Cipher-list contains only RSA based
# authentication and key-exchange suites 
# supported by TLSv1 (and SSLv3)
# excludes EXPORT and NULL suites
TLS_CIPHER_SUITE TLSv1+RSA:!EXPORT:!NULL

# Ordered list of RSA based
# authentication and key-exchange suites
TLS_CIPHER_SUITE DES-CBC-SHA:DES-CBC3-SHA:RC4-SHA:RC4-MD5

# All ciphers excluding NULL
TLS_CIPHER_SUITE ALL:!NULL

# Default equivalent value if not defined
TLS_CIPHER_SUITE ALL

You need to change TLS_CIPHER_SUITE to TLSCipherSuite, and I suspect you might want to check what cipher names will work (from the admin guide):

Besides the individual cipher names, the specifiers HIGH, MEDIUM, LOW, EXPORT, and EXPORT40 may be helpful, along with TLSv1, SSLv3, and SSLv2.

To obtain the list of ciphers in GnuTLS use:

gnutls-cli -l
iwaseatenbyagrue