OpenLDAP, howto allow both secure (TLS) and unsecure (normal) connections?

Posted by Mikael Roos on Server Fault See other posts from Server Fault or by Mikael Roos
Published on 2010-06-10T11:10:03Z Indexed on 2010/06/10 11:13 UTC
Read the original article Hit count: 529

Filed under:
|
|
|

Installed OpenLDAP 2.4 on FreeBSD 8.1. It works for ordinary connections OR for TLS connections. I can change it by (un)commenting the following lines in slapd.conf.

# Enable TLS
#security ssf=128 

# Disable TLS
security ssf=0

Is there a way to allow the clients to connect using TLS OR no-TLS? Can the ldap-server be configured to support both TLS connections and no-TLS connections?

Tried to find the information in the manual, but failed:
http://www.openldap.org/doc/admin24/access-control.html#Granting%20and%20Denying%20access%20based%20on%20security%20strength%20factors%20(ssf)
http://www.openldap.org/doc/admin24/tls.html#Server%20Configuration

Tried to read up on 'security' in manualpage for ldap.conf, didn't find the info there either.

I guess I need to configure the 'secure' with some negotiation mechanism, "try to use TLS if client has it, otherwise continue using no-TLS".

Connecting with a client (when slapd.conf is configure to use TLS):

gm# ldapsearch  -x -b '' -s base '(objectclass=*)' namingContexts
ldap_bind: Confidentiality required (13)
        additional info: TLS confidentiality required

gm# ldapsearch -Z -x -b '' -s base '(objectclass=*)' namingContexts
(this works, -Z makes a TLS connection)

So, can I have my ldap-server supporting client connections using TLS and ordinary (no-TLS) connections?

Thanx in advance.

© Server Fault or respective owner

Related posts about ldap

Related posts about freebsd