OpenLDAP: how to allow both secure (TLS) and insecure (normal) connections?
- by Mikael Roos
Installed OpenLDAP 2.4 on FreeBSD 8.1. It works for ordinary connections OR for TLS connections. I can change it by (un)commenting the following lines in slapd.conf.
# Enable TLS
#security ssf=128
# Disable TLS
security ssf=0
Is there a way to allow the clients to connect using TLS OR no-TLS? Can the ldap-server be configured to support both TLS connections and no-TLS connections?
Tried to find the information in the manual, but failed:
http://www.openldap.org/doc/admin24/access-control.html#Granting%20and%20Denying%20access%20based%20on%20security%20strength%20factors%20(ssf)
http://www.openldap.org/doc/admin24/tls.html#Server%20Configuration
Tried to read up on 'security' in the manual page for ldap.conf, didn't find the info there either.
I guess I need to configure the 'security' with some negotiation mechanism, "try to use TLS if client has it, otherwise continue using no-TLS".
Connecting with a client (when slapd.conf is configured to use TLS):
gm# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
ldap_bind: Confidentiality required (13)
additional info: TLS confidentiality required
gm# ldapsearch -Z -x -b '' -s base '(objectclass=*)' namingContexts
(this works, -Z makes a TLS connection)
So, can I have my ldap-server supporting client connections using TLS and ordinary (no-TLS) connections?
Thanx in advance.
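The slapd.conf shape the question is after, as an added example that is not part of the original post: the global `security` directive sets a minimum SSF for every connection, so leaving it at 0 (or omitting it) lets plain binds through, while the TLS* directives keep STARTTLS (`ldapsearch -Z`) available for clients that ask for it; an ACL `ssf=` qualifier then demands TLS only for the sensitive operations. The certificate paths and suffix are placeholders.

```conf
# TLS is offered, not enforced: clients may still connect in the clear.
TLSCACertificateFile  /usr/local/etc/openldap/ca.crt      # placeholder path
TLSCertificateFile    /usr/local/etc/openldap/server.crt  # placeholder path
TLSCertificateKeyFile /usr/local/etc/openldap/server.key  # placeholder path

# Global minimum security strength factor.
# ssf=0 (or no 'security' line at all) accepts both TLS and non-TLS sessions.
# ssf=128 would be the "TLS confidentiality required" behaviour seen above.
security ssf=0

database bdb
suffix   "dc=example,dc=com"        # placeholder suffix

# Require TLS (ssf >= 128) only where a cleartext session would leak secrets:
# password changes and simple binds must arrive over TLS; cleartext
# sessions are left with nothing on userPassword.
access to attrs=userPassword
    by self      ssf=128 write
    by anonymous ssf=128 auth
    by *                 none

# Everything else readable on either kind of session (anonymous base
# search for namingContexts, as in the ldapsearch above, keeps working).
access to *
    by * read
```

With this in place `ldapsearch -x` (no TLS) and `ldapsearch -Z -x` both bind, and only a bind or password write over a cleartext session is refused with "Confidentiality required".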