How to Enforce TLS-Only Connections in OpenLDAP Server Configuration


Modern OpenLDAP deployments should mandate encrypted connections, yet many administrators discover their servers still accept plaintext traffic. The root issue lies in OpenLDAP's dual-port legacy approach (389/tcp for LDAP and 636/tcp for LDAPS). Here's how to properly enforce TLS at the configuration level.

First, verify your current TLS setup with:

ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config | grep -i tls

The critical configuration requires two LDIF modifications. First, the security policy:

# tls-policy.ldif
dn: cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never

Ensure proper certificate references (adjust paths as needed):

# certs.ldif 
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap.crt
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca.pem

For initial configuration (before enforcing TLS):

ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif
ldapmodify -Y EXTERNAL -H ldapi:/// -f tls-policy.ldif

After enabling TLS enforcement, all modifications must use secure channels. For subsequent changes:

ldapmodify -x -D "cn=admin,dc=example,dc=com" \
  -H ldaps://ldap.example.com -W -f changes.ldif

If encountering cipher errors, specify modern cipher suites:

# cipher.ldif
dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK

Verify TLS enforcement with:

ldapsearch -x -H ldap://server:389 -s base -b "" -LLL

If TLS is properly enforced, this should return ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1).
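The verification above relies on ldapsearch's wording. The following is an added example, not code from the page, that performs the same two checks from a script using only the Python standard library: it hand-encodes an anonymous simple bind and a StartTLS extended request, reads back the LDAP resultCode, and distinguishes a server that answers confidentialityRequired (13) from one whose plaintext port is closed or firewalled. The host ldap.example.com and the CA path are placeholders; the anonymous bind inside TLS is expected to succeed only where anonymous binds are allowed, as the page's own ldapsearch -x -ZZ check assumes.

```python
# Added example, not code from the page: a stdlib-only check that an OpenLDAP
# listener rejects plaintext operations and still completes StartTLS.
# "ldap.example.com" and the CA path are placeholders to adjust.
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
SUCCESS = 0
CONFIDENTIALITY_REQUIRED = 13  # RFC 4511 resultCode returned when olcSecurity demands TLS

def ber_len(n: int) -> bytes:
    """BER length: one byte below 128, otherwise 0x80|count then the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n: int) -> bytes:
    """Contents of a non-negative INTEGER (leading 0x00 when the top bit would be set)."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")

def ldap_message(msg_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }"""
    return tlv(0x30, tlv(0x02, ber_int(msg_id)) + protocol_op)

def anonymous_bind_request(msg_id: int = 1) -> bytes:
    """BindRequest [APPLICATION 0]: version 3, empty name, simple [0] with an empty password."""
    return ldap_message(msg_id, tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, b"") + tlv(0x80, b"")))

def starttls_request(msg_id: int = 2) -> bytes:
    """ExtendedRequest [APPLICATION 23] { requestName [0] LDAPOID } for StartTLS."""
    return ldap_message(msg_id, tlv(0x77, tlv(0x80, STARTTLS_OID)))

def read_tlv(buf: bytes, pos: int = 0):
    """Decode the element at buf[pos]: returns (tag, contents, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, buf[pos + 2:pos + 2 + first], pos + 2 + first
    n = first & 0x7F
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    start = pos + 2 + n
    return tag, buf[start:start + length], start + length

def result_code(response: bytes) -> int:
    """resultCode of a BindResponse (tag 0x61) or ExtendedResponse (tag 0x78)."""
    tag, seq, _ = read_tlv(response)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(seq)               # skip messageID
    op_tag, op, _ = read_tlv(seq, pos)
    if op_tag not in (0x61, 0x78):
        raise ValueError("unexpected protocolOp tag 0x%02x" % op_tag)
    code_tag, code, _ = read_tlv(op)        # first field of LDAPResult: ENUMERATED resultCode
    if code_tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")

def exchange(sock, request: bytes) -> int:
    """Send one request and decode the resultCode of the reply."""
    sock.sendall(request)
    return result_code(sock.recv(4096))

def probe_plaintext(host: str, port: int = 389, timeout: float = 5.0) -> str:
    """Classify the server's answer to an anonymous bind over the plaintext port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            code = exchange(s, anonymous_bind_request())
    except ConnectionRefusedError:
        return "connection refused (port closed)"
    except socket.timeout:
        return "timeout (packets dropped, e.g. by a firewall rule)"
    if code == CONFIDENTIALITY_REQUIRED:
        return "enforced: confidentialityRequired (13)"
    if code == SUCCESS:
        return "NOT enforced: plaintext bind accepted"
    return "resultCode %d" % code

def probe_starttls(host: str, port: int = 389, ca_file=None, timeout: float = 5.0) -> bool:
    """True when StartTLS negotiates and an anonymous bind then succeeds inside the TLS session."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=timeout) as s:
        if exchange(s, starttls_request()) != SUCCESS:
            return False
        with ctx.wrap_socket(s, server_hostname=host) as tls:
            return exchange(tls, anonymous_bind_request(3)) == SUCCESS

if __name__ == "__main__":
    HOST = "ldap.example.com"  # placeholder
    print("plaintext 389:", probe_plaintext(HOST))
    print("StartTLS 389 :", probe_starttls(HOST, ca_file="/etc/ssl/certs/ca.pem"))
```

Run it against your own server after applying tls-policy.ldif: the first line should report confidentialityRequired (13) and the second True. A "connection refused" or timeout on the first line means the port itself is unreachable, which is a firewall or listener question rather than evidence that olcSecurity is doing its job.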


When securing OpenLDAP servers, administrators often need to enforce TLS encryption for all connections. The traditional approach of disabling the non-SSL port (636) is no longer recommended as it's considered deprecated. Through recent troubleshooting, I've identified a reliable method to enforce TLS at the configuration level.

Before enforcing TLS, ensure these base configurations are in place:

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap.crt
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca.pem

The critical parameter for enforcing TLS is olcSecurity. Create a modification file (force-tls.ldif) with:

dn: cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1

Apply this configuration using:

ldapmodify -Y EXTERNAL -H ldapi:/// -f force-tls.ldif

After enabling TLS enforcement, you'll encounter authentication challenges for configuration changes. The solution involves:

  1. Using the SASL/EXTERNAL mechanism for local modifications:

     ldapmodify -Y EXTERNAL -H ldapi:/// -f changes.ldif

  2. For remote administration with StartTLS:

     ldapmodify -x -D "cn=admin,dc=example,dc=com" -H ldap://ldap.example.com -ZZ -W

Cipher Suite Errors: If you encounter cipher errors, specify a modern cipher suite:

dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: HIGH:!aNULL:!eNULL:!3DES

Credential Problems: Ensure your admin DN has proper access rights in olcAccess rules.

Confirm TLS enforcement is working:

# Should fail without TLS
ldapsearch -x -H ldap://localhost -b "dc=example,dc=com"

# Should succeed with StartTLS
ldapsearch -x -H ldap://localhost -ZZ -b "dc=example,dc=com"

# Check TLS settings
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcSecurity
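The last check only shows the raw attribute. The following is an added example, not code from the page, that parses the LDIF ldapsearch prints for cn=config (folded lines, base64 "::" values and comments included) and reports which of the settings this page configures are missing: olcSecurity without tls=1, an absent certificate, key or CA file, or an olcTLSCipherSuite that does not exclude aNULL/eNULL. Both LDIF samples in the block are constructed for illustration.

```python
# Added example, not code from the page: audit the cn=config entry dumped by
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -LLL
# for the TLS settings this page sets. Both samples below are constructed.
import base64
import re

ENFORCED_SAMPLE = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcSecurity: tls=1
olcTLSCertificateFile: /etc/ssl/certs/ldap.crt
olcTLSCertificateKeyFile: /etc/ssl/private/ldap.key
olcTLSCACertificateFile: /etc/ssl/certs/ca.pem
olcTLSCipherSuite: HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:
 !PSK
olcTLSVerifyClient:: bmV2ZXI=

dn: olcDatabase={1}mdb,cn=config
objectClass: olcMdbConfig
olcSuffix: dc=example,dc=com
"""

UNENFORCED_SAMPLE = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCertificateFile: /etc/ssl/certs/ldap.crt
olcTLSCertificateKeyFile: /etc/ssl/private/ldap.key
olcTLSCipherSuite: HIGH:MEDIUM
"""

def parse_ldif(text: str) -> dict:
    """Map each DN (lower-cased) to {attribute (lower-cased): [values]}.
    Handles folded lines (leading space), base64 values ('::') and comments."""
    entries, record = {}, []

    def flush():
        dn, attrs = None, {}
        for line in record:
            name, _, value = line.partition(":")
            name = name.strip().lower()
            if value.startswith(":"):                       # attr:: base64
                value = base64.b64decode(value[1:].strip()).decode()
            elif value.startswith("<"):                     # attr:< file URL, not needed here
                continue
            else:
                value = value.strip()
            if name == "dn":
                dn = value.lower()
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries[dn] = attrs
        record.clear()

    for raw in text.splitlines():
        if raw.startswith("#") or raw.startswith("version:"):
            continue
        if raw.startswith(" ") and record:                  # folded continuation line
            record[-1] += raw[1:]
        elif raw.strip() == "":
            flush()
        else:
            record.append(raw)
    flush()
    return entries

REQUIRED_FILES = ("olcTLSCertificateFile", "olcTLSCertificateKeyFile", "olcTLSCACertificateFile")

def audit_tls(entries: dict) -> list:
    """Return human-readable findings; an empty list means the settings from this page are present."""
    cfg = entries.get("cn=config", {})
    findings = []
    security = " ".join(cfg.get("olcsecurity", []))
    match = re.search(r"\btls=(\d+)", security)
    if match is None or int(match.group(1)) < 1:
        findings.append("olcSecurity does not contain tls=1: plaintext operations are still allowed")
    for attr in REQUIRED_FILES:
        if attr.lower() not in cfg:
            findings.append("%s is not set" % attr)
    suite = cfg.get("olctlsciphersuite", [""])[0]   # absent means the library default, left alone here
    if suite and not {"!aNULL", "!eNULL"} <= set(suite.split(":")):
        findings.append("olcTLSCipherSuite does not exclude aNULL/eNULL ciphers: %s" % suite)
    return findings

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else ENFORCED_SAMPLE
    for finding in audit_tls(parse_ldif(text)) or ["OK: TLS enforcement settings present"]:
        print(finding)
```

Pipe the real dump into it (ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -LLL | python3 audit_tls.py); run without input it audits the built-in enforced sample. The cipher check only looks for the two exclusions both of this page's suites share, so it does not judge the rest of the string.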

While not recommended as primary security, you can combine TLS enforcement with port restrictions. Note that dropping 389/tcp also blocks StartTLS, which the -ZZ checks above rely on, so this only fits deployments that use ldaps:// on 636 exclusively:

iptables -A INPUT -p tcp --dport 389 -j DROP
iptables -A INPUT -p tcp --dport 636 -j ACCEPT