How to Enforce TLS-Only Connections in OpenLDAP Server Configuration


Modern OpenLDAP deployments should mandate encrypted connections, yet many administrators discover their servers still accept plaintext traffic. The root issue lies in OpenLDAP's dual-port legacy approach (389/tcp for LDAP and 636/tcp for LDAPS). Here's how to properly enforce TLS at the configuration level.

First, verify your current TLS setup with:

ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config | grep -i tls

The critical configuration requires two LDIF modifications. First, the security policy:

# tls-policy.ldif
dn: cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never

Ensure proper certificate references (adjust paths as needed):

# certs.ldif 
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap.crt
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca.pem

For initial configuration (before enforcing TLS):

ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif
ldapmodify -Y EXTERNAL -H ldapi:/// -f tls-policy.ldif

After enabling TLS enforcement, all modifications must use secure channels. For subsequent changes:

ldapmodify -x -D "cn=admin,dc=example,dc=com" \
  -H ldaps://ldap.example.com -W -f changes.ldif

If encountering cipher errors, specify modern cipher suites:

# cipher.ldif
dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK

Verify TLS enforcement with:

ldapsearch -x -H ldap://server:389 -s base -b "" -LLL

If enforcement is working, this plaintext query should fail with: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


When securing OpenLDAP servers, administrators often need to enforce TLS encryption for all connections. The traditional approach of disabling the non-SSL port (636) is no longer recommended as it's considered deprecated. Through recent troubleshooting, I've identified a reliable method to enforce TLS at the configuration level.

Before enforcing TLS, ensure these base configurations are in place:

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap.crt
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca.pem

The critical parameter for enforcing TLS is olcSecurity. Create a modification file (force-tls.ldif) with:

dn: cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1

Apply this configuration using:

ldapmodify -Y EXTERNAL -H ldapi:/// -f force-tls.ldif

After enabling TLS enforcement, you'll encounter authentication challenges for configuration changes. The solution involves:

  1. Using the SASL/EXTERNAL mechanism over the local ldapi:/// socket for local modifications:

     ldapmodify -Y EXTERNAL -H ldapi:/// -f changes.ldif

  2. Using StartTLS for remote administration (-ZZ issues StartTLS and makes the command fail rather than fall back to plaintext if the TLS upgrade does not succeed):

     ldapmodify -x -D "cn=admin,dc=example,dc=com" -H ldap://ldap.example.com -ZZ -W

Cipher Suite Errors: If you encounter cipher negotiation errors, set an explicit modern cipher suite. Use replace rather than add here, since olcTLSCipherSuite is single-valued and add fails if the attribute is already set:

dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH:!aNULL:!eNULL:!3DES

Credential Problems: Ensure your admin DN has proper access rights in olcAccess rules.

Confirm TLS enforcement is working:

# Should fail without TLS
ldapsearch -x -H ldap://localhost -b "dc=example,dc=com"

# Should succeed with StartTLS
ldapsearch -x -H ldap://localhost -ZZ -b "dc=example,dc=com"

# Check TLS settings
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcSecurity
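To check a server's cn=config against the settings described above, here is an added example (not from the original article) that audits a dump such as the one the ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config command produces; the sample dump and the check names are constructed for this example.

```python
import base64
import re

# Constructed sample, not captured from a real server: roughly what
# `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -LLL` returns after the LDIFs above.
SAMPLE_CONFIG = """\
dn: cn=config
olcSecurity: tls=1
olcTLSCertificateKeyFile: /etc/ssl/private/ldap.key
olcTLSCertificateFile: /etc/ssl/certs/ldap.crt
olcTLSCACertificateFile: /etc/ssl/certs/ca.pem
olcTLSCipherSuite: HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4
 :!MD5:!PSK
olcTLSVerifyClient:: bmV2ZXI=
"""

def parse_ldif(text):
    """Parse LDIF into {dn: {attr: [values]}}; unfolds continuation lines, decodes ':: base64'."""
    entries, cur = {}, None
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            cur = None                      # blank line terminates the entry
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode()
        value = value.strip()
        if attr.lower() == "dn":
            cur = entries.setdefault(value, {})
        elif cur is not None:
            cur.setdefault(attr, []).append(value)
    return entries

def security_factors(values):
    """olcSecurity 'tls=1 ssf=128' -> {'tls': 1, 'ssf': 128}."""
    pairs = (tok.partition("=") for tok in " ".join(values).split())
    return {name.lower(): int(num) for name, _, num in pairs if num.isdigit()}

def audit_tls(ldif_text):
    """Return {check: passed}; tls_required is the one that actually refuses plaintext sessions."""
    cfg = parse_ldif(ldif_text).get("cn=config", {})
    factors = security_factors(cfg.get("olcSecurity", []))
    cipher = ":".join(cfg.get("olcTLSCipherSuite", []))
    return {
        "tls_required": factors.get("tls", 0) >= 1,
        "cert_and_key_set": bool(cfg.get("olcTLSCertificateFile")) and bool(cfg.get("olcTLSCertificateKeyFile")),
        "ca_set": bool(cfg.get("olcTLSCACertificateFile")),
        "cipher_excludes_null": "!aNULL" in cipher and "!eNULL" in cipher,  # no NULL-auth/NULL-enc suites
    }
```

Feed it the real dump (for example via ldapsearch ... | python3 -c 'import sys, audit; print(audit.audit_tls(sys.stdin.read()))') and a False next to tls_required means the server is still answering plaintext clients.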

While not recommended as primary security, you can combine TLS enforcement with port restrictions. Note that dropping 389/tcp also blocks StartTLS clients (the -ZZ commands above use that port), so this only fits deployments that use ldaps:// on 636/tcp exclusively:

iptables -A INPUT -p tcp --dport 389 -j DROP
iptables -A INPUT -p tcp --dport 636 -j ACCEPT