Symas OpenLDAP Knowledge Base

TLS

Eliminating SSL usage in favor of TLS

https://confluence.symas.com/display/OK/%5BDRAFT%5D+Configuring+Secure+Communications

Good TLS Demonstration

https://confluence.symas.com/display/OK/Symas+OpenLDAP+Installation+Configuration+Example#SymasOpenLDAPInstallationConfigurationExample-TLSconfiguration

SSF (Security Strength Factors)

http://www.openldap.org/doc/admin24/security.html#Security%20Strength%20Factors

Admin Guide TLS Section

http://www.openldap.org/doc/admin24/tls.html

Force OpenLDAP to use TLS 1.0+ rather than SSL v2,3

In the global section of slapd.conf, add the following:

TLSProtocolMin 3.1

TLS Information

TLS is also SSL

Securing a socket was a Netscape requirement; they called it SSL. Then came SSL v2 and SSL v3.

Then it switched to TLS 1.0 (aka SSL 3.0). Then TLS v1.1 and TLS v1.2 followed.

The ldap and ldaps URIs are set in the symas-openldap.conf file, for example:

HOST_LIST="ldap:///"

SSL v3.0 is long dead but people still talk about SSL.

The rename from SSL to TLS was a vast error that confused the whole planet.

STARTTLS

StartTLS works over port 389, the same port as plain LDAP.

StartTLS is a protocol on top of another protocol.

StartTLS is an extension to plain text communication protocols, which offers a way to upgrade a plain text connection to an encrypted (TLS or SSL) connection instead of using a separate port for encrypted communication.
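The upgrade sequence described above, and the client-side check that a server configured with TLSProtocolMin really negotiates a modern version, as an added Python example. This is not code from Symas or OpenLDAP; it uses only the standard library. It assumes the server's StartTLS reply arrives whole in a single recv() and that message IDs stay below 128 (so the INTEGER encoding is one byte). The two sample replies are constructed for the example, not captured from a server.

```python
import socket
import ssl
from typing import Optional

# OID of the StartTLS extended operation (RFC 4511, section 4.14).
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# BER tags used below: class bits | constructed bit | tag number.
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_ENUMERATED = 0x0A
TAG_OCTET_STRING = 0x04
TAG_EXTENDED_REQUEST = 0x77   # [APPLICATION 23], constructed
TAG_EXTENDED_RESPONSE = 0x78  # [APPLICATION 24], constructed
TAG_REQUEST_NAME = 0x80       # [0] context-specific, primitive
TAG_RESPONSE_NAME = 0x8A      # [10] context-specific, primitive


def ber_length(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """Wrap payload in a BER tag-length-value triple."""
    return bytes([tag]) + ber_length(len(payload)) + payload


def build_starttls_request(message_id: int) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }."""
    if not 1 <= message_id <= 127:   # assumption: one-byte INTEGER is enough here
        raise ValueError("message_id must be in 1..127 for this encoder")
    ext_req = tlv(TAG_EXTENDED_REQUEST, tlv(TAG_REQUEST_NAME, STARTTLS_OID.encode()))
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, bytes([message_id])) + ext_req)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the value) for the TLV at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_starttls_response(data: bytes) -> dict:
    """Decode LDAPMessage { messageID, ExtendedResponse { LDAPResult, responseName? } }."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, body, _ = _read_tlv(msg, pos)
    if tag != TAG_EXTENDED_RESPONSE:
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    # LDAPResult: resultCode ENUMERATED, matchedDN, diagnosticMessage
    tag, code, pos = _read_tlv(body, 0)
    if tag != TAG_ENUMERATED:
        raise ValueError("missing resultCode")
    _, matched_dn, pos = _read_tlv(body, pos)
    _, diag, pos = _read_tlv(body, pos)
    response_name = None
    while pos < len(body):                  # optional trailing elements (referral, responseName, ...)
        tag, val, pos = _read_tlv(body, pos)
        if tag == TAG_RESPONSE_NAME:
            response_name = val.decode()
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "result_code": int.from_bytes(code, "big", signed=True),
        "matched_dn": matched_dn.decode(),
        "diagnostic": diag.decode(),
        "response_name": response_name,
    }


def starttls(sock: socket.socket, server_hostname: str,
             context: Optional[ssl.SSLContext] = None) -> ssl.SSLSocket:
    """Upgrade an open plain LDAP socket (port 389) to TLS in place.

    Step 1: the StartTLS ExtendedRequest goes over the cleartext connection.
    Step 2: on resultCode 0 the TLS handshake runs on the same socket.
    Any other result is an error; never keep talking in cleartext after a refused upgrade.
    """
    sock.sendall(build_starttls_request(1))
    reply = sock.recv(4096)                 # assumption: the short reply arrives in one read
    resp = parse_starttls_response(reply)
    if resp["result_code"] != 0:
        raise RuntimeError("StartTLS refused: code %d %r" % (resp["result_code"], resp["diagnostic"]))
    ctx = context or ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # client-side floor; the server's floor is TLSProtocolMin
    return ctx.wrap_socket(sock, server_hostname=server_hostname)


# Constructed sample replies (not captured from a real server).
# Success: messageID 1, resultCode 0, empty matchedDN/diagnostic, responseName = StartTLS OID.
SAMPLE_SUCCESS = bytes.fromhex("3024 020101 781f 0a0100 0400 0400 8a16") + STARTTLS_OID.encode()
# Refusal: resultCode 1 (operationsError) with a constructed diagnostic string.
SAMPLE_REFUSED = tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, b"\x01") + tlv(
    TAG_EXTENDED_RESPONSE,
    tlv(TAG_ENUMERATED, b"\x01") + tlv(TAG_OCTET_STRING, b"") + tlv(TAG_OCTET_STRING, b"TLS already started")))

if __name__ == "__main__":
    print("request :", build_starttls_request(1).hex())
    print("success :", parse_starttls_response(SAMPLE_SUCCESS))
    print("refused :", parse_starttls_response(SAMPLE_REFUSED))
```

After starttls() returns, tls_sock.version() reports the negotiated protocol (for example "TLSv1.2"); connecting to a server whose slapd.conf carries TLSProtocolMin 3.1 and reading that value is the quickest way to confirm the setting took effect.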