Securing LDAP clients with SSL/TLS on RHEL6
Securing LDAP clients using openldap-2.4.40-16.el6 and/or openldap-clients-2.4.40-16.el6, which use NSS for TLS.
This article is part of the Securing Applications Collection
Configuration File
/etc/openldap/ldap.conf
URI ldaps://rhel6-64.example.com/
TLS_CACERT /etc/openldap/rhel6-64.example.com.ca.pem
TLS_REQCERT demand
TLS_CIPHER_SUITE ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL
TLS_PROTOCOL_MIN 3.3
Protocols
TLS_PROTOCOL_MIN 3.3
Use TLSv1.2 or better
Protocol - Alternative Values
TLS_PROTOCOL_MIN 3.1
TLSv1.0 or better
TLS_PROTOCOL_MIN 3.0
Allow old clients, SSLv3 or better
Ciphers
Cipher strings for openldap/NSS need to follow a specific format as documented in the Cipher Strings with openldap / NSS article.
TLS_CIPHER_SUITE ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!EDH:!EXP:!SSLV2:!eNULL
Strongest available ciphers only
Ciphers - Alternative Values
TLS_CIPHER_SUITE EECDH:EDH:CAMELLIA:ECDH:RSA:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES
Strongest ciphers only
TLS_CIPHER_SUITE ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
Allow very old servers
Certificate Handling
OpenLDAP clients expect the CA certificate that issued the server's certificate.
Certificate Authority
TLS_CACERT /etc/openldap/rhel6-64.example.com.ca.pem
Root (CA) certificate that signed the certificate presented by the server.
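The following shell script is an added example, not part of the original article, that audits an ldap.conf against the settings above: ldaps:// in URI, TLS_REQCERT demand, a TLS_CACERT present, TLS_PROTOCOL_MIN of at least 3.3 (TLSv1.2), and a TLS_CIPHER_SUITE that does not enable weak cipher classes. The function names and the two sample configuration files (one hardened, one constructed legacy configuration) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original article): audit an OpenLDAP client
# ldap.conf for the hardening settings the article recommends. The function
# names and the two sample configurations below are constructed for this example.

# Print the value of a keyword from an ldap.conf-style file (keywords are
# case-insensitive; first match wins; comment lines start with '#').
ldap_conf_get() {
    awk -v key="$2" 'NF >= 2 && toupper($1) == toupper(key) { print $2; exit }' "$1"
}

# Print every cipher-string token that enables (rather than excludes with '!')
# a weak algorithm class such as RC4, DES/3DES, export, LOW/MEDIUM, MD5 or NULL.
ldap_conf_weak_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' | awk '
        { tok = $0; sub(/^\+/, "", tok) }
        tok == "" || tok ~ /^!/ { next }
        toupper(tok) ~ /(RC4|DES|EXP|LOW|MEDIUM|MD5|NULL|ADH|SSLV2)/ { print tok }
    '
}

# Audit one file. Prints a FAIL line per problem and returns the number of
# problems found (0 means the file matches the recommended settings).
ldap_conf_audit() {
    file="$1"
    findings=0

    uri=$(ldap_conf_get "$file" URI)
    case "$uri" in
        ldaps://*) ;;
        *) echo "FAIL: URI should use ldaps:// (got: ${uri:-<unset>})"
           findings=$((findings + 1)) ;;
    esac

    reqcert=$(ldap_conf_get "$file" TLS_REQCERT)
    if [ "$reqcert" != "demand" ]; then
        echo "FAIL: TLS_REQCERT should be 'demand' (got: ${reqcert:-<unset>})"
        findings=$((findings + 1))
    fi

    cacert=$(ldap_conf_get "$file" TLS_CACERT)
    if [ -z "$cacert" ]; then
        echo "FAIL: TLS_CACERT is not set; the server certificate cannot be verified"
        findings=$((findings + 1))
    fi

    # TLS_PROTOCOL_MIN is major.minor: 3.0 = SSLv3, 3.1 = TLSv1.0, 3.3 = TLSv1.2
    proto=$(ldap_conf_get "$file" TLS_PROTOCOL_MIN)
    proto_ok=$(printf '%s\n' "${proto:-0}" | awk -F. '{ print (($1 * 10 + $2) >= 33) ? 1 : 0 }')
    if [ "$proto_ok" != 1 ]; then
        echo "FAIL: TLS_PROTOCOL_MIN should be 3.3 (TLSv1.2) or higher (got: ${proto:-<unset>})"
        findings=$((findings + 1))
    fi

    ciphers=$(ldap_conf_get "$file" TLS_CIPHER_SUITE)
    weak=$(ldap_conf_weak_ciphers "$ciphers" | tr '\n' ' ')
    if [ -z "$ciphers" ] || [ -n "$weak" ]; then
        echo "FAIL: TLS_CIPHER_SUITE is unset or enables weak ciphers: ${weak:-<unset>}"
        findings=$((findings + 1))
    fi

    return "$findings"
}

WORK_DIR=$(mktemp -d)
GOOD_CONF="$WORK_DIR/ldap-hardened.conf"
BAD_CONF="$WORK_DIR/ldap-legacy.conf"

# Constructed sample 1: the settings the article recommends.
cat > "$GOOD_CONF" <<'EOF'
URI ldaps://rhel6-64.example.com/
TLS_CACERT /etc/openldap/rhel6-64.example.com.ca.pem
TLS_REQCERT demand
TLS_CIPHER_SUITE ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL
TLS_PROTOCOL_MIN 3.3
EOF

# Constructed sample 2: a legacy client configuration that fails every check.
cat > "$BAD_CONF" <<'EOF'
# plain LDAP with TLS settings copied from an old host
URI ldap://rhel6-64.example.com/
TLS_REQCERT allow
TLS_PROTOCOL_MIN 3.0
TLS_CIPHER_SUITE ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
EOF

for f in "$GOOD_CONF" "$BAD_CONF"; do
    echo "== $f"
    if ldap_conf_audit "$f"; then
        echo "OK: matches the recommended client settings"
    fi
done
```

Run it against a real client with `ldap_conf_audit /etc/openldap/ldap.conf`; a non-zero return code is the number of settings that diverge from the hardened values, which makes the function easy to wire into a configuration check.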