Securing LDAP clients with SSL/TLS on RHEL6

Securing LDAP clients using openldap-2.4.40-16.el6 and/or openldap-clients-2.4.40-16.el6, which on RHEL6 are built against Mozilla NSS rather than OpenSSL, so the TLS directives below follow the NSS conventions.

This article is part of the Securing Applications Collection

Configuration File

   /etc/openldap/ldap.conf

Short form

URI             ldaps://rhel6-64.example.com/
TLS_CACERT      /etc/openldap/rhel6-64.example.com.ca.pem
TLS_REQCERT     demand
TLS_CIPHER_SUITE     ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL
TLS_PROTOCOL_MIN 3.3

Protocols

TLS_PROTOCOL_MIN 3.3

Require TLSv1.2 or better. The value is the protocol version number as used on the wire: 3.0 = SSLv3, 3.1 = TLSv1.0, 3.2 = TLSv1.1, 3.3 = TLSv1.2.

Protocol - Alternative Values

TLS_PROTOCOL_MIN 3.1

TLSv1.0 or better (TLSv1.0, TLSv1.1 and TLSv1.2 are all accepted)

TLS_PROTOCOL_MIN 3.0

Allow connections to old servers, SSLv3 or better. SSLv3 is obsolete; use this only for a server that cannot be upgraded, and remove it as soon as it can.

Ciphers

Cipher strings for openldap/NSS need to follow a specific format as documented in the Cipher Strings with openldap / NSS article.

    TLS_CIPHER_SUITE ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!EDH:!EXP:!SSLV2:!eNULL

Strongest available ciphers only

Ciphers - Alternative Values

   TLS_CIPHER_SUITE EECDH:EDH:CAMELLIA:ECDH:RSA:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES

Strong ciphers only: a broader list than the short form (Camellia and DHE are included) that still excludes RC4, DES, 3DES, SEED, IDEA, export grades and NULL encryption.

   TLS_CIPHER_SUITE  ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

Allow very old servers. This string enables RC4 as well as the MEDIUM and LOW grades, so use it only as a temporary measure against a server that cannot negotiate anything stronger.

Certificate Handling

OpenLDAP clients expect the CA certificate that issued the server's certificate, not the server certificate itself.

Certificate Authority

TLS_CACERT      /etc/openldap/rhel6-64.example.com.ca.pem

Root (or issuing chain) certificate for the certificate presented by the server, in PEM format. With TLS_REQCERT demand the client refuses the connection if the server certificate does not validate against this file, so the file must contain the CA that actually signed the server's certificate.
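The Protocols, Ciphers and Certificate Handling sections above describe what a hardened ldap.conf must contain; the script below turns those rules into a check a practitioner can run against the file before rolling it out. It is an added example written for this article, not a tool shipped with RHEL or openldap-clients. It assumes the directive semantics described above and in ldap.conf(5) (TLS_PROTOCOL_MIN 3.3 = TLSv1.2, TLS_REQCERT demand/hard verifies the server certificate), and the two sample configuration files and the placeholder CA file it creates are constructed test data, not real certificates.

```shell
#!/bin/sh
# Hypothetical audit helper for an OpenLDAP client ldap.conf (not part of
# RHEL or openldap-clients). It reads the TLS directives covered in this
# article and reports settings weaker than the short-form configuration.

# conf_get FILE DIRECTIVE: print the value of the last matching directive.
# ldap.conf keywords are case-insensitive; lines starting with '#' are comments.
conf_get() {
    awk -v key="$2" '
        $0 !~ /^[[:space:]]*#/ && toupper($1) == key { val = $2 }
        END { print val }' "$1"
}

# protocol_ok MIN: succeed only for 3.3 (TLSv1.2) or higher.
# 3.0 = SSLv3, 3.1 = TLSv1.0, 3.2 = TLSv1.1, 3.3 = TLSv1.2.
protocol_ok() {
    awk -v v="$1" 'BEGIN { exit !(v + 0 >= 3.3) }'
}

# ciphers_ok SUITE: fail if the string positively enables RC4, LOW/MEDIUM,
# anonymous (ADH/aNULL), export or NULL ciphers, as the "very old servers"
# string above does. Negations such as !RC4 or !EXP do not trigger a finding.
ciphers_ok() {
    [ -n "$1" ] || return 1
    case ":$1:" in
        *:RC4*|*:LOW:*|*:+LOW:*|*:MEDIUM:*|*:+MEDIUM:*|*:ADH:*|*:aNULL:*|*:EXP:*|*:EXPORT:*|*:eNULL:*)
            return 1 ;;
    esac
    return 0
}

# reqcert_ok VALUE: only "demand" (or its synonym "hard") verifies the server
# certificate and aborts on failure; never/allow/try do not.
reqcert_ok() {
    case "$1" in
        demand|hard) return 0 ;;
        *) return 1 ;;
    esac
}

# cacert_ok PATH: the CA file must exist, be readable and contain PEM data.
cacert_ok() {
    [ -n "$1" ] && [ -r "$1" ] && grep -q 'BEGIN CERTIFICATE' "$1"
}

finding() {
    echo "  - $1"
    AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
}

# audit_ldap_conf FILE: print one line per finding; AUDIT_FINDINGS holds the
# count and the return status is non-zero when anything was found.
audit_ldap_conf() {
    f=$1
    AUDIT_FINDINGS=0
    uri=$(conf_get "$f" URI)
    case "$uri" in
        ldaps://*) ;;
        *) finding "URI '$uri' is not ldaps:// (plaintext unless StartTLS is forced)" ;;
    esac
    ca=$(conf_get "$f" TLS_CACERT)
    cacert_ok "$ca" || finding "TLS_CACERT '$ca' is missing, unreadable or not PEM"
    rc=$(conf_get "$f" TLS_REQCERT)
    reqcert_ok "$rc" || finding "TLS_REQCERT '$rc' does not verify the server certificate (use demand)"
    cs=$(conf_get "$f" TLS_CIPHER_SUITE)
    ciphers_ok "$cs" || finding "TLS_CIPHER_SUITE enables weak ciphers or is unset: '$cs'"
    pm=$(conf_get "$f" TLS_PROTOCOL_MIN)
    protocol_ok "$pm" || finding "TLS_PROTOCOL_MIN '$pm' is below 3.3 (TLSv1.2)"
    [ "$AUDIT_FINDINGS" -eq 0 ]
}

# Constructed sample files for a stand-alone run: a good config mirroring the
# short form above and a weak one built from the "alternative values".
make_demo_confs() {
    DEMO_DIR=$(mktemp -d)
    # Placeholder PEM markers only; this is not a real certificate.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-placeholder-not-a-real-certificate' \
        '-----END CERTIFICATE-----' > "$DEMO_DIR/ca.pem"
    GOOD_CONF=$DEMO_DIR/good.conf
    WEAK_CONF=$DEMO_DIR/weak.conf
    cat > "$GOOD_CONF" <<EOF
URI             ldaps://rhel6-64.example.com/
TLS_CACERT      $DEMO_DIR/ca.pem
TLS_REQCERT     demand
TLS_CIPHER_SUITE ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL
TLS_PROTOCOL_MIN 3.3
EOF
    cat > "$WEAK_CONF" <<EOF
# ldap:// URI, unverified server cert, RC4/LOW ciphers, SSLv3 accepted, CA file absent
URI             ldap://rhel6-64.example.com/
TLS_CACERT      $DEMO_DIR/missing-ca.pem
TLS_REQCERT     allow
TLS_CIPHER_SUITE ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
TLS_PROTOCOL_MIN 3.0
EOF
}

make_demo_confs
for conf in "$GOOD_CONF" "$WEAK_CONF"; do
    echo "== $conf"
    if audit_ldap_conf "$conf"; then
        echo "  OK: matches the hardened short form"
    else
        echo "  $AUDIT_FINDINGS finding(s)"
    fi
done
```

Run it as `sh audit-ldap-conf.sh` after copying the audit functions against the real `/etc/openldap/ldap.conf`; the weak sample produces five findings and the good one none. Once the file passes, confirm the server side with `ldapsearch -x -H ldaps://rhel6-64.example.com/ -b '' -s base`: with TLS_REQCERT demand the query fails rather than falling back if the CA in TLS_CACERT does not match the chain the server presents.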