Securing LDAP clients with SSL/TLS on RHEL7
Securing LDAP clients (using openldap-2.4.44-5.el7 and/or openldap-clients-2.4.44-5.el7) that use NSS
This article is part of the Securing Applications Collection
Configuration File
/etc/openldap/ldap.conf
shortform
URI ldaps://rhel7-64.example.com/
TLS_CACERT /etc/openldap/rhel7-64.example.com.ca.pem
TLS_REQCERT demand
TLS_CIPHERS ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL
TLS_PROTOCOL_MIN 3.3
Protocols
TLS_PROTOCOL_MIN 3.3 : Use TLSv1.2 or better
TLS_PROTOCOL_MIN 3.1 : TLSv1.0 or better
TLS_PROTOCOL_MIN 3.0 : Allow old clients, SSLv3 or better
Ciphers
Cipher strings for openldap/NSS need to follow a specific format as documented in the Cipher Strings with openldap / NSS article.
TLS_CIPHERS ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!EDH:!EXP:!SSLV2:!eNULL
Strongest available ciphers only
Ciphers - Alternative Values
TLS_CIPHERS EECDH:EDH:CAMELLIA:ECDH:RSA:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES
Strongest ciphers only
TLS_CIPHERS ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
Allow very old servers
Certificate Handling
OpenLDAP clients expect the CA certificate that issued the certificate presented by the server
Certificate Authority
TLS_CACERT /etc/openldap/rhel6-64.example.com.ca.pem
Root certificate for the certificate presented by the server
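To check that a deployed ldap.conf actually carries the hardening described in this article (ldaps:// URI, TLS_REQCERT demand, a CA certificate, TLS_PROTOCOL_MIN 3.3, and a cipher string that excludes RC4, eNULL, aNULL and MD5), the following audit script is an added example and not part of Red Hat's documentation or the openldap packages. The weak-token list, the required exclusions, and both sample configurations are assumptions constructed for the example; the second sample reuses the "allow very old servers" cipher string from the Alternative Values section.

```python
WEAK_CIPHER_TOKENS = {"RC4", "DES", "3DES", "MD5", "EXP", "EXPORT", "LOW", "MEDIUM", "ENULL", "ANULL", "ADH", "SSLV2", "SSLV3"}
REQUIRED_EXCLUSIONS = ("RC4", "eNULL", "aNULL", "MD5")  # assumed policy: each must appear as !TOKEN in TLS_CIPHERS


def parse_ldap_conf(text):
    """Return {DIRECTIVE: value}; comments and blank lines are skipped, later occurrences win."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(text):
    """Return a list of findings; an empty list means the client config matches the hardened settings."""
    conf, findings = parse_ldap_conf(text), []
    uri = conf.get("URI", "")
    if uri and not uri.lower().startswith("ldaps://"):
        findings.append("URI is not ldaps://; traffic is plaintext unless STARTTLS is forced (-ZZ)")
    reqcert = conf.get("TLS_REQCERT", "demand").lower()  # client-side default is demand
    if reqcert != "demand":
        findings.append(f"TLS_REQCERT {reqcert}: server certificate failures are not fatal")
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: the server's CA cannot be verified")
    proto = conf.get("TLS_PROTOCOL_MIN")
    if proto is None:
        findings.append("TLS_PROTOCOL_MIN unset: library default may allow protocols below TLSv1.2")
    elif tuple(int(x) for x in proto.split(".")) < (3, 3):  # 3.3 == TLSv1.2
        findings.append(f"TLS_PROTOCOL_MIN {proto}: allows protocols older than TLSv1.2")
    tokens = [t for t in conf.get("TLS_CIPHERS", "").split(":") if t]
    excluded = {t[1:].upper() for t in tokens if t.startswith("!")}
    # Tokens not prefixed with "!" enable suites; "RC4+RSA" and "+LOW" are split into their parts.
    enabled = [p for t in tokens if not t.startswith("!") for p in t.lstrip("+").split("+")]
    findings += [f"TLS_CIPHERS enables weak token {p}" for p in enabled if p.upper() in WEAK_CIPHER_TOKENS]
    findings += [f"TLS_CIPHERS does not exclude !{r}" for r in REQUIRED_EXCLUSIONS if r.upper() not in excluded]
    return findings


# Constructed sample: the hardened client configuration given in this article.
HARDENED_CONF = """URI ldaps://rhel7-64.example.com/
TLS_CACERT /etc/openldap/rhel7-64.example.com.ca.pem
TLS_REQCERT demand
TLS_CIPHERS ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL
TLS_PROTOCOL_MIN 3.3"""
# Constructed sample: a permissive client using the "allow very old servers" cipher string.
LEGACY_CONF = """URI ldap://rhel7-64.example.com/
TLS_REQCERT allow
TLS_CIPHERS ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
TLS_PROTOCOL_MIN 3.0"""
```

Point audit_ldap_conf at the contents of /etc/openldap/ldap.conf on a host to list every setting that falls short of the recommended configuration; the legacy sample above produces eleven findings, the hardened one none.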