Securing LDAP clients with SSL/TLS on RHEL7


Securing LDAP clients (using openldap-2.4.44-5.el7 and/or openldap-clients-2.4.44-5.el7) that use Mozilla NSS as their TLS library

This article is part of the Securing Applications Collection

Configuration File

/etc/openldap/ldap.conf

Short form

URI             ldaps://rhel7-64.example.com/
TLS_CACERT      /etc/openldap/rhel7-64.example.com.ca.pem
TLS_REQCERT     demand
TLS_CIPHERS   ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL
TLS_PROTOCOL_MIN 3.3

Protocols

TLS_PROTOCOL_MIN takes the protocol version as major.minor (SSLv3 is 3.0, TLSv1.0 is 3.1, TLSv1.1 is 3.2, TLSv1.2 is 3.3). The client refuses to negotiate anything older than the value given.

  • TLS_PROTOCOL_MIN 3.3 : TLSv1.2 or better (recommended)
  • TLS_PROTOCOL_MIN 3.1 : TLSv1.0 or better
  • TLS_PROTOCOL_MIN 3.0 : Allow old servers, SSLv3 or better; SSLv3 is broken (POODLE) and should only be enabled as a short-term measure

Ciphers

Cipher strings for openldap/NSS need to follow a specific format as documented in the Cipher Strings with openldap / NSS article.

TLS_CIPHERS ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL

Strongest available ciphers only: the forward-secret ECDHE suite is preferred, anonymous (aNULL), NULL-encryption (eNULL), RC4, MD5 and export suites are excluded

Ciphers - Alternative Values

TLS_CIPHERS EECDH:EDH:CAMELLIA:ECDH:RSA:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES

Strong ciphers with broader server compatibility: forward-secret EECDH/EDH suites first, Camellia and plain RSA key exchange still allowed, while RC4, DES, 3DES, SEED, IDEA, export and NULL-encryption suites are excluded

TLS_CIPHERS  ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

Allow very old servers: this string admits RC4 and LOW/MEDIUM strength suites and only rules out anonymous DH, export and SSLv2 suites. Use it only as a temporary measure for servers that cannot do better, keep TLS_REQCERT demand, and return to one of the stronger strings as soon as the server is fixed

Certificate Handling

OpenLDAP clients expect the CA certificate that issued the server's certificate; the client does not need its own certificate unless the server requires client authentication. With TLS_REQCERT demand the connection is refused if the server's chain does not validate against that CA.

Certificate Authority

TLS_CACERT      /etc/openldap/rhel7-64.example.com.ca.pem

Root certificate (or CA bundle, PEM format) for the certificate presented by the server. On the RHEL7 NSS build, TLS_CACERTDIR can instead point at an NSS certificate database; the default ldap.conf shipped with the package uses TLS_CACERTDIR /etc/openldap/certs.
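The settings above are easy to get wrong silently (a stray TLS_REQCERT allow, or a cipher string that still admits RC4). The following script is an added example, not part of the original article or of the openldap packages: it parses an ldap.conf in the KEYWORD value layout used above and reports every deviation from the hardened short form. The two sample configurations it audits are constructed inline; the hostname rhel7-64.example.com and the CA path are the article's placeholders.

```sh
#!/bin/sh
# Added example (not from the original article): audit an OpenLDAP client
# ldap.conf against the TLS settings recommended above.
# Assumes POSIX sh, awk and tr; keywords are case-insensitive and the last
# occurrence wins, as in OpenLDAP itself.

# Print the value of a keyword from an ldap.conf (empty if unset).
ldap_conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                 # skip comments
        toupper($1) == toupper(key) { v = $2 }    # later lines override earlier ones
        END { print v }' "$1"
}

# Print the elements of an OpenSSL-style cipher string that ENABLE (do not
# negate with "!") RC4, LOW or MEDIUM strength suites, e.g. "RC4+RSA" or "+LOW".
weak_cipher_elements() {
    printf '%s' "$1" | tr ':' '\n' | awk '
        /^!/ { next }                                    # "!RC4" is an exclusion, fine
        /(^|[+])(RC4|LOW|MEDIUM)([+]|$)/ { print }'
}

# Audit one ldap.conf. Prints one line per finding; the return value is the
# number of findings, so 0 means the file matches the hardened short form.
audit_ldap_conf() {
    conf="$1"
    findings=0

    uri=$(ldap_conf_get "$conf" URI)
    case "$uri" in
        ldaps://*) ;;
        *) echo "URI is '${uri:-unset}', not ldaps://; without -ZZ the session may stay in cleartext"
           findings=$((findings + 1)) ;;
    esac

    reqcert=$(ldap_conf_get "$conf" TLS_REQCERT)
    if [ "$reqcert" != "demand" ]; then
        echo "TLS_REQCERT is '${reqcert:-unset}'; only 'demand' rejects an unverifiable server certificate"
        findings=$((findings + 1))
    fi

    cacert=$(ldap_conf_get "$conf" TLS_CACERT)
    cacertdir=$(ldap_conf_get "$conf" TLS_CACERTDIR)
    if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "Neither TLS_CACERT nor TLS_CACERTDIR is set; the server chain cannot be validated"
        findings=$((findings + 1))
    fi

    # OpenLDAP encodes the minimum as major.minor: 3.0=SSLv3 3.1=TLSv1.0 3.2=TLSv1.1 3.3=TLSv1.2
    protomin=$(ldap_conf_get "$conf" TLS_PROTOCOL_MIN)
    case "$protomin" in
        3.3|3.4) ;;
        *) echo "TLS_PROTOCOL_MIN is '${protomin:-unset}'; use 3.3 so nothing older than TLSv1.2 is negotiated"
           findings=$((findings + 1)) ;;
    esac

    ciphers=$(ldap_conf_get "$conf" TLS_CIPHERS)
    weak_count=$(weak_cipher_elements "$ciphers" | awk 'END { print NR }')
    if [ "$weak_count" -gt 0 ]; then
        echo "TLS_CIPHERS enables weak suites: $(weak_cipher_elements "$ciphers" | tr '\n' ' ')"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Constructed sample: the article's hardened short form.
hardened_conf() {
    cat <<'EOF'
URI             ldaps://rhel7-64.example.com/
TLS_CACERT      /etc/openldap/rhel7-64.example.com.ca.pem
TLS_REQCERT     demand
TLS_CIPHERS     ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL
TLS_PROTOCOL_MIN 3.3
EOF
}

# Constructed sample: a legacy client that should fail every check.
legacy_conf() {
    cat <<'EOF'
URI             ldap://rhel7-64.example.com/
TLS_REQCERT     allow
TLS_CIPHERS     ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
TLS_PROTOCOL_MIN 3.0
EOF
}

# Stand-alone demonstration: audit both samples (the legacy one reports 5 findings).
demo() {
    for gen in hardened_conf legacy_conf; do
        tmp=$(mktemp)
        "$gen" > "$tmp"
        echo "== $gen =="
        audit_ldap_conf "$tmp" || echo "-> $? finding(s)"
        rm -f "$tmp"
    done
}
demo
```

To audit the live file, call `audit_ldap_conf /etc/openldap/ldap.conf`. After fixing it, confirm the negotiated protocol and chain against the real server with `openssl s_client -connect rhel7-64.example.com:636 -CAfile /etc/openldap/rhel7-64.example.com.ca.pem -tls1_2 </dev/null` and then a plain `ldapsearch -x -H ldaps://rhel7-64.example.com/ -b '' -s base`; with TLS_REQCERT demand the latter fails instead of silently trusting an unverifiable certificate.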
