One of the security options OpenLDAP offers is to refuse operations on LDAP sessions whose protection falls below a certain grade. The grade is expressed as a Security Strength Factor (SSF); for a TLS session the SSF is the key length in bits of the negotiated symmetric cipher, so an AES-128 cipher suite gives an SSF of 128 and an AES-256 suite an SSF of 256. The cn=config option that enforces a minimum is ‘olcSecurity’ (the ‘security’ directive in slapd.conf), for example ‘olcSecurity: ssf=256’. The similarly named ‘olcLocalSSF’ is a different setting: it is the SSF that slapd assigns to local ldapi:// sessions, which use no TLS at all. With a required SSF of 256, a client that connects with a 128 bit cipher suite still completes the TLS handshake, but slapd then rejects its operations with LDAP error 13 (confidentialityRequired).
After an update of OpenLDAP to 2.4.40 on an up-to-date CentOS 6.5 box (which had also received a recent OpenSSL update), the TLS connection between Postfix and OpenLDAP stopped working. All the client (a Postfix LDAP table lookup) reported was:
```
dict_ldap_lookup: Search error 13: Confidentiality required
```
Not very helpful. After raising olcLogLevel in OpenLDAP to 256 (the ‘stats’ level, which logs connections, operations and results), the following showed up in the log:
```
Aug 14 02:41:51 r83c24 slapd[5066]: conn=1123 fd=22 TLS established tls_ssf=128 ssf=128
...
Aug 14 02:41:51 r83c24 slapd[5066]: conn=1123 op=1 RESULT tag=97 err=13 text=stronger confidentiality required
```
Notice the “tls_ssf=128” and the text “stronger confidentiality required”. The TLS handshake itself succeeded, but the client negotiated a 128 bit cipher suite, so the session’s SSF is 128 and falls short of the required 256. slapd therefore answers the first operation on the session (op=1, a bind: tag=97 is a bindResponse) with err=13, which is what Postfix surfaces as “Confidentiality required”.
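To triage this from the slapd log rather than by eye, the following script (added here as an example; it is not from the original post and is not OpenLDAP or Postfix code) correlates stats-level log lines by their conn= number, records the TLS SSF each session negotiated and any non-zero RESULT codes, and lists the sessions whose SSF is below the value the server requires. The sample log is constructed: the conn=1123 lines are modelled on the excerpt above, with the elided lines filled in with STARTTLS and BIND entries of the kind slapd logs at this level, and conn=1124 is an invented later session that negotiated AES-256 and succeeded. The required SSF of 256 is the value from the post.

```python
"""Triage "stronger confidentiality required" (err=13) from slapd stats logs.

Example added to this post, not OpenLDAP or Postfix code. Parses olcLogLevel 256
(stats) output, groups lines by conn= number, and reports sessions whose
negotiated TLS SSF is below the SSF the server requires.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LDAP_CONFIDENTIALITY_REQUIRED = 13  # LDAP resultCode confidentialityRequired

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=(?P<peer>\S+)")
TLS_RE = re.compile(r"TLS established tls_ssf=(?P<tls_ssf>\d+) ssf=(?P<ssf>\d+)")
RESULT_RE = re.compile(r"op=(?P<op>\d+) (?:SEARCH )?RESULT tag=\d+ err=(?P<err>\d+)")
TEXT_RE = re.compile(r"\btext=(?P<text>.*)$")


@dataclass
class Session:
    conn: int
    peer: str = "?"
    tls_ssf: Optional[int] = None   # key bits of the negotiated cipher, as slapd logs it
    ssf: Optional[int] = None       # overall SSF slapd assigned to the session
    failures: List[Tuple[int, int, str]] = field(default_factory=list)  # (op, err, text)


def parse_slapd_log(lines) -> Dict[int, Session]:
    """Group stats-level slapd log lines by connection number."""
    sessions: Dict[int, Session] = {}
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue  # not a per-connection stats line
        cid = int(m.group("conn"))
        s = sessions.setdefault(cid, Session(cid))
        rest = m.group("rest")
        if (a := ACCEPT_RE.search(rest)):
            s.peer = a.group("peer")
        elif (t := TLS_RE.search(rest)):
            s.tls_ssf = int(t.group("tls_ssf"))
            s.ssf = int(t.group("ssf"))
        elif (r := RESULT_RE.search(rest)):
            err = int(r.group("err"))
            if err != 0:  # keep only failed operations, with slapd's diagnostic text
                tm = TEXT_RE.search(rest)
                s.failures.append((int(r.group("op")), err, tm.group("text") if tm else ""))
    return sessions


def weak_tls_sessions(sessions: Dict[int, Session],
                      required_ssf: int) -> List[Tuple[int, str, int, int]]:
    """Sessions whose TLS SSF is below required_ssf: (conn, peer, tls_ssf, err13_count)."""
    out = []
    for s in sorted(sessions.values(), key=lambda x: x.conn):
        if s.tls_ssf is not None and s.tls_ssf < required_ssf:
            n13 = sum(1 for _, err, _ in s.failures if err == LDAP_CONFIDENTIALITY_REQUIRED)
            out.append((s.conn, s.peer, s.tls_ssf, n13))
    return out


# Constructed sample log: conn=1123 is modelled on the post's excerpt (the elided
# lines filled in with STARTTLS/BIND entries), conn=1124 is an invented later
# session that negotiated an AES-256 suite and bound successfully.
SAMPLE_LOG = """\
Aug 14 02:41:51 r83c24 slapd[5066]: conn=1123 fd=22 ACCEPT from IP=127.0.0.1:41234 (IP=0.0.0.0:389)
Aug 14 02:41:51 r83c24 slapd[5066]: conn=1123 op=0 STARTTLS
Aug 14 02:41:51 r83c24 slapd[5066]: conn=1123 op=0 RESULT oid= err=0 text=
Aug 14 02:41:51 r83c24 slapd[5066]: conn=1123 fd=22 TLS established tls_ssf=128 ssf=128
Aug 14 02:41:51 r83c24 slapd[5066]: conn=1123 op=1 BIND dn="cn=postfix,dc=example,dc=com" method=128
Aug 14 02:41:51 r83c24 slapd[5066]: conn=1123 op=1 RESULT tag=97 err=13 text=stronger confidentiality required
Aug 14 02:41:51 r83c24 slapd[5066]: conn=1123 fd=22 closed (connection lost)
Aug 14 02:43:10 r83c24 slapd[5066]: conn=1124 fd=23 ACCEPT from IP=127.0.0.1:41300 (IP=0.0.0.0:389)
Aug 14 02:43:10 r83c24 slapd[5066]: conn=1124 op=0 STARTTLS
Aug 14 02:43:10 r83c24 slapd[5066]: conn=1124 op=0 RESULT oid= err=0 text=
Aug 14 02:43:10 r83c24 slapd[5066]: conn=1124 fd=23 TLS established tls_ssf=256 ssf=256
Aug 14 02:43:10 r83c24 slapd[5066]: conn=1124 op=1 BIND dn="cn=postfix,dc=example,dc=com" method=128
Aug 14 02:43:10 r83c24 slapd[5066]: conn=1124 op=1 RESULT tag=97 err=0 text=
Aug 14 02:43:10 r83c24 slapd[5066]: conn=1124 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

if __name__ == "__main__":
    sessions = parse_slapd_log(SAMPLE_LOG.splitlines())
    for conn, peer, tls_ssf, n13 in weak_tls_sessions(sessions, required_ssf=256):
        print(f"conn={conn} from {peer}: tls_ssf={tls_ssf} < 256, err=13 results: {n13}")
```

Run it against a real log with `parse_slapd_log(open("/var/log/slapd.log"))` and the SSF from your olcSecurity setting; a session that shows up with a low tls_ssf but no err=13 results is one that happened not to send an operation before closing, and still needs the client-side fix.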
The solution is to make the client negotiate a 256 bit cipher suite. The setting below is a cipher string, and how it is interpreted depends on the TLS library libldap is linked against (OpenSSL, GnuTLS or Mozilla NSS), so confirm the result in the slapd log rather than trusting the name.
In the system-wide ldap.conf or a per-user ldaprc add:

```
TLS_CIPHER_SUITE AES256
```
If you use Postfix ldap_table lookups, also add to each /etc/postfix/<ldap-table>.cf config file:

```
tls_cipher_suite = AES256
```

Verify the fix on the server side: the next connection in the slapd log should show “TLS established tls_ssf=256 ssf=256”, followed by the bind RESULT with err=0.