The ldap.conf configuration file contains information and configuration directives used by OpenLDAP clients, including, where appropriate, the OpenLDAP utilities.
Which TLS Client directives are used depends on whether the TLS Client will send an X.509 certificate and validate a TLS Server certificate (in which case most of the directives are required) or will only validate a TLS Server certificate (in which case only TLS_CACERT and, optionally, TLS_CIPHER_SUITE are required). Directives required when a TLS Client certificate is used are marked with the keyword CLIENT, those for mutual authentication with the keyword MUTUAL, and those for TLS Server validation only with the keyword SERVER.
TLS_CACERT - TLS Client directive (SERVER). Defines the path and file name of the Certificate Authority certificate (a.k.a. the root certificate) and allows the client to verify the LDAP Server certificate. This file is required whether a self-signed or a commercial certificate is being used; the root certificate must be obtained from the X.509 certificate supplier (or, if self-signed, copied from the LDAP server by some secure process). The file is normally in PEM (Privacy Enhanced Mail) format and typically has a .pem suffix (or, if obtained from an MSIE browser installation, a .cer suffix). If the operational X.509 certificate (defined in TLSCertificateFile) is signed by intermediate authorities then all of those intermediate certificates must also be present in this PEM format file. PEM is a text format and multiple certificates can be edited into the same file in any order - see the PEM format notes and samples and the OpenLDAP self-signed certificate configuration examples. This file contains no sensitive information (an X.509 certificate contains only a public key).
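Because a TLS_CACERT bundle is hand-edited text that may hold several certificates, it is worth checking before deployment that every block is a certificate (a private key pasted in by mistake would sit on every client), that each body is valid base64 wrapping a DER SEQUENCE, and that nothing is duplicated. The checker below is an added example written for this page, not zytrax or OpenLDAP code. The sample bundle is constructed inline: its payloads are minimal ASN.1 SEQUENCEs standing in for real certificates so the script runs offline, and the last two blocks are deliberately wrong (a private-key block and a truncated base64 body) to show what gets reported.

```python
import base64
import re

# Constructed sample bundle of the kind TLS_CACERT points at. The payloads are
# minimal ASN.1 SEQUENCEs (not real certificates); block 3 is a private key
# that must never be in a CA bundle and block 4 has a corrupt base64 body.
FAKE_DER_1 = b"\x30\x03\x02\x01\x01"   # SEQUENCE { INTEGER 1 }
FAKE_DER_2 = b"\x30\x03\x02\x01\x02"   # SEQUENCE { INTEGER 2 }

def _pem_block(label, der):
    body = base64.encodebytes(der).decode("ascii")  # wrapped, newline-terminated
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

SAMPLE_BUNDLE = (
    "Root CA (explanatory text between blocks is allowed in PEM files)\n"
    + _pem_block("CERTIFICATE", FAKE_DER_1)
    + _pem_block("CERTIFICATE", FAKE_DER_2)
    + _pem_block("RSA PRIVATE KEY", FAKE_DER_1)
    + "-----BEGIN CERTIFICATE-----\nMAMCAQ\n-----END CERTIFICATE-----\n"
)

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----",
                    re.DOTALL)

def parse_pem_bundle(text):
    """Return (label, der_bytes_or_None) for every PEM block in the text."""
    blocks = []
    for m in PEM_RE.finditer(text):
        label, b64 = m.group(1), re.sub(r"\s+", "", m.group(2))
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            der = None
        blocks.append((label, der))
    return blocks

def check_ca_bundle(text):
    """Count usable certificates and report anything that does not belong."""
    report = {"certificates": 0, "problems": []}
    blocks = parse_pem_bundle(text)
    if not blocks:
        report["problems"].append("no PEM blocks found")
    seen = {}
    for idx, (label, der) in enumerate(blocks, 1):
        if label != "CERTIFICATE":
            report["problems"].append(
                f"block {idx}: {label} block; TLS_CACERT must hold certificates only")
        elif der is None:
            report["problems"].append(f"block {idx}: body is not valid base64")
        elif not der or der[0] != 0x30:
            report["problems"].append(f"block {idx}: payload is not a DER SEQUENCE")
        elif der in seen:
            report["problems"].append(f"block {idx}: duplicate of block {seen[der]}")
        else:
            seen[der] = idx
            report["certificates"] += 1
    return report

if __name__ == "__main__":
    result = check_ca_bundle(SAMPLE_BUNDLE)
    print(f"{result['certificates']} certificate(s) found")
    for problem in result["problems"]:
        print("PROBLEM:", problem)
```

Run it against a real bundle with `check_ca_bundle(open(path).read())`; the structural check stops at the outer DER SEQUENCE on purpose, since full X.509 parsing is what OpenSSL itself does when the client starts.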
TLS_CIPHER_SUITE - TLS Client directive (SERVER+CLIENT+MUTUAL). This is an optional directive and defaults to the value ALL (the equivalent of openssl ciphers -v ALL). It defines one or more cipher suites to be used during the TLS handshake negotiation. During this negotiation the TLS Client offers a list of cipher suites and the TLS Server accepts the first cipher suite defined in its own list that matches one offered by the client. The term cipher-list used in this directive description means a list (in OpenSSL format) that the OpenSSL libraries convert to a list of cipher suites in TLS/SSL format. More information about the cipher-list format may be obtained from the OpenSSL ciphers documentation. See also the OpenLDAP self-signed certificate configuration examples.
The list of acceptable cipher suites (and hence the cipher-list) is determined by the format of the public key contained in the X.509 certificate: the certificate defined by the TLS_CERT directive if the TLS Client will send a certificate, the TLS Server's certificate if only Server certificate validation is to be performed, or both if a mutual certificate exchange takes place. Thus if the certificate(s) contain an RSA public key then only RSA public key cipher suites can be used for the key-exchange/authentication parts of the TLS handshake. If the public-key algorithm of the incoming TLS Server certificate is unknown then ALL should be used (see the commands below). Individual items in the cipher-list are separated by a colon (:), a comma or a space. The following is a subset of the RSA TLSv1 names that could appear in a cipher-list and their equivalent TLS cipher suite text values (they are converted to hex values when sent on the wire). Note: the word EXPORT (or EXP) that appears in some of the following names refers to export-strength ciphers, that is, ciphers that are permitted only in certain countries (see the US Dept of Commerce Bureau of Industry and Security (BIS) and the Wassenaar Arrangement); this should be considered when configuring TLS systems that will be used internationally.
TLS CIPHER-SUITE NAME                  OPENSSL CIPHER-LIST NAME
=====================================  ========================
TLS_RSA_WITH_NULL_MD5                  NULL-MD5
TLS_RSA_WITH_NULL_SHA                  NULL-SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5         EXP-RC4-MD5
TLS_RSA_WITH_RC4_128_MD5               RC4-MD5
TLS_RSA_WITH_RC4_128_SHA               RC4-SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5     EXP-RC2-CBC-MD5
TLS_RSA_WITH_IDEA_CBC_SHA              IDEA-CBC-SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA      EXP-DES-CBC-SHA
TLS_RSA_WITH_DES_CBC_SHA               DES-CBC-SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA          DES-CBC3-SHA
TLS_RSA_WITH_AES_128_CBC_SHA           AES128-SHA
TLS_RSA_WITH_AES_256_CBC_SHA           AES256-SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA    EXP1024-DES-CBC-SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA     EXP1024-RC4-SHA
To list the cipher-list values supported by the local OpenSSL installation use:
# ALL valid ciphers
openssl ciphers -v ALL

# ALL valid ciphers for TLSv1 only
openssl ciphers -v -tls1 ALL

# valid ciphers for TLSv1 only that use RSA
# key exchange/authentication algorithm
openssl ciphers -v -tls1 RSA

# valid ciphers for TLSv1 only that use RSA
# key exchange/authentication algorithm
# exclude export strength ciphers
openssl ciphers -v -tls1 RSA:!EXP
# NOTE: on certain shells you need to escape !
openssl ciphers -v -tls1 RSA:\!EXP

# as above but also exclude NULL suites
openssl ciphers -v -tls1 RSA:!EXP:!NULL
# NOTE: on certain shells you need to escape !
openssl ciphers -v -tls1 RSA:\!EXP:\!NULL

# valid ciphers for TLSv1 only that use RSA
# key exchange/authentication algorithm
# only export strength ciphers
openssl ciphers -v -tls1 RSA:EXP
# OR
openssl ciphers -v TLSv1+RSA:EXP
When used with TLS_CIPHER_SUITE, either the generic keywords shown with the openssl ciphers command above (for example RSA) can be used, in which case the order of preference is defined by OpenSSL, or an explicit list of ciphers can be defined in order of preference. At least one of the cipher suites in the cipher-list must also be supported by the TLS Server. The cipher suite matching algorithm (which decides the cipher suite selected) is: the first (highest preference) cipher suite offered by the client that is also supported by the server becomes the negotiated (session) cipher suite. The following examples use the TLSv1 (SSLv3) subset only:
# Cipher-list contains only RSA based
# authentication and key-exchange suites
# supported by TLSv1 (and SSLv3)
TLS_CIPHER_SUITE TLSv1+RSA

# Cipher-list contains only RSA based
# authentication and key-exchange suites
# supported by TLSv1 (and SSLv3)
# excludes EXPORT and NULL suites
TLS_CIPHER_SUITE TLSv1+RSA:!EXPORT:!NULL

# Ordered list of RSA based
# authentication and key-exchange suites
TLS_CIPHER_SUITE DES-CBC-SHA:DES-CBC3-SHA:RC4-SHA:RC4-MD5

# All ciphers excluding NULL
TLS_CIPHER_SUITE ALL:!NULL

# Default equivalent value if not defined
TLS_CIPHER_SUITE ALL
Note: OpenSSL supports a number of cipher suites which result in a NULL bulk data cipher and MAC. This means that while authentication is performed securely, all data is subsequently sent in the clear. To prevent this, either include the !NULL value in the cipher-list or define an explicit list that excludes the NULL ciphers.
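The cipher-list format described above (colon, comma or space separated tokens; `!` deletes permanently, `-` deletes until re-added, a leading `+` moves to the end, and `A+B` keeps only suites in both A and B) is easy to get wrong by hand, and the note above shows why it matters: a keyword such as RSA on its own still admits the NULL-encryption suites. The script below is an added example written for this page, not zytrax or OpenLDAP code. It resolves a TLS_CIPHER_SUITE value against the 14 RSA suites in the table above (no other suites are modelled), then flags any NULL-encryption or export-strength suites left negotiable. Keyword semantics follow the OpenSSL ciphers documentation, including the detail that ALL already excludes the eNULL suites, so the page's `ALL:!NULL` example is a harmless belt-and-braces setting rather than a change in behaviour. The ldap.conf fragment is constructed; its hostname and path are placeholders.

```python
import re
from collections import namedtuple

Suite = namedtuple("Suite", "openssl_name tls_name enc mac export")

# The 14 RSA suites from the table above. Key exchange is RSA for all of them
# and all belong to the TLSv1/SSLv3 set, so those keywords match every row.
SUITES = [
    Suite("NULL-MD5", "TLS_RSA_WITH_NULL_MD5", "NULL", "MD5", False),
    Suite("NULL-SHA", "TLS_RSA_WITH_NULL_SHA", "NULL", "SHA", False),
    Suite("EXP-RC4-MD5", "TLS_RSA_EXPORT_WITH_RC4_40_MD5", "RC4", "MD5", True),
    Suite("RC4-MD5", "TLS_RSA_WITH_RC4_128_MD5", "RC4", "MD5", False),
    Suite("RC4-SHA", "TLS_RSA_WITH_RC4_128_SHA", "RC4", "SHA", False),
    Suite("EXP-RC2-CBC-MD5", "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", "RC2", "MD5", True),
    Suite("IDEA-CBC-SHA", "TLS_RSA_WITH_IDEA_CBC_SHA", "IDEA", "SHA", False),
    Suite("EXP-DES-CBC-SHA", "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", "DES", "SHA", True),
    Suite("DES-CBC-SHA", "TLS_RSA_WITH_DES_CBC_SHA", "DES", "SHA", False),
    Suite("DES-CBC3-SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "3DES", "SHA", False),
    Suite("AES128-SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", "AES", "SHA", False),
    Suite("AES256-SHA", "TLS_RSA_WITH_AES_256_CBC_SHA", "AES", "SHA", False),
    Suite("EXP1024-DES-CBC-SHA", "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA", "DES", "SHA", True),
    Suite("EXP1024-RC4-SHA", "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA", "RC4", "SHA", True),
]
BY_NAME = {s.openssl_name: s for s in SUITES}

def _members(keyword):
    """Suites selected by one cipher-list keyword (or an explicit suite name)."""
    if keyword in BY_NAME:
        return [BY_NAME[keyword]]
    kw = keyword.upper()
    if kw == "ALL":                        # OpenSSL: everything except eNULL
        return [s for s in SUITES if s.enc != "NULL"]
    if kw in ("NULL", "ENULL", "COMPLEMENTOFALL"):
        return [s for s in SUITES if s.enc == "NULL"]
    if kw in ("RSA", "KRSA", "ARSA", "TLSV1", "SSLV3"):
        return list(SUITES)
    if kw in ("EXP", "EXPORT"):
        return [s for s in SUITES if s.export]
    if kw in ("MD5", "SHA", "SHA1"):
        return [s for s in SUITES if s.mac == kw.replace("SHA1", "SHA")]
    if kw in ("RC4", "RC2", "DES", "3DES", "IDEA", "AES"):
        return [s for s in SUITES if s.enc == kw]
    raise ValueError(f"unknown cipher-list keyword: {keyword!r}")

def resolve_cipher_list(spec):
    """OpenSSL names a cipher-list selects, in the order they will be offered."""
    current, killed = [], set()
    for token in re.split(r"[:, ]+", spec.strip()):
        if not token:
            continue
        prefix = token[0] if token[0] in "!-+" else ""
        matched = list(SUITES)
        for kw in token[len(prefix):].split("+"):   # "A+B" = in both A and B
            wanted = {s.openssl_name for s in _members(kw)}
            matched = [s for s in matched if s.openssl_name in wanted]
        names = [s.openssl_name for s in matched]
        if prefix == "!":            # deleted for good; later tokens cannot re-add
            killed.update(names)
            current = [n for n in current if n not in killed]
        elif prefix == "-":          # deleted, but a later token may re-add
            current = [n for n in current if n not in names]
        elif prefix == "+":          # moved to the end (lowest preference)
            current = [n for n in current if n not in names] + \
                      [n for n in current if n in names]
        else:                        # appended in OpenSSL's default order
            current += [n for n in names if n not in current and n not in killed]
    return current

def audit_tls_cipher_suite(spec):
    """Resolve a TLS_CIPHER_SUITE value and list the suites the note above warns about."""
    negotiable = resolve_cipher_list(spec)
    return {
        "negotiable": negotiable,
        "null_encryption": [n for n in negotiable if BY_NAME[n].enc == "NULL"],
        "export_strength": [n for n in negotiable if BY_NAME[n].export],
    }

def tls_cipher_suite_from_ldap_conf(text):
    """TLS_CIPHER_SUITE value from ldap.conf text; ALL when the directive is absent."""
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "TLS_CIPHER_SUITE":
            return parts[1].strip()
    return "ALL"

# Constructed ldap.conf fragment (hostname and path are placeholders).
SAMPLE_LDAP_CONF = """\
BASE        dc=example,dc=com
URI         ldaps://ldap.example.com
TLS_CACERT  /etc/openldap/cacerts/ca-bundle.pem
TLS_CIPHER_SUITE  TLSv1+RSA:!EXPORT:!NULL
"""

if __name__ == "__main__":
    for spec in (tls_cipher_suite_from_ldap_conf(SAMPLE_LDAP_CONF), "RSA", "ALL:!NULL"):
        report = audit_tls_cipher_suite(spec)
        print(f"{spec:28} -> {len(report['negotiable'])} suites,"
              f" NULL: {report['null_encryption']}, EXPORT: {report['export_strength']}")
```

Point `tls_cipher_suite_from_ldap_conf` at the contents of a real ldap.conf and compare the resolved list with `openssl ciphers -v` on the same host; the two differ only where the local OpenSSL build knows suites outside the 14 in the table.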
This work is licensed under a Creative Commons License.