Require TLS on OpenLDAP

A common question that comes up on the LDAP mailing list and among peers of mine who work with OpenLDAP is “how do I force clients to use secure connections when connecting to my LDAP directory?”.

The correct way to require TLS using OpenLDAP is to set

minssf=256

under cn=config using the olcSecurity attribute. minssf is the minimum security strength factor a connection must provide before the server will process operations on it: a plaintext connection has an SSF of 0, while a TLS session's SSF is the key length of its negotiated cipher, so minssf=256 admits only TLS sessions that negotiated a 256-bit cipher such as AES-256 and rejects everything weaker.

Here is a sample LDIF that applies this setting as a dynamic update to your directory.

dn: cn=config
changetype: modify
add: olcSecurity
olcSecurity: minssf=256

Be sure every client supports TLS before enforcing this requirement, since any client that does not will be refused once the setting takes effect; checking first minimizes downtime.

To apply the LDIF above, save the text as require-tls.ldif and run the following command (the -ZZ option makes ldapmodify insist on a successful StartTLS negotiation, so the change itself is sent over TLS):

ldapmodify -xZZH ldap://$LDAPHOST/ -D "cn=admin,cn=config" -w $BINDPW -f require-tls.ldif
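As an added check that is not part of the original post or of the OpenLDAP project: after applying the change, export cn=config (for example with `slapcat -n 0 > config.ldif`) and run this POSIX shell audit over the export. It unfolds LDIF continuation lines, reports the minssf factor of every entry that carries olcSecurity, and exits non-zero unless cn=config enforces at least the requested value. The function names are my own.

```shell
#!/bin/sh
# Audit a cn=config export for the olcSecurity minssf setting.
# Constructed example; not from the post or the OpenLDAP project.

# Print "dn<TAB>minssf" for every entry carrying olcSecurity.
# minssf is reported as 0 when the attribute has no minssf factor.
# Usage: olcsecurity_minssf [FILE]   (reads stdin when FILE is omitted)
olcsecurity_minssf() {
    awk '
    # LDIF folds long values onto lines starting with a space; unfold them.
    /^ / { line = line substr($0, 2); next }
    { if (line != "") handle(line); line = $0 }
    END { if (line != "") handle(line) }
    function handle(l,    n, parts, i, kv) {
        if (l ~ /^dn: /) { dn = substr(l, 5); return }   # "dn: " is 4 chars
        if (l !~ /^olcSecurity: /) return                 # prefix is 13 chars
        min = 0
        n = split(substr(l, 14), parts, " ")              # factors: key=value
        for (i = 1; i <= n; i++) {
            split(parts[i], kv, "=")
            if (kv[1] == "minssf") min = kv[2] + 0
        }
        printf "%s\t%d\n", dn, min
    }' "$@"
}

# Exit 0 when the global entry (cn=config) enforces at least MINSSF, else 1.
# Usage: tls_required MINSSF [FILE]   (reads stdin when FILE is omitted)
tls_required() {
    olcsecurity_minssf ${2:+"$2"} | awk -F '\t' -v min="$1" '
        $1 == "cn=config" && $2 + 0 >= min + 0 { ok = 1 }
        END { exit ok ? 0 : 1 }'
}
```

A live check of the same property: a simple bind over plain ldap:// (for example `ldapwhoami -x -H ldap://$LDAPHOST/ -D ... -w ...`) should now fail with LDAP result 13 (Confidentiality required), while the same bind with -ZZ succeeds.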
