A common question that comes up on the LDAP mailing list and among peers of mine who work with OpenLDAP is “how do I force clients to use secure connections when connecting to my LDAP directory?”.
The correct way to require TLS with OpenLDAP is to set a minimum security strength factor (SSF) under cn=config using the olcSecurity attribute. The SSF is slapd's measure of the protection on a connection, roughly the symmetric key length in bits: 0 for cleartext, 1 for integrity only, 128 for AES-128, 256 for AES-256. With olcSecurity: ssf=N in place, slapd answers every operation arriving on a weaker connection, including an anonymous simple bind, with "confidentiality required"; the StartTLS extended operation itself is exempt so clients can still upgrade, and an ldaps:// session satisfies the check as well.
Here is a sample LDIF that applies the setting dynamically through cn=config, so slapd does not need to be restarted. Note that the factor keyword is ssf=, not minssf= (minssf belongs to the SASL secprops settings and is not an olcSecurity factor):
dn: cn=config
changetype: modify
add: olcSecurity
olcSecurity: ssf=256
Be sure every client can complete a TLS handshake with the server before enforcing this, or you will take them offline; that includes the tooling you would use to undo the change. Two details commonly bite. First, a StartTLS or ldaps:// session only earns the SSF of the cipher it negotiated, so ssf=256 refuses any session that settled on a 128-bit cipher; ssf=128 is the usual choice when the goal is simply "encrypted". Second, connections over ldapi:// take their SSF from olcLocalSSF (default 71) rather than from TLS, so a requirement above 71 also locks out local management scripts unless you raise olcLocalSSF. If all you need is to keep passwords off the wire, olcSecurity: simple_bind=128 restricts simple binds alone and leaves anonymous reads in cleartext.
To apply the LDIF above, save it as require-tls.ldif and run:
ldapmodify -x -ZZ -H ldap://$LDAPHOST/ -D "cn=admin,cn=config" -w $BINDPW -f require-tls.ldif
-ZZ makes ldapmodify fail rather than fall back to cleartext if StartTLS cannot be negotiated, which doubles as a quick check that the server certificate is usable before the requirement bites. Prefer -W (prompt) over -w $BINDPW in practice, since -w exposes the password in the process list and shell history. This form assumes the config database has olcRootDN cn=admin,cn=config with an olcRootPW set; on installations that manage cn=config as root over the local socket (the Debian and Ubuntu packages by default), use ldapmodify -Y EXTERNAL -H ldapi:/// -f require-tls.ldif instead.
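As an added example (not part of the original post, and not OpenLDAP project code), the following POSIX shell script wraps the procedure above: it checks that StartTLS works before enforcing it, writes the LDIF, applies it over StartTLS, reads back what slapd stored, and then proves enforcement by confirming that a cleartext anonymous bind is refused with result code 13 (confidentiality required). It uses ssf=128 rather than 256 so that sessions negotiating a 128-bit cipher stay usable. The LDAPHOST and BINDPW variables, the cn=admin,cn=config rootdn and the require-tls.ldif filename are assumptions carried over from the post; nothing on the network is contacted unless both variables are set.

```sh
#!/bin/sh
# Added example, not code from the original post or from OpenLDAP.
# Assumptions (hypothetical, set for your environment): LDAPHOST names the
# server, BINDPW is the password for the cn=config rootdn cn=admin,cn=config,
# and the ldap-utils clients (ldapmodify, ldapsearch, ldapwhoami) are present.

LDIF_FILE="${LDIF_FILE:-require-tls.ldif}"

# Emit the LDIF for a given minimum security strength factor. 'ssf=' is the
# keyword the olcSecurity / security directive understands; 'replace' instead
# of 'add' keeps the modify idempotent because olcSecurity is single-valued.
make_ldif() {
    printf 'dn: cn=config\nchangetype: modify\nreplace: olcSecurity\nolcSecurity: ssf=%s\n' "$1"
}

# Return 0 if the host completes a StartTLS handshake (-ZZ: never fall back
# to cleartext), so enforcement will not lock out the admin tooling itself.
tls_works() {
    ldapwhoami -x -ZZ -H "ldap://$1/" >/dev/null 2>&1
}

# Apply the LDIF over StartTLS as the cn=config rootdn.
apply_ldif() {
    ldapmodify -x -ZZ -H "ldap://$1/" -D "cn=admin,cn=config" -w "$2" -f "$3"
}

# Read back the stored policy plus olcLocalSSF, the SSF ldapi:// clients get.
show_security() {
    ldapsearch -x -ZZ -LLL -H "ldap://$1/" -D "cn=admin,cn=config" -w "$2" \
        -b cn=config -s base olcSecurity olcLocalSSF
}

# Attempt a cleartext anonymous bind. ldapwhoami exits with the LDAP result
# code; 13 is LDAP_CONFIDENTIALITY_REQUIRED, which slapd returns once the ssf
# requirement is in force. Returns 0 when cleartext is rejected, 1 otherwise
# (cleartext still accepted, or some unrelated error such as host unreachable).
cleartext_rejected() {
    rc=0
    ldapwhoami -x -H "ldap://$1/" >/dev/null 2>&1 || rc=$?
    [ "$rc" -eq 13 ]
}

if [ -n "${LDAPHOST:-}" ] && [ -n "${BINDPW:-}" ]; then
    tls_works "$LDAPHOST" || {
        echo "StartTLS to $LDAPHOST failed; fix TLS before requiring it" >&2
        exit 1
    }
    make_ldif 128 > "$LDIF_FILE"
    apply_ldif "$LDAPHOST" "$BINDPW" "$LDIF_FILE"
    show_security "$LDAPHOST" "$BINDPW"
    if cleartext_rejected "$LDAPHOST"; then
        echo "ok: cleartext binds to $LDAPHOST are refused (result 13)"
    else
        echo "warning: cleartext bind not refused with 13; check slapd logs" >&2
        exit 1
    fi
fi
```

Run it as LDAPHOST=ldap.example.org BINDPW=... sh require-tls.sh. The pre-check matters because once ssf is enforced the same ldapmodify must itself travel over TLS to roll the change back; if the certificate is bad you would be reduced to editing cn=config through ldapi:// as root, which only works if olcLocalSSF is at or above the value you just required.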