If slapd is built with support for Transport Layer Security,
there are more options you can specify.
olcTLSCipherSuite: <cipher-suite-spec>
Permits configuring what ciphers will be accepted and the
preference order. <cipher-suite-spec> should be a cipher
specification for the TLS library in use (OpenSSL or
GnuTLS). Example:
OpenSSL:
olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2
GnuTLS:
olcTLSCiphersuite: SECURE256:!AES-128-CBC
To check what ciphers a given spec selects in OpenSSL,
use:
openssl ciphers -v <cipher-suite-spec>
With GnuTLS the available specs can be found in the manual
page of gnutls-cli(1) (see the description of the option
--priority).
In older versions of GnuTLS, where gnutls-cli does not
support the option --priority, you can obtain the — more
limited — list of ciphers by calling:
gnutls-cli -l
olcTLSCACertificateFile: <filename>
Specifies the file that contains certificates for all of
the Certificate Authorities that slapd will recognize.
The certificate for the CA that signed the server
certificate must be included among these certificates. If
the signing CA was not a top-level (root) CA, certificates
for the entire sequence of CA's from the signing CA to the
top-level CA should be present. Multiple certificates are
simply appended to the file; the order is not significant.
olcTLSCACertificatePath: <path>
Specifies the path of directories that contain Certificate
Authority certificates in separate individual files.
Usually only one of this or the olcTLSCACertificateFile is
defined. If both are specified, both locations will be
used. Multiple directories may be specified, separated by
a semi-colon.
olcTLSCertificateFile: <filename>
Specifies the file that contains the slapd server
certificate.
When using OpenSSL that file may also contain any number
of intermediate certificates after the server certificate.
olcTLSCertificateKeyFile: <filename>
Specifies the file that contains the slapd server private
key that matches the certificate stored in the
olcTLSCertificateFile file. If the private key is
protected with a password, the password must be manually
typed in when slapd starts. Usually the private key is
not protected with a password, to allow slapd to start
without manual intervention, so it is of critical
importance that the file is protected carefully.
olcTLSDHParamFile: <filename>
This directive specifies the file that contains parameters
for Diffie-Hellman ephemeral key exchange. This is
required in order to use a DSA certificate on the server,
or an RSA certificate missing the "key encipherment" key
usage. Note that setting this option may also enable
Anonymous Diffie-Hellman key exchanges in certain non-
default cipher suites. Anonymous key exchanges should
generally be avoided since they provide no actual client
or server authentication and provide no protection against
man-in-the-middle attacks. You should append "!ADH" to
your cipher suites to ensure that these suites are not
used.
olcTLSECName: <name>
Specify the name of the curve(s) to use for Elliptic curve
Diffie-Hellman ephemeral key exchange. This option is
only used for OpenSSL. This option is not used with
GnuTLS; the curves may be chosen in the GnuTLS ciphersuite
specification.
olcTLSProtocolMin: <major>[.<minor>]
Specifies minimum SSL/TLS protocol version that will be
negotiated. If the server doesn't support at least that
version, the SSL handshake will fail. To require TLS 1.x
or higher, set this option to 3.(x+1), e.g.,
olcTLSProtocolMin: 3.2
would require TLS 1.1. Specifying a minimum that is
higher than that supported by the OpenLDAP implementation
will result in it requiring the highest level that it does
support. This directive is ignored with GnuTLS.
olcTLSRandFile: <filename>
Specifies the file to obtain random bits from when
/dev/[u]random is not available. Generally set to the
name of the EGD/PRNGD socket. The environment variable
RANDFILE can also be used to specify the filename. This
directive is ignored with GnuTLS.
olcTLSVerifyClient: <level>
Specifies what checks to perform on client certificates in
an incoming TLS session, if any. The <level> can be
specified as one of the following keywords:
never This is the default. slapd will not ask the client
for a certificate.
allow The client certificate is requested. If no
certificate is provided, the session proceeds
normally. If a bad certificate is provided, it
will be ignored and the session proceeds normally.
try The client certificate is requested. If no
certificate is provided, the session proceeds
normally. If a bad certificate is provided, the
session is immediately terminated.
demand | hard | true
These keywords are all equivalent, for
compatibility reasons. The client certificate is
requested. If no certificate is provided, or a bad
certificate is provided, the session is immediately
terminated.
Note that a valid client certificate is required in
order to use the SASL EXTERNAL authentication
mechanism with a TLS session. As such, a non-
default olcTLSVerifyClient setting must be chosen
to enable SASL EXTERNAL authentication.
olcTLSCRLCheck: <level>
Specifies if the Certificate Revocation List (CRL) of the
CA should be used to verify if the client certificates
have not been revoked. This requires
olcTLSCACertificatePath parameter to be set. This
parameter is ignored with GnuTLS. <level> can be
specified as one of the following keywords:
none No CRL checks are performed
peer Check the CRL of the peer certificate
all Check the CRL for a whole certificate chain
olcTLSCRLFile: <filename>
Specifies a file containing a Certificate Revocation List
to be used for verifying that certificates have not been
revoked. This parameter is only valid when using GnuTLS.
