If lloadd
is built with support for Transport Layer Security,
there are more options you can specify.
TLSShareSlapdCTX { on | off }
If set to off (the default), lloadd will use its own TLS
context (which needs to be configured via cn=config unless
lloadd is run as a standalone daemon). If set to on, the
TLS context of slapd is used instead, and the TLS options
configured for slapd apply rather than the ones below.
The following options are available only when compiled as a
standalone daemon. When compiled as a slapd(8) module, the
cn=config equivalents need to be used if a separate TLS context
for the module is needed, otherwise use the TLSShareSlapdCTX
option.
TLSCipherSuite <cipher-suite-spec>
Permits configuring what ciphers will be accepted and the
preference order. <cipher-suite-spec> should be a cipher
specification for the TLS library in use (OpenSSL, GnuTLS,
or Mozilla NSS). Example:
OpenSSL:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
GnuTLS:
TLSCipherSuite SECURE256:!AES-128-CBC
Note that the OpenSSL example is a legacy one: current
OpenSSL releases contain no SSLv2 cipher suites, and MEDIUM
admits weak suites such as RC4. For a new deployment prefer
a spec along the lines of HIGH:!ADH:!aNULL:!eNULL:!MD5:!RC4
and verify what it selects with the command below.
To check what ciphers a given spec selects in OpenSSL,
use:
openssl ciphers -v <cipher-suite-spec>
With GnuTLS the available specs can be found in the manual
page of gnutls-cli(1) (see the description of the option
--priority
).
In older versions of GnuTLS, where gnutls-cli does not
support the option --priority, you can obtain the — more
limited — list of ciphers by calling:
gnutls-cli -l
When using Mozilla NSS, the OpenSSL cipher suite
specifications are used and translated into the format
used internally by Mozilla NSS. There isn't an easy way
to list the cipher suites from the command line. The
authoritative list is in the source code for Mozilla NSS
in the file sslinfo.c in the structure
static const SSLCipherSuiteInfo suiteInfo[]
TLSCACertificateFile <filename>
Specifies the file that contains certificates for all of
the Certificate Authorities that lloadd
will recognize.
The certificate for the CA that signed the server
certificate must be included among these certificates. If
the signing CA was not a top-level (root) CA, certificates
for the entire chain of CAs from the signing CA to the
top-level CA should be present. Multiple certificates are
simply appended to the file; the order is not significant.
The same set of CAs is used to validate client certificates
when TLSVerifyClient requests them, so include only CAs you
trust to issue client identities.
TLSCACertificatePath <path>
Specifies the path of a directory that contains
Certificate Authority certificates in separate individual
files. Usually only one of this or the
TLSCACertificateFile is used. This directive is not
supported when using GnuTLS.
When using Mozilla NSS, <path> may contain a Mozilla NSS
cert/key database. If <path> contains a Mozilla NSS
cert/key database and CA cert files, OpenLDAP will use the
cert/key database and will ignore the CA cert files.
TLSCertificateFile <filename>
Specifies the file that contains the lloadd
server
certificate.
When using Mozilla NSS, if using a cert/key database
(specified with TLSCACertificatePath), TLSCertificateFile
specifies the name of the certificate to use:
TLSCertificateFile Server-Cert
If using a token other than the internal built in token,
specify the token name first, followed by a colon:
TLSCertificateFile my hardware device:Server-Cert
Use certutil -L to list the certificates by name:
certutil -d /path/to/certdbdir -L
TLSCertificateKeyFile <filename>
Specifies the file that contains the lloadd
server private
key that matches the certificate stored in the
TLSCertificateFile
file. Currently, the private key must
not be protected with a password, so it is of critical
importance that the file is protected carefully (readable
only by the user lloadd runs as).
When using Mozilla NSS, TLSCertificateKeyFile specifies
the name of a file that contains the password for the key
for the certificate specified with TLSCertificateFile.
The modutil command can be used to turn off password
protection for the cert/key database. For example, if
TLSCACertificatePath specifies /etc/openldap/certdb as the
location of the cert/key database, use modutil to change
the password to the empty string:
modutil -dbdir /etc/openldap/certdb -changepw 'NSS Certificate DB'
You must have the old password, if any. Ignore the
WARNING about the running browser. Press 'Enter' for the
new password.
TLSDHParamFile <filename>
This directive specifies the file that contains parameters
for Diffie-Hellman ephemeral key exchange. This is
required in order to use a DSA certificate on the server,
or an RSA certificate missing the "key encipherment" key
usage. Note that setting this option may also enable
Anonymous Diffie-Hellman key exchanges in certain non-
default cipher suites. Anonymous key exchanges should
generally be avoided since they provide no actual client
or server authentication and provide no protection against
man-in-the-middle attacks. You should append "!ADH" to
your cipher suites to ensure that these suites are not
used. When using Mozilla NSS these parameters are always
generated randomly so this directive is ignored.
TLSECName <name>
Specify the name of a curve to use for Elliptic curve
Diffie-Hellman ephemeral key exchange. This is required
to enable ECDHE algorithms in OpenSSL. This option is not
used with GnuTLS; the curves may be chosen in the GnuTLS
ciphersuite specification. This option is also ignored for
Mozilla NSS.
TLSProtocolMin <major>[.<minor>]
Specifies minimum SSL/TLS protocol version that will be
negotiated. If the server doesn't support at least that
version, the SSL handshake will fail. To require TLS 1.x
or higher, set this option to 3.(x+1), e.g.,
TLSProtocolMin 3.2
would require TLS 1.1; likewise 3.3 requires TLS 1.2 and
3.4 requires TLS 1.3. Specifying a minimum that is higher
than that supported by the OpenLDAP implementation will
result in it requiring the highest level that it does
support. This directive is ignored with GnuTLS.
TLSRandFile <filename>
Specifies the file to obtain random bits from when
/dev/[u]random is not available. Generally set to the
name of the EGD/PRNGD socket. The environment variable
RANDFILE can also be used to specify the filename. This
directive is ignored with GnuTLS and Mozilla NSS.
TLSVerifyClient <level>
Specifies what checks to perform on client certificates in
an incoming TLS session, if any. The <level>
can be
specified as one of the following keywords:
never
This is the default. lloadd
will not ask the
client for a certificate.
allow
The client certificate is requested. If no
certificate is provided, the session proceeds
normally. If a bad certificate is provided, it
will be ignored and the session proceeds normally.
try
The client certificate is requested. If no
certificate is provided, the session proceeds
normally. If a bad certificate is provided, the
session is immediately terminated.
demand | hard | true
These keywords are all equivalent, for
compatibility reasons. The client certificate is
requested. If no certificate is provided, or a bad
certificate is provided, the session is immediately
terminated. This is the only level that actually
enforces client authentication; allow and try still
admit clients that present no certificate at all.
TLSCRLCheck <level>
Specifies if the Certificate Revocation List (CRL)
of the CA should be used to verify that client
certificates have not been revoked. This requires
the TLSCACertificatePath parameter to be set, since
the CRLs are read from that directory. This
directive is ignored with GnuTLS and Mozilla NSS.
<level>
can be specified as one of the following
keywords:
none
No CRL checks are performed
peer
Check the CRL of the peer certificate
all
Check the CRL for a whole certificate chain
TLSCRLFile <filename>
Specifies a file containing a Certificate
Revocation List to be used for verifying that
certificates have not been revoked. This directive
is only valid when using GnuTLS and Mozilla NSS.
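The directives above interact: TLSDHParamFile can pull anonymous DH suites into a cipher spec unless !ADH is appended, TLSCRLCheck is silently useless without TLSCACertificatePath, and only TLSVerifyClient demand enforces client authentication. The following linter, an added example that is not part of OpenLDAP or lloadd, parses the TLS* directives of an lloadd.conf fragment and reports those pitfalls; the two config fragments it checks (one weak, one corrected) and the list of weak cipher tokens are constructed for this example, and the file paths in them are placeholders.

```python
"""Lint the TLS* directives in an lloadd.conf(5) fragment.

Added example, not part of OpenLDAP or lloadd: it parses the directives
documented above and reports the settings a reviewer would push back on.
The two configs at the bottom are constructed for this example.
"""
import re

MODERN_MIN = (3, 3)  # TLSProtocolMin 3.3 == TLS 1.2 (3.(x+1) encodes TLS 1.x)

# Cipher-string tokens that (re)enable weak, export or unauthenticated suites
# when used positively; '!' exclusions of the same names are what we want.
WEAK_TOKENS = {"SSLv2", "SSLv3", "LOW", "MEDIUM", "EXPORT", "EXP", "ADH",
               "aNULL", "eNULL", "NULL", "RC4", "DES", "MD5", "COMPLEMENTOFDEFAULT"}


def parse_tls_directives(text):
    """Map lower-cased TLS* directive names to values. Names are
    case-insensitive; a value may contain spaces (NSS token names), so only
    the first whitespace run splits; lines starting with '#' are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        if name.startswith("tls"):
            conf[name] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def protocol_min(value):
    """Parse '<major>[.<minor>]' into (major, minor): '3.2' -> (3, 2)."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?", value.strip())
    if not m:
        raise ValueError("bad TLSProtocolMin value: %r" % value)
    return int(m.group(1)), int(m.group(2) or 0)


def tls_version_name(ver):
    """Human name for a TLSProtocolMin tuple: (3, 3) -> 'TLS 1.2'."""
    major, minor = ver
    if major != 3 or minor < 1:
        return "SSLv3 or older"
    return "TLS 1.%d" % (minor - 1)


def cipher_tokens(spec):
    """Split an OpenSSL-style cipher string into (operator, name) pairs."""
    tokens = []
    for item in re.split(r"[:, ]+", spec):
        if item:
            op = item[0] if item[0] in "+-!" else ""
            tokens.append((op, item[len(op):]))
    return tokens


def lint(conf):
    """Return a list of findings (strings) for a parsed directive map."""
    findings = []
    if conf.get("tlsshareslapdctx", "off").lower() in ("on", "yes", "true"):
        return ["INFO: TLSShareSlapdCTX on: slapd's TLS context and settings "
                "apply; review them in slapd.conf/cn=config instead"]
    spec = conf.get("tlsciphersuite", "")
    for op, name in cipher_tokens(spec):
        if op in ("", "+") and name in WEAK_TOKENS:
            findings.append("WARN: TLSCipherSuite token %r enables weak or "
                            "anonymous suites" % (op + name))
    if "tlsdhparamfile" in conf:
        excluded = {n for op, n in cipher_tokens(spec) if op == "!"}
        if not excluded & {"ADH", "aNULL"}:
            findings.append("WARN: TLSDHParamFile is set but TLSCipherSuite "
                            "does not exclude anonymous DH (append !ADH)")
    if "tlsprotocolmin" not in conf:
        findings.append("WARN: TLSProtocolMin not set; library default applies")
    else:
        ver = protocol_min(conf["tlsprotocolmin"])
        if ver < MODERN_MIN:
            findings.append("WARN: TLSProtocolMin %s allows %s; use 3.3 (TLS 1.2) "
                            "or higher" % (conf["tlsprotocolmin"], tls_version_name(ver)))
    verify = conf.get("tlsverifyclient", "never").lower()
    if verify in ("never", "allow"):
        findings.append("INFO: TLSVerifyClient %s: client certs not enforced" % verify)
    crl = conf.get("tlscrlcheck", "none").lower()
    if crl == "none":
        findings.append("INFO: no CRL checking (TLSCRLCheck none)")
    elif "tlscacertificatepath" not in conf:
        findings.append("ERROR: TLSCRLCheck %s requires TLSCACertificatePath" % crl)
    if "tlscertificatefile" in conf and "tlscertificatekeyfile" not in conf:
        findings.append("ERROR: TLSCertificateFile set without TLSCertificateKeyFile")
    if "tlscacertificatefile" in conf and "tlscacertificatepath" in conf:
        findings.append("INFO: both TLSCACertificateFile and TLSCACertificatePath "
                        "set; usually only one is used")
    return findings


# Constructed sample fragments; paths are placeholders.
WEAK_CONF = """
# weak lloadd.conf TLS fragment (constructed for this example)
TLSCACertificateFile /etc/openldap/ca.pem
TLSCertificateFile /etc/openldap/lloadd.crt
TLSCertificateKeyFile /etc/openldap/lloadd.key
TLSDHParamFile /etc/openldap/dh2048.pem
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSProtocolMin 3.1
TLSVerifyClient allow
TLSCRLCheck peer
"""

HARDENED_CONF = """
# corrected lloadd.conf TLS fragment (constructed for this example)
TLSCACertificatePath /etc/openldap/cacerts
TLSCertificateFile /etc/openldap/lloadd.crt
TLSCertificateKeyFile /etc/openldap/lloadd.key
TLSDHParamFile /etc/openldap/dh2048.pem
TLSECName prime256v1
TLSCipherSuite HIGH:!ADH:!aNULL:!eNULL:!MD5:!RC4
TLSProtocolMin 3.3
TLSVerifyClient demand
TLSCRLCheck all
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print("== %s ==" % label)
        for finding in lint(parse_tls_directives(conf)) or ["OK: no findings"]:
            print(" ", finding)
```

The linter only reads the directives; it deliberately does not touch the certificate, key or DH files, so it can run as a pre-commit check on a config repository. It also does not try to expand the cipher spec itself: the authoritative answer for what a spec selects is still `openssl ciphers -v <spec>` run against the OpenSSL build lloadd is linked with.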