Guide to the Linux Manual


slapd-config(5)

configuration backend to slapd

TLS (Transport Layer Security) options

If slapd is built with support for Transport Layer Security, there are more options you can specify.

olcTLSCipherSuite: <cipher-suite-spec> Permits configuring what ciphers will be accepted and the preference order. <cipher-suite-spec> should be a cipher specification for the TLS library in use (OpenSSL or GnuTLS). Example:

OpenSSL: olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2

GnuTLS: olcTLSCipherSuite: SECURE256:!AES-128-CBC

To check what ciphers a given spec selects in OpenSSL, use:

openssl ciphers -v <cipher-suite-spec>

With GnuTLS the available specs can be found in the manual page of gnutls-cli(1) (see the description of the option --priority).

In older versions of GnuTLS, where gnutls-cli does not support the option --priority, you can obtain the — more limited — list of ciphers by calling:

gnutls-cli -l

olcTLSCACertificateFile: <filename> Specifies the file that contains certificates for all of the Certificate Authorities that slapd will recognize. The certificate for the CA that signed the server certificate must be included among these certificates. If the signing CA was not a top-level (root) CA, certificates for the entire sequence of CA's from the signing CA to the top-level CA should be present. Multiple certificates are simply appended to the file; the order is not significant.

olcTLSCACertificatePath: <path> Specifies the path of directories that contain Certificate Authority certificates in separate individual files. Usually only one of this or olcTLSCACertificateFile is defined. If both are specified, both locations will be used. Multiple directories may be specified, separated by a semi-colon.

olcTLSCertificateFile: <filename> Specifies the file that contains the slapd server certificate.

When using OpenSSL that file may also contain any number of intermediate certificates after the server certificate.

olcTLSCertificateKeyFile: <filename> Specifies the file that contains the slapd server private key that matches the certificate stored in the olcTLSCertificateFile file. If the private key is protected with a password, the password must be manually typed in when slapd starts. Usually the private key is not protected with a password, to allow slapd to start without manual intervention, so it is of critical importance that the file is protected carefully.

olcTLSDHParamFile: <filename> This directive specifies the file that contains parameters for Diffie-Hellman ephemeral key exchange. This is required in order to use a DSA certificate on the server, or an RSA certificate missing the "key encipherment" key usage. Note that setting this option may also enable Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites. Anonymous key exchanges should generally be avoided since they provide no actual client or server authentication and provide no protection against man-in-the-middle attacks. You should append "!ADH" to your cipher suites to ensure that these suites are not used.

olcTLSECName: <name> Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman ephemeral key exchange. This option is only used for OpenSSL. This option is not used with GnuTLS; the curves may be chosen in the GnuTLS ciphersuite specification.

olcTLSProtocolMin: <major>[.<minor>] Specifies the minimum SSL/TLS protocol version that will be negotiated. If the server doesn't support at least that version, the SSL handshake will fail. To require TLS 1.x or higher, set this option to 3.(x+1), e.g.,

olcTLSProtocolMin: 3.2

would require TLS 1.1. Specifying a minimum that is higher than that supported by the OpenLDAP implementation will result in it requiring the highest level that it does support. This directive is ignored with GnuTLS.

olcTLSRandFile: <filename> Specifies the file to obtain random bits from when /dev/[u]random is not available. Generally set to the name of the EGD/PRNGD socket. The environment variable RANDFILE can also be used to specify the filename. This directive is ignored with GnuTLS.

olcTLSVerifyClient: <level> Specifies what checks to perform on client certificates in an incoming TLS session, if any. The <level> can be specified as one of the following keywords:

never This is the default. slapd will not ask the client for a certificate.

allow The client certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it will be ignored and the session proceeds normally.

try The client certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, the session is immediately terminated.

demand | hard | true These keywords are all equivalent, for compatibility reasons. The client certificate is requested. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated.

Note that a valid client certificate is required in order to use the SASL EXTERNAL authentication mechanism with a TLS session. As such, a non-default olcTLSVerifyClient setting must be chosen to enable SASL EXTERNAL authentication.

olcTLSCRLCheck: <level> Specifies whether the Certificate Revocation List (CRL) of the CA should be used to verify that client certificates have not been revoked. This requires the olcTLSCACertificatePath parameter to be set. This parameter is ignored with GnuTLS. <level> can be specified as one of the following keywords:

none No CRL checks are performed

peer Check the CRL of the peer certificate

all Check the CRL for a whole certificate chain

olcTLSCRLFile: <filename> Specifies a file containing a Certificate Revocation List to be used for verifying that certificates have not been revoked. This parameter is only valid when using GnuTLS.
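The olcTLS* directives above interact: olcTLSDHParamFile calls for "!ADH" in the cipher suite, olcTLSProtocolMin's 3.(x+1) value maps to TLS 1.x, olcTLSVerifyClient decides whether bad client certificates are tolerated and whether SASL EXTERNAL is possible, and olcTLSCRLCheck depends on olcTLSCACertificatePath and on the TLS library. The following auditor, an added example that is not part of the manual page or the OpenLDAP project, parses a cn=config LDIF fragment and reports which of those rules it violates. The two LDIF fragments, the file paths in them, and the policy threshold for olcTLSProtocolMin (TLS 1.2) are constructed assumptions of this example; the attribute names and their semantics come from the page.

```python
"""Audit the olcTLS* attributes of a slapd cn=config entry against the rules
described in slapd-config(5).

Added example: not code from the manual page or from the OpenLDAP project.
The LDIF fragments below are constructed sample input, and the minimum-
version "policy" is an assumption of this auditor, not of the manual page."""
import re

# Constructed sample: a weak configuration ...
WEAK_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2
olcTLSCertificateFile: /etc/ldap/server.crt
olcTLSCertificateKeyFile: /etc/ldap/server.key
olcTLSDHParamFile: /etc/ldap/dhparam.pem
olcTLSProtocolMin: 3.0
olcTLSVerifyClient: allow
olcTLSCRLCheck: peer
"""

# ... and a hardened one for contrast (paths are placeholders, also constructed).
HARDENED_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCipherSuite: HIGH:!ADH:!aNULL
olcTLSCACertificateFile: /etc/ldap/ca.crt
olcTLSCACertificatePath: /etc/ldap/cacerts
olcTLSCertificateFile: /etc/ldap/server.crt
olcTLSCertificateKeyFile: /etc/ldap/server.key
olcTLSDHParamFile: /etc/ldap/dhparam.pem
olcTLSProtocolMin: 3.3
olcTLSVerifyClient: demand
olcTLSCRLCheck: peer
"""


def parse_ldif(text):
    """Collect {attribute: [values]} from one LDIF entry. Assumes no line
    folding and no base64 ('::') values, enough for hand-written fragments."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def protocol_min_label(spec):
    """Translate olcTLSProtocolMin '3.<minor>' into the protocol it requires:
    3.0 is SSL 3.0 and 3.(x+1) is TLS 1.x, as the manual page states."""
    m = re.fullmatch(r"3(?:\.(\d+))?", spec.strip())
    if not m:
        return None
    minor = int(m.group(1) or 0)
    return "SSL 3.0" if minor == 0 else f"TLS 1.{minor - 1}"


def audit(attrs, library="openssl", policy_min_minor=3):
    """Return a list of findings. policy_min_minor=3 means 'at least 3.3',
    i.e. TLS 1.2: an assumed local policy, not a manual-page requirement."""
    first = lambda name: attrs.get(name, [None])[0]
    findings = []

    # olcTLSDHParamFile may enable anonymous DH suites; the page says append !ADH.
    tokens = {t.upper() for t in (first("olcTLSCipherSuite") or "").split(":")}
    if first("olcTLSDHParamFile") and "!ADH" not in tokens:
        findings.append("olcTLSDHParamFile is set but olcTLSCipherSuite lacks !ADH; "
                        "anonymous DH suites give no peer authentication")

    # olcTLSProtocolMin: 3.(x+1) requires TLS 1.x; the directive is ignored with GnuTLS.
    spec = first("olcTLSProtocolMin")
    if library == "gnutls":
        if spec:
            findings.append("olcTLSProtocolMin is ignored with GnuTLS; "
                            "choose protocol versions in the ciphersuite spec")
    elif spec is None:
        findings.append("olcTLSProtocolMin is not set; no minimum protocol version is enforced")
    elif protocol_min_label(spec) is None:
        findings.append(f"olcTLSProtocolMin {spec!r} is not of the form 3.<minor>")
    else:
        minor = int(spec.split(".")[1]) if "." in spec else 0
        if minor < policy_min_minor:
            findings.append(f"olcTLSProtocolMin {spec} allows {protocol_min_label(spec)}; "
                            f"policy requires at least 3.{policy_min_minor}")

    # olcTLSVerifyClient: 'allow' ignores bad certificates; 'never' (the default)
    # means a TLS session cannot carry SASL EXTERNAL authentication.
    level = (first("olcTLSVerifyClient") or "never").lower()
    if level == "allow":
        findings.append("olcTLSVerifyClient allow: a bad client certificate is ignored "
                        "and the session proceeds")
    elif level == "never":
        findings.append("olcTLSVerifyClient never (default): no client certificate is "
                        "requested, so SASL EXTERNAL over TLS is unavailable")

    # olcTLSCRLCheck needs olcTLSCACertificatePath and is ignored with GnuTLS.
    crl = (first("olcTLSCRLCheck") or "none").lower()
    if crl != "none":
        if library == "gnutls":
            findings.append("olcTLSCRLCheck is ignored with GnuTLS; use olcTLSCRLFile instead")
        elif not first("olcTLSCACertificatePath"):
            findings.append(f"olcTLSCRLCheck {crl} requires olcTLSCACertificatePath to be set")
    return findings


if __name__ == "__main__":
    for name, ldif in (("weak", WEAK_LDIF), ("hardened", HARDENED_LDIF)):
        result = audit(parse_ldif(ldif))
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run against the weak fragment it reports four findings (missing !ADH alongside olcTLSDHParamFile, a minimum of SSL 3.0, the "allow" verification level, and a CRL check without olcTLSCACertificatePath); the hardened fragment reports none. Pass library="gnutls" to see the directives the page marks as ignored with GnuTLS flagged instead. File-level checks the page also asks for, such as protecting the olcTLSCertificateKeyFile from other users, are outside what an LDIF-only auditor can see.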