Путеводитель по Руководству Linux
  User  |  Syst  |  Libr  |  Device  |  Files  |  Other  |  Admin  |  Head  |


   ldap.conf    ( 5 )

файл конфигурации LDAP / переменные среды (LDAP configuration file/environment variables)
  Name  |  Synopsis  |  Description  |  Syntax  |  Options  |  Sasl options  |  Gssapi options  |    Tls(transport layer security) options    |  Environment variables  |  Files  |  See also  |

Параметры TLS (Безопасность транспортного уровня) (TLS(Transport Layer Security) options)

If OpenLDAP is built with Transport Layer Security support, there are more options you can specify. These options are used when an ldaps:// URI is selected (by default or otherwise) or when the application negotiates TLS by issuing the LDAP StartTLS operation.

TLS_CACERT <filename> Specifies the file that contains certificates for all of the Certificate Authorities the client will recognize.

TLS_CACERTDIR <path> Specifies the path of directories that contain Certificate Authority certificates in separate individual files. Multiple directories may be specified, separated by a semi-colon. The TLS_CACERT is always used before TLS_CACERTDIR.

TLS_CERT <filename> Specifies the file that contains the client certificate. This is a user-only option.

TLS_ECNAME <name> Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman ephemeral key exchange. This option is only used for OpenSSL. This option is not used with GnuTLS; the curves may be chosen in the GnuTLS ciphersuite specification.

TLS_KEY <filename> Specifies the file that contains the private key that matches the certificate stored in the TLS_CERT file. Currently, the private key must not be protected with a password, so it is of critical importance that the key file is protected carefully. This is a user-only option.

TLS_CIPHER_SUITE <cipher-suite-spec> Specifies acceptable cipher suite and preference order. <cipher-suite-spec> should be a cipher specification for the TLS library in use (OpenSSL or GnuTLS). Example:

OpenSSL: TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv2

GnuTLS: TLS_CIPHER_SUITE SECURE256:!AES-128-CBC

To check what ciphers a given spec selects in OpenSSL, use:

openssl ciphers -v <cipher-suite-spec>

With GnuTLS the available specs can be found in the manual page of gnutls-cli(1) (see the description of the option --priority).

In older versions of GnuTLS, where gnutls-cli does not support the option --priority, you can obtain the — more limited — list of ciphers by calling:

gnutls-cli -l

TLS_PROTOCOL_MIN <major>[.<minor>] Specifies minimum SSL/TLS protocol version that will be negotiated. If the server doesn't support at least that version, the SSL handshake will fail. To require TLS 1.x or higher, set this option to 3.(x+1), e.g.,

TLS_PROTOCOL_MIN 3.2

would require TLS 1.1. Specifying a minimum that is higher than that supported by the OpenLDAP implementation will result in it requiring the highest level that it does support. This parameter is ignored with GnuTLS.

TLS_RANDFILE <filename> Specifies the file to obtain random bits from when /dev/[u]random is not available. Generally set to the name of the EGD/PRNGD socket. The environment variable RANDFILE can also be used to specify the filename. This parameter is ignored with GnuTLS.

TLS_REQCERT <level> Specifies what checks to perform on server certificates in a TLS session. The <level> can be specified as one of the following keywords:

never The client will not request or check any server certificate.

allow The server certificate is requested. If a bad certificate is provided, it will be ignored and the session proceeds normally.

try The server certificate is requested. If a bad certificate is provided, the session is immediately terminated.

demand | hard These keywords are equivalent and the same as try. This is the default setting.

TLS_REQSAN <level> Specifies what checks to perform on the subjectAlternativeName (SAN) extensions in a server certificate when validating the certificate name against the specified hostname of the server. The <level> can be specified as one of the following keywords:

never The client will not check any SAN in the certificate.

allow The SAN is checked against the specified hostname. If a SAN is present but none match the specified hostname, the SANs are ignored and the usual check against the certificate DN is used. This is the default setting.

try The SAN is checked against the specified hostname. If no SAN is present in the server certificate, the usual check against the certificate DN is used. If a SAN is present but doesn't match the specified hostname, the session is immediately terminated. This setting may be preferred when a mix of certs with and without SANs are in use.

demand | hard These keywords are equivalent. The SAN is checked against the specified hostname. If no SAN is present in the server certificate, or no SANs match, the session is immediately terminated. This setting should be used when only certificates with SANs are in use.

TLS_CRLCHECK <level> Specifies if the Certificate Revocation List (CRL) of the CA should be used to verify if the server certificates have not been revoked. This requires TLS_CACERTDIR parameter to be set. This parameter is ignored with GnuTLS. <level> can be specified as one of the following keywords:

none No CRL checks are performed

peer Check the CRL of the peer certificate

all Check the CRL for a whole certificate chain

TLS_CRLFILE <filename> Specifies the file containing a Certificate Revocation List to be used to verify if the server certificates have not been revoked. This parameter is only supported with GnuTLS.