Linux Manual Guide




lloadd.conf(5)

configuration file for lloadd, the stand-alone LDAP daemon

TLS (Transport Layer Security) options

If lloadd is built with support for Transport Layer Security, there are more options you can specify.

TLSShareSlapdCTX { on | off } If set to off (the default), lloadd will use its own TLS context (which needs to be configured via cn=config unless lloadd is run as a standalone daemon). If set to on, the TLS options of slapd apply instead, since slapd's TLS context is used then.

The following options are available only when compiled as a standalone daemon. When compiled as a slapd(8) module, the cn=config equivalents need to be used if a separate TLS context for the module is needed, otherwise use the TLSShareSlapdCTX option.

TLSCipherSuite <cipher-suite-spec> Permits configuring what ciphers will be accepted and the preference order. <cipher-suite-spec> should be a cipher specification for the TLS library in use (OpenSSL, GnuTLS, or Mozilla NSS). Example:

OpenSSL: TLSCipherSuite HIGH:MEDIUM:+SSLv2

GnuTLS: TLSCipherSuite SECURE256:!AES-128-CBC

To check what ciphers a given spec selects in OpenSSL, use:

openssl ciphers -v <cipher-suite-spec>

With GnuTLS the available specs can be found in the manual page of gnutls-cli(1) (see the description of the option --priority).

In older versions of GnuTLS, where gnutls-cli does not support the option --priority, you can obtain a more limited list of ciphers by calling:

gnutls-cli -l

When using Mozilla NSS, the OpenSSL cipher suite specifications are used and translated into the format used internally by Mozilla NSS. There isn't an easy way to list the cipher suites from the command line. The authoritative list is in the source code for Mozilla NSS in the file sslinfo.c, in the structure static const SSLCipherSuiteInfo suiteInfo[].

TLSCACertificateFile <filename> Specifies the file that contains certificates for all of the Certificate Authorities that lloadd will recognize. The certificate for the CA that signed the server certificate must be included among these certificates. If the signing CA was not a top-level (root) CA, certificates for the entire sequence of CA's from the signing CA to the top-level CA should be present. Multiple certificates are simply appended to the file; the order is not significant.

TLSCACertificatePath <path> Specifies the path of a directory that contains Certificate Authority certificates in separate individual files. Usually only one of this or the TLSCACertificateFile is used. This directive is not supported when using GnuTLS.

When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key database. If <path> contains a Mozilla NSS cert/key database and CA cert files, OpenLDAP will use the cert/key database and will ignore the CA cert files.

TLSCertificateFile <filename> Specifies the file that contains the lloadd server certificate.

When using Mozilla NSS, if using a cert/key database (specified with TLSCACertificatePath), TLSCertificateFile specifies the name of the certificate to use:

TLSCertificateFile Server-Cert

If using a token other than the internal built-in token, specify the token name first, followed by a colon:

TLSCertificateFile my hardware device:Server-Cert

Use certutil -L to list the certificates by name:

certutil -d /path/to/certdbdir -L

TLSCertificateKeyFile <filename> Specifies the file that contains the lloadd server private key that matches the certificate stored in the TLSCertificateFile file. Currently, the private key must not be protected with a password, so it is of critical importance that the file itself is protected carefully: it should be owned by the user lloadd runs as and readable by nobody else.

When using Mozilla NSS, TLSCertificateKeyFile specifies the name of a file that contains the password for the key for the certificate specified with TLSCertificateFile. The modutil command can be used to turn off password protection for the cert/key database. For example, if TLSCACertificatePath specifies /etc/openldap/certdb as the location of the cert/key database, use modutil to change the password to the empty string:

modutil -dbdir /etc/openldap/certdb -changepw 'NSS Certificate DB'

You must have the old password, if any. Ignore the WARNING about the running browser. Press 'Enter' for the new password.

TLSDHParamFile <filename> This directive specifies the file that contains parameters for Diffie-Hellman ephemeral key exchange. This is required in order to use a DSA certificate on the server, or an RSA certificate missing the "key encipherment" key usage. Note that setting this option may also enable Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites. Anonymous key exchanges should generally be avoided since they provide no actual client or server authentication and provide no protection against man-in-the-middle attacks. You should append "!ADH" to your cipher suites to ensure that these suites are not used; with OpenSSL, "!aNULL" is the stricter choice, since it also excludes the anonymous ECDH (AECDH) suites that "!ADH" alone leaves selectable. When using Mozilla NSS these parameters are always generated randomly so this directive is ignored.

TLSECName <name> Specify the name of a curve to use for Elliptic curve Diffie-Hellman ephemeral key exchange. This is required to enable ECDHE algorithms in OpenSSL. This option is not used with GnuTLS; the curves may be chosen in the GnuTLS ciphersuite specification. This option is also ignored for Mozilla NSS.

TLSProtocolMin <major>[.<minor>] Specifies minimum SSL/TLS protocol version that will be negotiated. If the server doesn't support at least that version, the SSL handshake will fail. To require TLS 1.x or higher, set this option to 3.(x+1), e.g.,

TLSProtocolMin 3.2

would require TLS 1.1. Specifying a minimum that is higher than that supported by the OpenLDAP implementation will result in it requiring the highest level that it does support. This directive is ignored with GnuTLS.

TLSRandFile <filename> Specifies the file to obtain random bits from when /dev/[u]random is not available. Generally set to the name of the EGD/PRNGD socket. The environment variable RANDFILE can also be used to specify the filename. This directive is ignored with GnuTLS and Mozilla NSS.

TLSVerifyClient <level> Specifies what checks to perform on client certificates in an incoming TLS session, if any. The <level> can be specified as one of the following keywords:

never This is the default. lloadd will not ask the client for a certificate.

allow The client certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it will be ignored and the session proceeds normally.

try The client certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, the session is immediately terminated.

demand | hard | true These keywords are all equivalent, for compatibility reasons. The client certificate is requested. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated.
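As an added example (not code from OpenLDAP or this man page), the following POSIX shell script pulls the TLS directives out of a standalone lloadd.conf and runs the checks a practitioner would want before starting the daemon: that TLSProtocolMin sets a floor of at least TLS 1.2 (3.3), that the TLSCipherSuite spec selects no anonymous (Au=None) suites, that TLSVerifyClient is not set to allow or try, that the unencrypted TLSCertificateKeyFile is not readable by other users, that the key matches TLSCertificateFile, and that TLSCACertificateFile verifies the server certificate. It assumes OpenSSL as the TLS library; the embedded sample configuration, its file paths, the curve name and the script name are constructed for the example and are not from the man page.

```shell
#!/bin/sh
# Added example, not part of OpenLDAP: sanity-check the TLS directives of a
# standalone lloadd.conf before starting the daemon. Assumes OpenSSL is the
# TLS library; every path in the sample config below is illustrative.

# Value of one directive (directive names are case-insensitive).
conf_get() {
    awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# TLSProtocolMin counts in SSL record versions: 3.(x+1) is TLS 1.x.
# Succeeds only for an explicit floor of TLS 1.2 (3.3) or higher.
protocol_min_ok() {
    [ -n "$1" ] || return 1
    case "$1" in *.*) v=$1 ;; *) v=$1.0 ;; esac
    [ "${v%%.*}" -eq 3 ] 2>/dev/null && [ "${v#*.}" -ge 3 ] 2>/dev/null
}

# OpenSSL only: number of suites in a cipher spec with no peer authentication
# (Au=None); TLSDHParamFile can make these ADH suites usable unless excluded.
anon_suite_count() {
    openssl ciphers "$1" >/dev/null 2>&1 || return 1
    openssl ciphers -v "$1" | awk '/Au=None/ { n++ } END { print n + 0 }'
}

# The key in TLSCertificateKeyFile cannot be password protected, so it must
# not be readable by other users: accept mode 0400 or 0600 only.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in 400|600) return 0 ;; *) return 1 ;; esac
}

# Certificate and key must belong together; comparing public keys rather
# than RSA moduli also covers EC keys.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$c" = "$k" ]
}

# TLSCACertificateFile must carry the signing CA and any intermediates.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Constructed config fragment standing in for /etc/openldap/lloadd.conf,
# with the setting a reviewer would reject commented above its replacement.
sample_conf() {
    cat <<'EOF'
# weak: TLSCipherSuite HIGH:MEDIUM:+SSLv2   (MEDIUM admits legacy 128-bit suites, nothing excludes aNULL)
TLSCipherSuite        HIGH:!aNULL:!MD5:!RC4
# weak: TLSProtocolMin 3.1                  (floor of TLS 1.0)
TLSProtocolMin        3.3
TLSECName             prime256v1
TLSCACertificateFile  /etc/openldap/ca-chain.pem
TLSCertificateFile    /etc/openldap/lloadd.pem
TLSCertificateKeyFile /etc/openldap/lloadd-key.pem
# weak: TLSVerifyClient allow               (a bad client certificate is ignored)
TLSVerifyClient       demand
EOF
}

# Run every check against a config file; prints one line per finding.
check_conf() {
    f=$1 rc=0
    protocol_min_ok "$(conf_get "$f" TLSProtocolMin)" || { echo "FAIL: TLSProtocolMin is not at least 3.3 (TLS 1.2)"; rc=1; }
    case "$(conf_get "$f" TLSVerifyClient)" in
        allow) echo "FAIL: TLSVerifyClient allow ignores bad client certificates"; rc=1 ;;
        try)   echo "WARN: TLSVerifyClient try lets clients without a certificate through" ;;
    esac
    if command -v openssl >/dev/null 2>&1; then
        n=$(anon_suite_count "$(conf_get "$f" TLSCipherSuite)") || { echo "FAIL: TLSCipherSuite is not a valid OpenSSL spec"; n=0; rc=1; }
        [ "$n" -eq 0 ] || { echo "FAIL: TLSCipherSuite selects $n anonymous suites (add !aNULL)"; rc=1; }
    fi
    key=$(conf_get "$f" TLSCertificateKeyFile)
    cert=$(conf_get "$f" TLSCertificateFile)
    ca=$(conf_get "$f" TLSCACertificateFile)
    if [ -f "$key" ]; then
        key_perms_ok "$key" || { echo "FAIL: $key is readable by other users"; rc=1; }
        cert_matches_key "$cert" "$key" || { echo "FAIL: $cert does not match $key"; rc=1; }
        chain_ok "$ca" "$cert" || { echo "FAIL: $ca does not verify $cert"; rc=1; }
    else
        echo "SKIP: $key not present, file checks not run"
    fi
    return $rc
}

# Usage: sh check-lloadd-tls.sh [/etc/openldap/lloadd.conf]; with no
# argument the constructed sample above is checked.
if [ -n "$1" ]; then
    check_conf "$1"
else
    tmp=$(mktemp); sample_conf > "$tmp"; check_conf "$tmp"; rm -f "$tmp"
fi
```

With no argument the embedded sample passes every check except the file checks, which are skipped because its paths do not exist. The cipher check counts Au=None suites, because in OpenSSL "!aNULL" covers both anonymous DH (ADH) and anonymous ECDH (AECDH), whereas "!ADH" alone leaves the ECDH variants selectable.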

TLSCRLCheck <level> Specifies if the Certificate Revocation List (CRL) of the CA should be used to verify that the client certificates have not been revoked. This requires the TLSCACertificatePath parameter to be set. This directive is ignored with GnuTLS and Mozilla NSS. <level> can be specified as one of the following keywords:

none No CRL checks are performed

peer Check the CRL of the peer certificate

all Check the CRL for a whole certificate chain

TLSCRLFile <filename> Specifies a file containing a Certificate Revocation List to be used for verifying that certificates have not been revoked. This directive is only valid when using GnuTLS and Mozilla NSS.