LinuxQuestions.org
Old 05-26-2015, 01:47 PM   #1
YankeePride13
Member
 
Registered: Aug 2012
Distribution: Ubuntu 10.04, CentOS 6.3, Windows 7
Posts: 262

Rep: Reputation: 55
OpenLDAP disabling SSL Ciphers


I'm putting up an instance of OpenLDAP for testing purposes. One of the first things I did after I installed the system was run a security scan on the system to see what obvious holes I needed to plug. One of them was that RC4 SSL ciphers were allowed in my instance. I have been searching for how to disable SSL ciphers in OpenLDAP (my version uses cn=config style configuration) and haven't found an answer yet. Can someone shed some light? I figured I'd post this here and see if anyone came up with anything while I continue to do research on it.

While we are on the subject, what is the preferred set of Ciphers that everyone is currently using?
 
Old 05-26-2015, 02:49 PM   #2
YankeePride13
Member
 
Registered: Aug 2012
Distribution: Ubuntu 10.04, CentOS 6.3, Windows 7
Posts: 262

Original Poster
Rep: Reputation: 55
So I think I got a little closer. I know that I need to modify the olcTLSCipherSuite attribute. Here's what I have so far:

Code:
ldapmodify -D "cn=admin,dc=example,dc=com" -W -H ldapi:/// -f ./ciphers.ldif

ciphers.ldif:
Code:
dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH:MEDIUM:!ADH:!MD5:!RC4

When I run the command, I get an error saying:
Code:
modifying entry "cn=config"
ldap_modify: Insufficient access (50)

I know that the credentials are correct because I am able to do an ldap search using the same admin account and password without issue and am able to bind with it. It's the admin user, so it should have the required access. Anyone see what I am doing wrong?
 
Old 05-26-2015, 03:54 PM   #3
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,159
Blog Entries: 1

Rep: Reputation: 2021
Quote:
modifying entry "cn=config"
ldap_modify: Insufficient access (50)

I know that the credentials are correct because I am able to do an ldap search using the same admin account and password without issue and am able to bind with it. It's the admin user, so it should have the required access. Anyone see what I am doing wrong?
You need a different admin to do changes in cn=config. By default it's cn=admin,cn=config, so try this:
Code:
ldapmodify -D "cn=admin,cn=config" -W -H ldapi:/// -f ./ciphers.ldif
Most likely the password is the same for both admins.
 
Old 05-27-2015, 08:36 AM   #4
YankeePride13
Member
 
Registered: Aug 2012
Distribution: Ubuntu 10.04, CentOS 6.3, Windows 7
Posts: 262

Original Poster
Rep: Reputation: 55
Thanks! This was a big help. I had to add the cn=admin,cn=config password but once I did that, I was able to get past the insufficient access issue.

I did run into another issue, however. Apparently OpenLDAP doesn't like the OpenSSL style cipher names (i.e. HIGH:MEDIUM:!ADH:!MD5:!RC4). It only likes GnuTLS cipher names. Once I switched the olcTLSCipherSuite to GnuTLS cipher names, it worked. The only issue now is I have to find out a GnuTLS cipher list that excludes RC4 based ciphers. If I find it, I'll post it here. If anyone else knows off the top of their head, please let me know!

Thanks again!
 
Old 05-27-2015, 08:41 AM   #5
YankeePride13
Member
 
Registered: Aug 2012
Distribution: Ubuntu 10.04, CentOS 6.3, Windows 7
Posts: 262

Original Poster
Rep: Reputation: 55
Got it:

Code:
olcTLSCipherSuite: SECURE:-VERS-SSL3.0:-ARCFOUR-128
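Putting posts #3 to #5 together, here is an added example script that is not part of the thread: it writes the cn=config LDIF, applies it as cn=admin,cn=config over ldapi:///, refuses an OpenSSL-style cipher list before slapd gets a chance to reject it, and then checks that RC4 really is gone. It assumes a slapd whose TLS backend is GnuTLS (as the Debian/Ubuntu packages are built), that gnutls-bin and openssl are installed, and that ldaps listens on ldap.example.com:636; the hostname and port are placeholders, and the looks_like_openssl_syntax, priority_explicitly_removes_rc4, make_cipher_ldif, apply_cipher_suite, show_cipher_suite and verify_rc4_rejected functions are this example's own, not OpenLDAP tooling.

```shell
#!/bin/sh
# Added example (not from the thread): apply and verify olcTLSCipherSuite on a
# slapd built against GnuTLS. Assumptions: ldapi:/// is reachable locally, the
# config admin is cn=admin,cn=config (post #3), and ldaps is reachable on
# LDAPS_HOST:LDAPS_PORT for the external probe (placeholders, override via env).
set -eu

# GnuTLS priority string from post #5; override with CIPHER_SUITE=... ./script apply
CIPHER_SUITE="${CIPHER_SUITE:-SECURE:-VERS-SSL3.0:-ARCFOUR-128}"
LDAPS_HOST="${LDAPS_HOST:-ldap.example.com}"   # placeholder hostname
LDAPS_PORT="${LDAPS_PORT:-636}"

# Returns 0 when the string uses OpenSSL cipher-list keywords (HIGH, !RC4, ...),
# which a GnuTLS-backed slapd does not understand (post #4). Tokens are
# separated by ':' and may carry a leading +, - or !.
looks_like_openssl_syntax() {
    old_ifs=$IFS; IFS=:
    for tok in $1; do
        t=${tok#[+!-]}
        case "$t" in
            HIGH|MEDIUM|LOW|ADH|RC4|aNULL|eNULL|EXPORT) IFS=$old_ifs; return 0 ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# Returns 0 when the GnuTLS priority string contains an explicit ARCFOUR (RC4)
# removal and never re-enables it; 1 otherwise (no removal, or a +ARCFOUR token).
priority_explicitly_removes_rc4() {
    found_removal=1
    old_ifs=$IFS; IFS=:
    for tok in $1; do
        case "$tok" in
            -ARCFOUR*|'!ARCFOUR'*) found_removal=0 ;;
            *ARCFOUR*) IFS=$old_ifs; return 1 ;;   # RC4 explicitly enabled
        esac
    done
    IFS=$old_ifs
    return $found_removal
}

# The LDIF from post #2, with the priority string substituted.
make_cipher_ldif() {
    printf 'dn: cn=config\nchangetype: modify\nreplace: olcTLSCipherSuite\nolcTLSCipherSuite: %s\n' "$1"
}

# cn=config is owned by cn=admin,cn=config, not the data admin (post #3).
# ldapmodify reads the LDIF from stdin when no -f is given.
apply_cipher_suite() {
    if looks_like_openssl_syntax "$CIPHER_SUITE"; then
        echo "refusing: '$CIPHER_SUITE' is OpenSSL syntax; slapd+GnuTLS needs a priority string" >&2
        return 1
    fi
    make_cipher_ldif "$CIPHER_SUITE" | ldapmodify -D "cn=admin,cn=config" -W -H ldapi:///
}

# Read the attribute back from the live config database.
show_cipher_suite() {
    ldapsearch -LLL -D "cn=admin,cn=config" -W -H ldapi:/// -b cn=config -s base olcTLSCipherSuite
}

verify_rc4_rejected() {
    # 1. Resolve the priority string locally: any ARCFOUR suite listed means RC4 is still enabled.
    if gnutls-cli -l --priority "$CIPHER_SUITE" | grep -qi arcfour; then
        echo "FAIL: priority string '$CIPHER_SUITE' still enables an ARCFOUR suite" >&2
        return 1
    fi
    # 2. Offer the server only RC4; a hardened server must not negotiate it.
    #    Recent OpenSSL builds ship without RC4, so the probe may fail on the
    #    client side; only a negotiated "Cipher is RC4-..." counts as a failure.
    if openssl s_client -connect "$LDAPS_HOST:$LDAPS_PORT" -cipher RC4 </dev/null 2>/dev/null \
        | grep -q 'Cipher is RC4'; then
        echo "FAIL: $LDAPS_HOST:$LDAPS_PORT negotiated an RC4 suite" >&2
        return 1
    fi
    echo "OK: no RC4 suite negotiated on $LDAPS_HOST:$LDAPS_PORT"
}

case "${1:-}" in
    apply)  apply_cipher_suite && show_cipher_suite ;;
    verify) verify_rc4_rejected ;;
    *)      echo "usage: $0 apply|verify" >&2 ;;
esac
```

Run `./script apply` once, restart slapd, then `./script verify`; the OpenSSL probe only proves the ldaps listener, so rerun the scanner against StartTLS on 389 as well if that is what it flagged.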
 