01-Oct-2009, 06:20 PM
Cool Solutions RSS Poster
 

Configuring the LDAP TLS Required Option
01-Oct-2009 11:49 AM

This article is useful for administrators who use eDirectory as their LDAP server. Those who are new to LDAP often run into this error when they connect over the clear-text port:

ldap_bind: Confidentiality required (13)

as shown below.

http://www.novell.com/communities/fi...9/9089-1_0.jpg

This happens because the 'Require TLS for operations' configuration parameter is set on the LDAP Server object.

This parameter can be modified either through the ldapconfig utility (which is bundled with eDirectory) or through iManager.

Through 'ldapconfig':

  1. Run 'ldapconfig get' with the necessary options to check the status of those parameters.
    http://www.novell.com/communities/fi...9/9089-2_0.jpg

    Here it can be seen that the parameters 'ldapTLSRequired' (for all LDAP operations) and 'Require TLS for Simple Binds with Password' (for LDAP simple binds alone) are set to yes. These are the default values and are the recommended values from a security standpoint.
    For testing purposes, if LDAP operations need to proceed over the clear-text channel, these options need to be unset as follows.
  2. Unset the 'ldapTLSRequired' option and the 'Require TLS for Simple Binds with Password' option.
    http://www.novell.com/communities/fi...9/9089-3_0.jpg

  3. Now run the 'ldapconfig get' again to verify that these options are properly unset.
    http://www.novell.com/communities/fi...9/9089-4_0.jpg

    Note that the parameters 'ldapTLSRequired' (for all the ldap operations) and 'Require TLS for Simple Binds with Password' (for ldap simple binds alone) are set to 'NO' now.
  4. LDAP operations over the clear-text layer can now proceed.
    http://www.novell.com/communities/fi...9/9089-5_0.jpg


Through iManager:

The same settings can be configured through iManager as follows:

  1. Log in to the tree through iManager.
  2. Go to the Directory administration tab and then to the modify object tab.
  3. Select the LDAP Server object through the object browser and click ok.
    http://www.novell.com/communities/fi...9/9089-6_0.jpg

  4. Now it can be seen that the 'Require TLS for all operations' check box is checked.
    http://www.novell.com/communities/fi...9/9089-7_0.jpg

  5. Un-check that check box and click 'ok'.
    http://www.novell.com/communities/fi...9/9089-8_0.jpg

  6. Again go back to the Directory Administration->Modify Object tab and select the LDAP group object through the object browser and click 'OK'.
    http://www.novell.com/communities/fi...9/9089-9_0.jpg

  7. You can see that “Require TLS for Simple Binds with Password” option is enabled.
    http://www.novell.com/communities/fi.../9089-10_0.jpg

  8. Un-check that and click Apply/OK.
    http://www.novell.com/communities/fi.../9089-11_0.jpg

  9. Now ldap operations over the clear text layer can proceed.
    http://www.novell.com/communities/fi.../9089-12_0.jpg
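
Once testing is finished and both options are set back to yes, the clear-text port should again answer a simple bind with result code 13. The Python check below is an added example, not part of the original article: it sends one LDAPv3 simple bind over the clear-text port and reports whether the server refused it. The default port 389, the function names and the constructed sample response are assumptions; use a throwaway password, since it crosses the wire unencrypted.

```python
import socket

# LDAP result codes from RFC 4511; 13 is the error shown in the article.
RESULT_NAMES = {0: "success", 13: "confidentialityRequired", 49: "invalidCredentials"}
# Constructed sample: BindResponse, messageID 1, resultCode 13, empty matchedDN/diagnostic.
SAMPLE_REFUSED = bytes.fromhex("300c02010161070a010d04000400")

def tlv(tag, value):
    """Encode one BER element with a definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(octets)]) + octets + value

def read_tlv(buf, pos):
    """Decode one BER element at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def simple_bind_request(dn, password, msg_id=1):
    """Build an LDAPv3 simple BindRequest (protocolOp tag 0x60)."""
    op = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))

def bind_result(response):
    """Return (code, name, diagnostic) from a BindResponse (protocolOp tag 0x61)."""
    _, msg, _ = read_tlv(response, 0)
    _, _, pos = read_tlv(msg, 0)            # skip messageID
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(op, 0)          # resultCode (ENUMERATED)
    _, _, pos = read_tlv(op, pos)           # skip matchedDN
    _, diag, _ = read_tlv(op, pos)          # diagnosticMessage
    code = int.from_bytes(code, "big")
    return code, RESULT_NAMES.get(code, "other"), diag.decode(errors="replace")

def cleartext_bind_refused(host, dn, password, port=389):
    """Send one simple bind over the clear-text port; True means TLS is enforced."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(simple_bind_request(dn, password))
        return bind_result(s.recv(4096))[0] == 13
```

Any result other than 13, for example 49 (invalidCredentials), means the server evaluated the bind over clear text and the TLS requirement is not in force.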