Configuring the LDAP TLS Required Option



By: palaniappan1

October 1, 2009 11:49 am


This article is useful for administrators who use eDirectory as their LDAP server. Those who are new to LDAP frequently hit the following error when they connect over the clear-text port:

ldap_bind: Confidentiality required (13)

The cause is that the ‘Require TLS for operations’ configuration parameter on the LDAP Server object is set.

This parameter can be modified either through the ldapconfig utility (bundled with eDirectory) or through iManager.

Through ‘ldapconfig’:

  1. Run ‘ldapconfig get’ with the necessary options to check the status of these parameters.

    In the output, the parameters ‘ldapTLSRequired’ (for all LDAP operations) and ‘Require TLS for Simple Binds with Password’ (for LDAP simple binds alone) are set to yes. These are the default values, and they are the recommended values from a security standpoint.

    For testing purposes, if LDAP operations need to proceed over the clear-text channel, these options need to be unset as follows.

  2. Unset the ‘ldapTLSRequired’ option and the ‘Require TLS for Simple Binds with Password’ option.

  3. Run ‘ldapconfig get’ again to verify that these options are properly unset.

    The parameters ‘ldapTLSRequired’ (for all LDAP operations) and ‘Require TLS for Simple Binds with Password’ (for LDAP simple binds alone) now show ‘NO’.

  4. LDAP operations over the clear-text channel can now proceed.

Through iManager:

The same thing can be configured through iManager as follows:

  1. Log in to the tree through iManager.
  2. Go to the Directory Administration tab and then to the Modify Object tab.
  3. Select the LDAP Server object through the object browser and click OK.

  4. The ‘Require TLS for all operations’ check box is checked.

  5. Un-check that check box and click ‘OK’.

  6. Go back to the Directory Administration->Modify Object tab, select the LDAP Group object through the object browser and click ‘OK’.

  7. The “Require TLS for Simple Binds with Password” option is enabled.

  8. Un-check that and click Apply/OK.

  9. LDAP operations over the clear-text channel can now proceed.
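Once the options have been relaxed for a test, an administrator wants a quick way to confirm afterwards that the server is back to refusing clear-text simple binds. The following POSIX shell script is an added example, not from the article or from NetIQ; it assumes the OpenLDAP client tools (ldapsearch) are installed, and the host names, bind DN and password are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the article): confirm that an eDirectory LDAP
# server refuses clear-text simple binds on the unencrypted port 389.

# Classify the text that `ldapsearch -x` printed for a clear-text bind.
#   tls-enforced    server answered "Confidentiality required (13)": the
#                   Require-TLS options are set, the password never left the host
#   cleartext-bind  server processed the simple bind without TLS (success or
#                   "Invalid credentials (49)"): the password crossed the wire
#   unreachable     no LDAP answer at all (port closed, wrong host, firewall)
#   unknown         anything else; inspect the output by hand
classify_bind_result() {
  case "$1" in
    *"Confidentiality required (13)"*)                   echo tls-enforced ;;
    *"Can't contact LDAP server"*)                       echo unreachable ;;
    *"result: 0 Success"*|*"Invalid credentials (49)"*)  echo cleartext-bind ;;
    *)                                                   echo unknown ;;
  esac
}

# Attempt a simple bind and a root DSE base search over ldap:// (no StartTLS)
# and classify the outcome. Assumes the OpenLDAP client tools are installed;
# host, bind DN and password are placeholders supplied by the caller.
probe_cleartext_bind() {
  host=$1; dn=$2; pw=$3
  # "|| true" keeps a refused bind (non-zero exit) from aborting under set -e
  out=$(ldapsearch -x -H "ldap://$host:389" -D "$dn" -w "$pw" -b "" -s base 2>&1 || true)
  classify_bind_result "$out"
}

# Check a list of servers and return non-zero if any still accepts
# clear-text binds, so the script can run from cron or a CI job.
audit_servers() {
  dn=$1; pw=$2; shift 2
  rc=0
  for h in "$@"; do
    r=$(probe_cleartext_bind "$h" "$dn" "$pw")
    echo "$h: $r"
    [ "$r" = cleartext-bind ] && rc=1
  done
  return $rc
}

# Usage (placeholders):
#   audit_servers "cn=admin,o=example" "$LDAP_PW" ldap1.example.test ldap2.example.test
```

A result of cleartext-bind on a production server means the test-time change was never reverted and simple-bind passwords are travelling unencrypted.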


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

1 Comment

  1. By:jimgoodall

    Whilst this is fine for troubleshooting / debug, I’d suggest you would not want to do this in a live environment as passwords are passed in clear text over the wire, and are easily readable using a tool such as Wireshark.

    I would suggest in a live environment, certificates should be set up correctly and binds made securely on port 636.

    TID 7002343 is a good starting place ;)

    Cheers

    Jim
