
I am trying to set up my OpenLDAP to use only TLSv1.2 and better, and I am trying it with this ldif:

dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: HIGH

dn: cn=config
changetype: modify
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3

But when I try to import it I get the following:

# ldapmodify -vvv -Y EXTERNAL -H ldapi:/// -f ./tls-only.ldif
ldap_initialize( ldapi:///??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
add olcTLSCipherSuite:
    HIGH
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80) 

I don't get it and can't find a solution.

PS: I already successfully imported the TLS Certs...


1 Answer


First, you are trying to modify two components, so add a connecting character "-":

dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: HIGH
-
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3

Secondly, if you face some issue with olcTLSCipherSuite, try the following value for enabling TLS 1.2 only:

SECURE256:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC:-SHA1
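The two points in the answer, the "-" separator and the library-specific cipher string, are worth putting together into one script. The example below is added here and is not code from the question or the answer. It assumes slapd is in PATH, that ldapmodify can reach the ldapi:/// socket as root, that the server also listens on ldaps://:636, and that openssl s_client is available; the function names, the /tmp/tls-only.ldif path and the OpenSSL cipher list "HIGH:!aNULL:!eNULL:!MD5:!RC4" are choices made for this example. The one fact it relies on beyond the page: slapd built against GnuTLS (the Debian and Ubuntu packages) takes a GnuTLS priority string in olcTLSCipherSuite and rejects OpenSSL cipher-list names such as HIGH, which is a common reason the first form of this change fails with error 80. The script therefore reads `ldd slapd` to decide which syntax to emit, uses `replace:` rather than `add:` so it can be re-applied, and encodes olcTLSProtocolMin from the TLS version name (3.3 is TLS 1.2).

```shell
#!/bin/sh
# Added example (not from the question or answer above): build, apply and
# verify a TLS-1.2-only cn=config change for OpenLDAP.
# Assumptions: slapd in PATH, ldapi:/// reachable as root, ldaps:// on 636,
# openssl s_client available. The string-handling functions run offline.

# olcTLSProtocolMin takes SSL/TLS record-layer version numbers:
# 3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2, 3.4 = TLS 1.3.
protocol_min_code() {
    case "$1" in
        1.0) echo 3.1 ;;
        1.1) echo 3.2 ;;
        1.2) echo 3.3 ;;
        1.3) echo 3.4 ;;
        *)   echo "unsupported TLS version: $1" >&2; return 1 ;;
    esac
}

# Decide which TLS library slapd links against from ldd output.
# The olcTLSCipherSuite syntax depends on it: OpenSSL cipher list
# vs. GnuTLS priority string.
tls_lib_from_ldd() {
    if printf '%s\n' "$1" | grep -q 'libgnutls'; then
        echo gnutls
    elif printf '%s\n' "$1" | grep -q 'libssl'; then
        echo openssl
    else
        echo unknown
        return 1
    fi
}

# Cipher string for the library. The GnuTLS value is the priority string
# from the answer; the OpenSSL value is an assumed HIGH list with the
# anonymous, NULL, MD5 and RC4 suites removed.
cipher_string_for() {
    case "$1" in
        gnutls)  echo 'SECURE256:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC:-SHA1' ;;
        openssl) echo 'HIGH:!aNULL:!eNULL:!MD5:!RC4' ;;
        *)       echo "unknown TLS library: $1" >&2; return 1 ;;
    esac
}

# Emit one LDIF change record for cn=config. Two modifications of the same
# entry are separated by a line containing only "-"; "replace" is used
# instead of "add" so the record can be re-applied when the attribute exists.
build_tls_ldif() {
    lib="$1"; ver="$2"
    cipher=$(cipher_string_for "$lib") || return 1
    code=$(protocol_min_code "$ver") || return 1
    printf 'dn: cn=config\nchangetype: modify\nreplace: olcTLSCipherSuite\nolcTLSCipherSuite: %s\n-\nreplace: olcTLSProtocolMin\nolcTLSProtocolMin: %s\n' "$cipher" "$code"
}

# Apply the change over ldapi:///, then check that the server refuses a
# TLS 1.1 handshake and accepts a TLS 1.2 one on the ldaps port.
apply_and_verify() {
    host="${1:-localhost}"
    lib=$(tls_lib_from_ldd "$(ldd "$(command -v slapd)")") || return 1
    build_tls_ldif "$lib" 1.2 > /tmp/tls-only.ldif || return 1
    ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/tls-only.ldif || return 1
    if openssl s_client -connect "$host:636" -tls1_1 </dev/null >/dev/null 2>&1; then
        echo "TLS 1.1 still accepted by $host:636" >&2
        return 1
    fi
    openssl s_client -connect "$host:636" -tls1_2 </dev/null >/dev/null 2>&1 \
        || { echo "TLS 1.2 handshake to $host:636 failed" >&2; return 1; }
    echo "TLS 1.2-only policy active on $host:636"
}
```

Run `apply_and_verify ldap.example.org` as root on the server. One caveat on the verification step: a client OpenSSL built with a high default security level may refuse to offer TLS 1.1 itself, so the `-tls1_1` failure can come from the client rather than the server; if in doubt, check slapd's log for the rejected handshake, or run the negative test from a host whose openssl still speaks TLS 1.1.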