mail us  |  mail this page

contact us
training  | 
tech stuff  | 

Chapter 6. OpenLDAP ldap.conf

The ldap.conf configuration file contains information and configuration directives used by OpenLDAP clients including where appropriate OpenLDAP utilities and is read and used by slapd when operating in client-mode, such as when acting as a consumer in a master-slave or multi-master replication configuration, the provider function in these configurations uses the values defined in cn=config (slapd.conf).

Note: Incomplete list covers only those parameters used by olcSyncrepl/syncrepl.

TLS Directives

Which TLS Client directives are used depends upon whether the TLS Client will send an X.509 certificate and validate a TLS Server certificate in which case most of the directives are required - or only validate a TLS Server certificate in which case only the TLS_CACERT and optionally the TLS_CIPHER_SUITE directives are required. The required directives used when sending a client certificate are indicated by the keyword MUTUAL (since the server will always send a certificate) and if the client only needs to validate a server certificate CLIENT.


TLS_CACERT /path/to/file.ext

CLIENT+MUTUAL. Defines the file containing the Certicate Authority (CA) certificate (a.k.a the root certificate) and allows the client to valdate the LDAP Server certificate. This file is required if either a self-signed or a commercial certicate is being used and the root certicate must be obtained from the X.509 certificate supplier or, if self-signed, copied from an appropriate location. This file is normally in PEM (Privacy enhanced Mail) format (and typically has a .pem suffix/extension or , if obtained from an MSIE browser installation, have a .cer suffix/extension). If the operational X.509 certificate (defined in TLSCertificateFile) is signed by intermediate authorities then all these certificates must be present within this PEM format file. PEM is a text format and multiple certificates can be edited into the same file in any order - see PEM format notes and samples. OpenLDAP self-signed certificate configuration examples. This file contains no sensitive information (an X.509 certificate contains only a public key).

Up Arrow


TLS_CACERTDIR /path/to/directory

CLIENT+MUTUAL. Defines the path to a Trusted Keystore managed either by Mozilla's NSS or OpenSSL. Unnecessary if TLS_CACERT defined, but if both are present TLS_CACERT is tried first.

Up Arrow


TLS_CERT /path/to/file.ext

MUTUAL. Defines the path to an X.509 certificate file that will be sent to the server in a mutual authetication exchange. Typically in PEM format (with .pem or .cer suffix/extension). This file contains no sensitive information (an X.509 certificate contains only a public key).

Up Arrow


TLS_CIPHER_SUITE cipher-list

CLIENT+MUTUAL. This is an optional directive and defaults to the value ALL (equivalent of openssl ciphers -v ALL). Defines one or more cipher suites to be used during the TLS handshake negotiation. During this negotiation the TLS Client offers a list of cipher suites and the TLS server will accept the first cipher suite defined in its list that matches one from the client. The term cipher-list used in this directive description defines a list (in OpenSSL format) that will be converted by OpenSSL libraries to a list of cipher suites in TLS/SSL format. More information about the cipher-list format may be obtained from the OpenSSL ciphers documentation. OpenLDAP self-signed certificate configuration examples.

The list of acceptable cipher-suites (and hence the cipher-list) is determined by the format of the public key contained within the X.509 certificate defined by the TLS_CERT directive if the TLS Client will send a certificate or will be obtained from the TLS Servers certificate if only Server certificate validation is to be performed or by both if mutual cerrtificate exchange takes place. Thus if the certificate(s) contain an RSA public key then only RSA public key cipher suites can be used for the key-exchange/authentication parts of the TLS handshake. If the incoming TLS Server certificate public-key encryption algorithm is unknown then ALL should be used (see commands below). Individual items in the cipher-list are separated by a colon (:), comma or space. The following is a subset of RSA TLSv1 names that could appear in a cipher-list and their equivalent TLS cipher suite text values (they are converted to hex values when sent on the wire). Note: The word EXPORT (or EXP) that appears in some of the following names refers to export strength ciphers, that is, some ciphers are only permitted in certain countries (see US Dept of Commerce Bureau of Industry and Security(BIS) and the Wassenaar Arrangement) and should be considered when configuring TLS systems that will be used internationally.

==============================          ===================
TLS_RSA_WITH_NULL_MD5                   NULL-MD5
TLS_RSA_WITH_NULL_SHA                   NULL-SHA
TLS_RSA_WITH_RC4_128_MD5                RC4-MD5
TLS_RSA_WITH_RC4_128_SHA                RC4-SHA
TLS_RSA_WITH_AES_128_CBC_SHA            AES128-SHA
TLS_RSA_WITH_AES_256_CBC_SHA            AES256-SHA

To list the cipher-list values supported by the local OpenSSL installation use:

# ALL valid ciphers 
openssl ciphers -v ALL

# ALL valid ciphers for TLSv1 only
openssl ciphers -v -tls1 ALL

# valid ciphers for TLSv1 only that use RSA
# key exchange/authentication algorithm
openssl ciphers -v -tls1 RSA

# valid ciphers for TLSv1 only that use RSA
# key exchange/authentication algorithm
# exclude export strength ciphers
openssl ciphers -v -tls1 RSA:!EXP
# NOTE: on certain shells you need to escape !
openssl ciphers -v -tls1 RSA:\!EXP

# as above but also exclude NULL suites
openssl ciphers -v -tls1 RSA:!EXP:!NULL
# NOTE: on certain shells you need to escape !
openssl ciphers -v -tls1 RSA:\!EXP:\!NULL

# valid ciphers for TLSv1 only that use RSA
# key exchange/authentication algorithm
# only export strength ciphers
openssl ciphers -v -tls1 RSA:EXP
# OR
openssl ciphers -v TLSv1+RSA:EXP

When used with TLS_CIPHER_SUITE either the generic parameters, for example RSA, shown with the openssl ciphers command above can be used (in which case the order of preference is defined by openssl) or an explicit list of ciphers can be defined in order of preference. One or more of the supported items in the cipher-list must be supported by the TLS Server. The cipher suite matching algorithm (which cipher suite is selected) is the first (highest preference) cipher suite provided by the client which is also supported by the server becomes the negotiated (session) cipher suite. The following examples use the TLSv1 (SSLv3) subset only:

# Cipher-list contains only RSA based
# authentication and key-exchange suites 
# supported by TLSv1 (and SSLv3)

# Cipher-list contains only RSA based
# authentication and key-exchange suites 
# supported by TLSv1 (and SSLv3)
# excludes EXPORT and NULL suites

# Ordered list of RSA based
# authentication and key-exchange suites

# All ciphers excluding NULL

# Default equivalent value if not defined

Note: OpenSSL supports a number of cipher suites which will result in a NULL bulk data cipher and MAC. This means that while authentication is performed securely all data is subsequently sent in the clear. To prevent this from occurring either use the !NULL value in the cipher-list or define an explicit list that excludes NULL ciphers.

Up Arrow


TLS_CRLCHECK none|peer|all

CLIENT+MUTUAL. Only relevant if OpenLDAP built with OpenSSl's CRL processing option. May take the value none (default - no CRL checking), peer (only the peer certificate is checked) or all (the whole certificate chain is checked).

Up Arrow


TLS_CRLFILE /path/to/crl/file.ext

CLIENT+MUTUAL. Only relevant if OpenLDAP built with GNU utils. Defines the path to a Certificate Revokation List (CRL).

Up Arrow


TLS_CRLKEY /path/to/key/file.ext

MUTUAL. Only relevant if the client sends a certificate to the peer in a mutual authentication sequence - it must be present if TLS_CERT is present. It defines the path to a file containing the private key associate with the certficate defined in TLS_CERT. May be in PEM (typically .pem or .key). When used with OpenSSL this file must NOT be password protected (key file are typically password protected due to the nature of their content). To remove the password, use a command similar to that shown:

# PEM format files 
# password is requested to perform key removal
# copy file2.key to OpenLAP server location 
# with minimal permssions
openssl rsa -in [file1.key] -out [file2.key]

Note: A password-less key file is extremely dangerous - if knowningly read the certificate is compromised. It should be secured with minimal access permissions on the server (0640 for user/group that runs slapd).

Up Arrow


TLS_REQCERT never|allow|try|demand|hard

CLIENT+MUTUAL. Optional, if omitted it defaults to demand. Indicates how the client handles receipt (or not) of the server's certificate. May be never (client will not request a server certificate but if received will ignore and continue connection), allow (client wiil request a certificate but connection will continue if none received and will ignore any certificate validation failure), try (client will request a certicate but connection will continue if none received but will terminate cconnection if there is a certificate validation failure), demand (client will request a certicate but connection will be terminated if none received or there is a certificate validation failure) or hard (synonym for demand).

Up Arrow

Problems, comments, suggestions, corrections (including broken links) or something to add? Please take the time from a busy life to 'mail us' (at top of screen), the webmaster (below) or info-support at zytrax. You will have a warm inner glow for the rest of the day.


tech info
guides home
1 objectives
big picture
2 concepts
3 ldap objects
4 install ldap
5 samples
6 configuration
7 replica & refer
8 ldif
9 protocol
10 ldap api
11 howtos
12 trouble
13 performance
14 ldap tools
15 security
notes & info
ldap resources
rfc's & x.500
ldap objects
change log

Creative Commons License
This work is licensed under a Creative Commons License.

If you are happy it's OK - but your browser is giving a less than optimal experience on our site. You could, at no charge, upgrade to a W3C STANDARDS COMPLIANT browser such as Firefox




Icons made by Icomoon from is licensed by CC 3.0 BY
share page via facebook tweet this page


email us Send to a friend feature print this page Display full width page Decrease font size Increase font size



Debian Linux


GNU-Free SW Foundation


Open Source Initiative
Creative Commons


Ibiblio - Library
Open Book Project
Open Directory


CSS Technology SPF Record Conformant Domain
Copyright © 1994 - 2018 ZyTrax, Inc.
All rights reserved. Legal and Privacy
site by zytrax
Hosted by
web-master at zytrax
Page modified: April 18 2018.