#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

ssl start_tls
TLS_REQCERT never

# The following provides modern TLS configuration that guarantees forward-
# secrecy and efficiency. This configuration drops support for old operating
# systems (Windows Server 2008 R2 and earlier).
# To add support for Windows Server 2008 R2 set TLS_PROTOCOL_MIN to 3.1 and
# add these ciphers to TLS_CIPHER_SUITE:
#     ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:
#     ECDHE-RSA-AES128-SHA

# TLS_PROTOCOL_MIN: 3.1 for TLSv1.0, 3.2 for TLSv1.1, 3.3 for TLSv1.2.
TLS_PROTOCOL_MIN 3.3
TLS_CIPHER_SUITE ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

#TLS_CACERT absolute path to trusted certificate of LDAP server. For example /opt/splunk/etc/openldap/certs/mycertificate.pem
#TLS_CACERTDIR absolute path to directory that contains trusted certificates of LDAP server. For example /opt/splunk/etc/openldap/certs