[clug] LDAP over SSL/TLS not working

Jade Barton jade.barton at gmail.com
Sun Oct 2 23:47:55 GMT 2005


Kim,
Yep, that worked, thanks. /etc/ldap.conf & /etc/openldap/ldap.conf
(hard linked):
URI ldap://mustafa.gredil.net/
BASE dc=gredil,dc=net
ssl start_tls
TLS_REQCERT never

Jade

On 03/10/05, Kim Holburn <kim.holburn at anu.edu.au> wrote:
> Can you try putting both lines in both files?  If that works make
> them a hard link.
>
> On 2005 Oct 03 at 9:01 AM, Jade Barton wrote:
> > On 03/10/05, Tomasz Ciolek <tmc at dreamcraft.com.au> wrote:
> >
> >> Jade
> >>
> >> Are you sure that both .conf files are used? If so, would it not be
> >> simpler to move everything into the one file?
> >>
> >
> > I agree completely.  I'm still not sure why there are two files.  If I
> > take the "ssl start_tls" out of /etc/ldap.conf and put it in
> > /etc/openldap/ldap.conf it fails.  And if I take the "TLS_REQCERT
> > never" out of /etc/openldap/ldap.conf and put it in /etc/ldap.conf it
> > also fails??  The documentation that Kim referred me to only mentions
> > the /etc/openldap/ldap.conf file but my system definitely fails if I
> > try to move all the data out of the other file.
> >
> >
> >>
> >> On Mon, Oct 03, 2005 at 12:20:16AM +1000, Jade Barton wrote:
> >>
> >>> add it to.  The system added "ssl start_tls" to the /etc/ldap.conf
> >>> file but the "TLS_REQCERT never" had to be added to
> >>> /etc/openldap/ldap.conf file (??).  I'll have to read more on distro
> >>> specifics as the O'Reilly book mentions nothing of this.  "never" was
> >>> the only option that worked too.
> >>>
> >>
> >> Ahh, the CA configs for SSL certs.
> >>
> >> I have a wholly working Certificate Authority setup for my OpenSSL.
> >>
> >> The big one with that is that you have to generate and self-sign a CA
> >> certificate. That certificate MAY have its key encrypted.
> >>
> >> The second step is to generate keys and certificate signing requests
> >> for each system that uses those and then sign them with your CA cert.
> >>
> >> Is that what you did?
> >>
> >
> > That's what I think I did, which often differs from what I actually
> > did ;)  Here are some of the commands I ran.
> >
> > cd /data/myca
> > /usr/share/ssl/misc/CA.pl -newca
> > openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
> > <entered all the details for my new key/cert here>
> > /usr/share/ssl/misc/CA.pl -sign
> > <I then selected the key I wanted to sign, the only one in the
> > directory and followed the prompts>
> >
> > I then moved all three files into a separate folder and pointed
> > slapd.conf at it.  I also put the cert on all the clients and pointed
> > ldap.conf to that (TLS_CERT).  I also tried putting the "cacert.pem"
> > file on the client and pointing TLS_CACERT at it with no joy.
> >
> > As I said earlier the O'Reilly book I was working out of implies this
> > is not required but I got the instructions from
> > http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#4.0
> >
> >
> >>
> >> Tomasz
> >>
> >> --
> >> Tomasz M. Ciolek
> >> *******************************************************************************
> >>  tmc at dreamcraft dot com dot au
> >> *******************************************************************************
> >>    GPG Key ID:          0x41C4C2F0
> >>    GPG Key Fingerprint: 3883 B308 8256 2246 D3ED  A1FF 3A1D 0EAD 41C4 C2F0
> >>    Key available on www.pgp.net
> >> *******************************************************************************
> >>
> >>
> > --
> > linux mailing list
> > linux at lists.samba.org
> > https://lists.samba.org/mailman/listinfo/linux
> >
>
> --
> Kim Holburn
> Network and Security Manager, National ICT Australia Ltd.
> Ph: +61 2 61258620 M: +61 417820641  F: +61 2 6230 6121 aim://kimholburn
> Email: kim.holburn at nicta.com.au  - PGP Public Key on request
> callto://kholburn
> Cacert Root Cert: http://www.cacert.org/cacert.crt
> Aust. Spam Act: To stop receiving mail from me: reply and let me know.
>
> Use ISO 8601 dates [YYYY-MM-DD] http://www.saqqara.demon.co.uk/datefmt.htm
> Democracy imposed from without is the severest form of tyranny.
>                            -- Lloyd Biggle, Jr. Analog, Apr 1961
>
>
>

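Editor's note with a worked example (added here; none of this code is from the thread). The two-file behaviour Jade hit is expected rather than a distro quirk: "ssl start_tls" is a directive of the PADL nss_ldap/pam_ldap library, which reads /etc/ldap.conf, while TLS_REQCERT and TLS_CACERT belong to OpenLDAP's libldap, which reads /etc/openldap/ldap.conf. Each library ignores the other's keywords, which is why the hard link works. The security point is that "TLS_REQCERT never" makes libldap skip server certificate verification entirely: STARTTLS still encrypts the session, but any host that can answer for mustafa.gredil.net is accepted. The reason only "never" worked is visible in the steps above: the client was pointed at the server certificate via TLS_CERT (that option names the client's own certificate, for client authentication) rather than at the CA certificate via TLS_CACERT. The script below builds the CA and server certificate the thread describes with openssl, shows what a client with "TLS_REQCERT demand" actually checks (chain to the CA plus host name), shows that a certificate for the same name from another issuer is rejected, and writes the weak and the corrected client config side by side. Assumed: openssl 1.1.1 or later on PATH, a scratch directory in $WORK, and the host name from the thread; the nss_ldap side has matching "tls_checkpeer yes" / "tls_cacertfile" directives, not shown here.

```shell
#!/bin/sh
# Added example (editor's, not from the thread).  Builds the CA and server
# certificate the thread describes, then shows what a client configured with
# TLS_REQCERT demand + TLS_CACERT enforces and what TLS_REQCERT never skips.
# Assumptions: openssl >= 1.1.1 on PATH; mustafa.gredil.net is the host name
# from the thread; all files go under $WORK (a fresh temp dir by default).

WORK="${WORK:-$(mktemp -d)}"
LDAP_HOST="mustafa.gredil.net"

# Step 1 (what CA.pl -newca does): a self-signed CA.  The key is left
# unencrypted so the script runs unattended; encrypt it for a real CA.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=gredil.net example CA" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# Step 2 (what CA.pl -sign does): server key + CSR, signed by the CA, with a
# subjectAltName so the host name in the URI can be matched against the cert.
make_server_cert() {   # $1 = server host name
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/serverkey.pem" -out "$WORK/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$1" \
        > "$WORK/server.ext"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 \
        -extfile "$WORK/server.ext" -out "$WORK/servercert.pem" 2>/dev/null
}

# A certificate for the same host name from a different issuer (self-signed):
# what an impostor on the network could present to the client.
make_rogue_cert() {   # $1 = server host name
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
        -addext "subjectAltName=DNS:$1" \
        -keyout "$WORK/roguekey.pem" -out "$WORK/roguecert.pem" 2>/dev/null
}

# The check libldap performs under TLS_REQCERT demand: the certificate must
# chain to TLS_CACERT and carry the expected host name.  Under
# TLS_REQCERT never this check is skipped, so both certs below would pass.
verify_like_demand() {   # $1 = cert file, $2 = expected host name
    openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$2" "$1" \
        >/dev/null 2>&1
}

# Client configs: the thread's version (weak) and the corrected version.
# TLS_CACERT points at the CA certificate (cacert.pem), never at the server
# certificate; TLS_CERT is the client's own cert and establishes no trust.
write_client_conf() {
    cat > "$WORK/ldap.conf.weak" <<EOF
URI ldap://$LDAP_HOST/
BASE dc=gredil,dc=net
ssl start_tls
TLS_REQCERT never
EOF
    cat > "$WORK/ldap.conf" <<EOF
URI ldap://$LDAP_HOST/
BASE dc=gredil,dc=net
ssl start_tls
TLS_CACERT $WORK/cacert.pem
TLS_REQCERT demand
EOF
}

run_demo() {
    make_ca
    make_server_cert "$LDAP_HOST"
    make_rogue_cert "$LDAP_HOST"
    write_client_conf
    if verify_like_demand "$WORK/servercert.pem" "$LDAP_HOST"; then
        echo "genuine cert: accepted under TLS_REQCERT demand"
    else
        echo "genuine cert: rejected (CA or host name mismatch)"
    fi
    if verify_like_demand "$WORK/roguecert.pem" "$LDAP_HOST"; then
        echo "rogue cert: accepted (should not happen)"
    else
        echo "rogue cert: rejected under demand (never would accept it)"
    fi
    echo "client config written to $WORK/ldap.conf"
}

run_demo
```

Run it with sh, then point TLS_CACERT at the generated cacert.pem on each client and slapd at serverkey.pem/servercert.pem (TLSCertificateKeyFile/TLSCertificateFile); if "demand" then fails, the cause is one of the two things the verify step checks, a certificate not issued by that CA or a host name in the URI that the certificate does not carry, and the fix is on the certificate side, not a weaker TLS_REQCERT.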
