[clug] LDAP over SSL/TLS not working
Jade Barton
jade.barton at gmail.com
Sun Oct 2 23:01:41 GMT 2005
On 03/10/05, Tomasz Ciolek <tmc at dreamcraft.com.au> wrote:
> Jade
>
> Are you sure that both .conf files are used? If so, woudl it not be
> simpler to move everyhting into the one fle?
I agree completely. I'm still not sure why there are two files. If I
take the "ssl start_tls" out of /etc/ldap.conf and put it in
/etc/openldap/ldap.conf it fails. And if I take the "TLS_REQCERT
never" out of /etc/openldap/ldap.conf and put it in /etc/ldap.conf it
also fails?? The documentation that Kim referred me to only mentions
the /etc/openldap/ldap.conf file but my system definately fails if I
try to move all the data out of the other file.
>
> On Mon, Oct 03, 2005 at 12:20:16AM +1000, Jade Barton wrote:
> > add it to. The system added "ssl start_tls" to the /etc/ldap.conf
> > file but the "TLS_REQCERT never" had to be added to
> > /etc/openldap/ldap.conf file (??). I'll have to read more on distro's
> > specifics as the O'Reilly book mentions nothing of this. "never" was
> > the only option that worked too.
>
> Ahh the CA configs for SSL certs
>
> I have a wholly working Certificate Auhtority setup for my OpenSSL
>
> The Big one with that is that you have to generate and self sign a CA
> certificate. That ertificate MAY have it's key encrypted.
>
> The second step is to generate keys and certificate signing requests for
> each system that uses those and then sign them with you CA cert.
>
> Is that what you did?
That's what I think I did, which often differs from what I actually
did ;) Here are some of the commands I ran.
cd /data/myca
/usr/share/ssl/misc/CA.pl -newca
openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
<entered all the details for my new key/cert here>
/usr/share/ssl/misc/CA.pl -sign
<I then selected the key I wanted to sign, the only one in the
directory and followed the prompts>
I then moved all three files into a seperate folder and pointed
slapd.conf at it. I also put the cert on all the clients and pointed
ldap.conf to that (TLS_CERT). I also tried putting the "cacert.pem"
file on the client and pointing TLS_CACERT at it with no joy.
As I said earlier the O'Reilly book I was working out of implies this
is not required but I got the instructions from
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#4.0
>
> Tomasz
>
> --
> Tomasz M. Ciolek
> *******************************************************************************
> tmc at dreamcraft dot com dot au
> *******************************************************************************
> GPG Key ID: 0x41C4C2F0
> GPG Key Fingerprint: 3883 B308 8256 2246 D3ED A1FF 3A1D 0EAD 41C4 C2F0
> Key available on www.pgp.net
> *******************************************************************************
>
More information about the linux
mailing list