[clug] LDAP over SSL/TLS not working

Jade Barton jade.barton at gmail.com
Sun Oct 2 23:01:41 GMT 2005

On 03/10/05, Tomasz Ciolek <tmc at dreamcraft.com.au> wrote:
> Jade
> Are you sure that both .conf files are used? If so, would it not be
> simpler to move everything into the one file?

I agree completely.  I'm still not sure why there are two files.  If I
take the "ssl start_tls" out of /etc/ldap.conf and put it in
/etc/openldap/ldap.conf it fails.  And if I take the "TLS_REQCERT
never" out of /etc/openldap/ldap.conf and put it in /etc/ldap.conf it
also fails??  The documentation that Kim referred me to only mentions
the /etc/openldap/ldap.conf file but my system definitely fails if I
try to move all the data out of the other file.

> On Mon, Oct 03, 2005 at 12:20:16AM +1000, Jade Barton wrote:
> > add it to.  The system added "ssl start_tls" to the /etc/ldap.conf
> > file but the "TLS_REQCERT never" had to be added to
> > /etc/openldap/ldap.conf file (??).  I'll have to read more on distro's
> > specifics as the O'Reilly book mentions nothing of this.  "never" was
> > the only option that worked too.
> Ahh the CA configs for SSL certs
> I have a wholly working Certificate Authority setup for my OpenSSL
> The Big one with that is that you have to generate and self sign a CA
> certificate. That certificate MAY have its key encrypted.
> The second step is to generate keys and certificate signing requests for
> each system that uses those and then sign them with your CA cert.
> Is that what you did?

That's what I think I did, which often differs from what I actually
did ;)  Here are some of the commands I ran.

cd /data/myca
/usr/share/ssl/misc/CA.pl -newca
openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
<entered all the details for my new key/cert here>
/usr/share/ssl/misc/CA.pl -sign
<I then selected the key I wanted to sign, the only one in the
directory and followed the prompts>

I then moved all three files into a separate folder and pointed
slapd.conf at it.  I also put the cert on all the clients and pointed
ldap.conf to that (TLS_CERT).  I also tried putting the "cacert.pem"
file on the client and pointing TLS_CACERT at it with no joy.

As I said earlier the O'Reilly book I was working out of implies this
is not required but I got the instructions from

> Tomasz
> --
> Tomasz M. Ciolek
> *******************************************************************************
>  tmc at dreamcraft dot com dot au
> *******************************************************************************
>    GPG Key ID:          0x41C4C2F0
>    GPG Key Fingerprint: 3883 B308 8256 2246 D3ED  A1FF 3A1D 0EAD 41C4 C2F0
>    Key available on www.pgp.net
> *******************************************************************************
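Added example, not part of the original thread: a small checker for the client-side TLS directives the thread argues about. It treats the merged contents of the two files Jade describes (/etc/ldap.conf and /etc/openldap/ldap.conf) as one configuration, flags "TLS_REQCERT never" (which disables server certificate verification, so it "works" only because nothing is checked), and points out that TLS_CERT is the client's own certificate, whereas the CA certificate from CA.pl -newca belongs in TLS_CACERT. The sample configs and file paths are constructed for illustration.

```python
# Directive names follow OpenLDAP's ldap.conf(5); "ssl start_tls" is the
# pam_ldap/nss_ldap form used in the thread.  Assumption: both files are
# merged into one text blob before checking.
WEAK_REQCERT = {"never", "allow"}   # server certificate not (or not strictly) verified


def parse_ldap_conf(text):
    """Parse 'KEY value' lines into a dict; keys uppercased, comments stripped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_tls(text):
    """Return findings explaining why server-certificate verification is
    weakened or cannot succeed with this client configuration."""
    conf = parse_ldap_conf(text)
    findings = []
    reqcert = conf.get("TLS_REQCERT", "demand").lower()   # OpenLDAP default is demand
    if reqcert in WEAK_REQCERT:
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not verified")
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: no CA to verify the server against")
    if "TLS_CERT" in conf and "TLS_CACERT" not in conf:
        findings.append("TLS_CERT set without TLS_CACERT: TLS_CERT is the client's own cert, not the CA")
    return findings


# Constructed sample: the working-but-unverified setup described in the thread.
WEAK_CONF = """\
ssl start_tls
TLS_CERT /etc/openldap/newcert.pem
TLS_REQCERT never
"""

# Constructed sample: verify the server against the CA created by CA.pl -newca.
HARDENED_CONF = """\
ssl start_tls
TLS_CACERT /etc/openldap/cacert.pem
TLS_REQCERT demand
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_tls(conf) or ["ok: server certificate will be verified"])
```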
