[clug] LDAP over SSL/TLS not working
Kim Holburn
kim.holburn at anu.edu.au
Sun Oct 2 23:32:52 GMT 2005
On debian systems there are 3 ldap conf files: /etc/ldap/ldap.conf, /etc/libnss_ldap.conf and /etc/pam_ldap.conf. They are all slightly different and have overlapping sets of configuration directives. The names are indicative of what they are for. I guess /etc/ldap/ldap.conf is equivalent to RH /etc/openldap/ldap.conf.
On 2005 Oct 03 at 9:01 AM, Jade Barton wrote:
> On 03/10/05, Tomasz Ciolek <tmc at dreamcraft.com.au> wrote:
>
>> Jade
>>
>> Are you sure that both .conf files are used? If so, would it not be
>> simpler to move everything into the one file?
>>
>
> I agree completely. I'm still not sure why there are two files. If I
> take the "ssl start_tls" out of /etc/ldap.conf and put it in
> /etc/openldap/ldap.conf it fails. And if I take the "TLS_REQCERT
> never" out of /etc/openldap/ldap.conf and put it in /etc/ldap.conf it
> also fails?? The documentation that Kim referred me to only mentions
> the /etc/openldap/ldap.conf file but my system definitely fails if I
> try to move all the data out of the other file.
>
>
>>
>> On Mon, Oct 03, 2005 at 12:20:16AM +1000, Jade Barton wrote:
>>
>>> add it to. The system added "ssl start_tls" to the /etc/ldap.conf
>>> file but the "TLS_REQCERT never" had to be added to
>>> /etc/openldap/ldap.conf file (??). I'll have to read more on distro's
>>> specifics as the O'Reilly book mentions nothing of this. "never" was
>>> the only option that worked too.
>>>
>>
>> Ahh the CA configs for SSL certs
>>
>> I have a wholly working Certificate Authority setup for my OpenSSL
>>
>> The big one with that is that you have to generate and self sign a CA
>> certificate. That certificate MAY have its key encrypted.
>>
>> The second step is to generate keys and certificate signing requests for
>> each system that uses those and then sign them with your CA cert.
>>
>> Is that what you did?
>>
>
> That's what I think I did, which often differs from what I actually
> did ;) Here are some of the commands I ran.
>
> cd /data/myca
> /usr/share/ssl/misc/CA.pl -newca
> openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
> <entered all the details for my new key/cert here>
> /usr/share/ssl/misc/CA.pl -sign
> <I then selected the key I wanted to sign, the only one in the
> directory and followed the prompts>
>
> I then moved all three files into a separate folder and pointed
> slapd.conf at it. I also put the cert on all the clients and pointed
> ldap.conf to that (TLS_CERT). I also tried putting the "cacert.pem"
> file on the client and pointing TLS_CACERT at it with no joy.
>
> As I said earlier the O'Reilly book I was working out of implies this
> is not required but I got the instructions from
> http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#4.0
>
>
>>
>> Tomasz
>>
>> --
>> Tomasz M. Ciolek
>> *******************************************************************************
>> tmc at dreamcraft dot com dot au
>> *******************************************************************************
>> GPG Key ID: 0x41C4C2F0
>> GPG Key Fingerprint: 3883 B308 8256 2246 D3ED A1FF 3A1D 0EAD 41C4 C2F0
>> Key available on www.pgp.net
>> *******************************************************************************
>>
>>
> --
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux
>
--
Kim Holburn
Network and Security Manager, National ICT Australia Ltd.
Ph: +61 2 61258620 M: +61 417820641 F: +61 2 6230 6121 aim://kimholburn
Email: kim.holburn at nicta.com.au - PGP Public Key on request
callto://kholburn
Cacert Root Cert: http://www.cacert.org/cacert.crt
Aust. Spam Act: To stop receiving mail from me: reply and let me know.
Use ISO 8601 dates [YYYY-MM-DD] http://www.saqqara.demon.co.uk/
datefmt.htm
Democracy imposed from without is the severest form of tyranny.
-- Lloyd Biggle, Jr. Analog, Apr 1961
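As an added illustration (not code from the thread or from OpenLDAP), a small audit of the two client config styles the thread juggles: libldap's /etc/openldap/ldap.conf (TLS_REQCERT, TLS_CACERT) and pam_ldap/nss_ldap's /etc/ldap.conf (ssl, tls_checkpeer). The file contents and the cacert.pem path are constructed; the point it shows is that "TLS_REQCERT never" only "works" because it stops verifying the server certificate, whereas pointing TLS_CACERT at the CA's cacert.pem is what lets "demand" succeed.

```python
from typing import Dict, List

# Constructed sample of /etc/openldap/ldap.conf (libldap style), mirroring the thread's setup
OPENLDAP_CONF = """\
BASE    dc=example,dc=com
URI     ldap://ldap.example.com
TLS_REQCERT never
"""
# Constructed sample of /etc/ldap.conf (pam_ldap/nss_ldap style) from the same setup
PAM_LDAP_CONF = """\
host ldap.example.com
base dc=example,dc=com
ssl start_tls
"""
# Constructed hardened libldap config: trust the self-signed CA, keep verification on
OPENLDAP_CONF_FIXED = """\
BASE    dc=example,dc=com
URI     ldap://ldap.example.com
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_REQCERT demand
"""

def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Both files are 'key value' lines; keys are case-insensitive and '#' starts a comment."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit_openldap(conf: Dict[str, str]) -> List[str]:
    """Findings for libldap's ldap.conf; TLS_REQCERT defaults to 'demand' when unset."""
    findings = []
    reqcert = conf.get("tls_reqcert", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is accepted unverified")
    if "tls_cacert" not in conf and "tls_cacertdir" not in conf:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: a private CA's signature cannot be checked")
    return findings

def audit_pam_ldap(conf: Dict[str, str]) -> List[str]:
    """Findings for pam_ldap/nss_ldap's ldap.conf; unset TLS options fall back to libldap's."""
    findings = []
    if conf.get("ssl", "off").lower() not in ("start_tls", "on"):
        findings.append("ssl not enabled: binds go over plaintext LDAP")
    if conf.get("tls_checkpeer", "").lower() == "no":
        findings.append("tls_checkpeer no: server certificate is accepted unverified")
    return findings

def audit(openldap_text: str, pam_text: str) -> List[str]:
    """Combine both files' findings, as a client host effectively uses both at once."""
    return audit_openldap(parse_ldap_conf(openldap_text)) + audit_pam_ldap(parse_ldap_conf(pam_text))
```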