[clug] LDAP over SSL/TLS not working

Kim Holburn kim.holburn at anu.edu.au
Sun Oct 2 23:32:52 GMT 2005


On debian systems there are 3 ldap conf files: /etc/ldap/ldap.conf, / 
etc/libnss_ldap.conf and /etc/pam_ldap.conf.  They are all slightly  
different and have overlapping sets of configuration directives.  The  
names are indicative of what they are for.  I guess /etc/ldap/ 
ldap.conf is equivalent to RH /etc/openldap/ldap.conf

On 2005 Oct 03 at 9:01 AM, Jade Barton wrote:
> On 03/10/05, Tomasz Ciolek <tmc at dreamcraft.com.au> wrote:
>
>> Jade
>>
>> Are you sure that both .conf files are used? If so, woudl it not be
>> simpler to move everyhting into the one fle?
>>
>
> I agree completely.  I'm still not sure why there are two files.  If I
> take the "ssl start_tls" out of /etc/ldap.conf and put it in
> /etc/openldap/ldap.conf it fails.  And if I take the "TLS_REQCERT
> never" out of /etc/openldap/ldap.conf and put it in /etc/ldap.conf it
> also fails??  The documentation that Kim referred me to only mentions
> the /etc/openldap/ldap.conf file but my system definately fails if I
> try to move all the data out of the other file.
>
>
>>
>> On Mon, Oct 03, 2005 at 12:20:16AM +1000, Jade Barton wrote:
>>
>>> add it to.  The system added "ssl start_tls" to the /etc/ldap.conf
>>> file but the "TLS_REQCERT never" had to be added to
>>> /etc/openldap/ldap.conf file (??).  I'll have to read more on  
>>> distro's
>>> specifics as the O'Reilly book mentions nothing of this.  "never"  
>>> was
>>> the only option that worked too.
>>>
>>
>> Ahh the CA configs for SSL certs
>>
>> I have a wholly working Certificate Auhtority setup for my OpenSSL
>>
>> The Big one with that is that you have to generate and self sign a CA
>> certificate. That ertificate MAY have it's key encrypted.
>>
>> The second step is to generate keys and certificate signing  
>> requests for
>> each system that uses those and then sign them with you CA cert.
>>
>> Is that what you did?
>>
>
> That's what I think I did, which often differs from what I actually
> did ;)  Here are some of the commands I ran.
>
> cd /data/myca
> /usr/share/ssl/misc/CA.pl -newca
> openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
> <entered all the details for my new key/cert here>
> /usr/share/ssl/misc/CA.pl -sign
> <I then selected the key I wanted to sign, the only one in the
> directory and followed the prompts>
>
> I then moved all three files into a seperate folder and pointed
> slapd.conf at it.  I also put the cert on all the clients and pointed
> ldap.conf to that (TLS_CERT).  I also tried putting the "cacert.pem"
> file on the client and pointing TLS_CACERT at it with no joy.
>
> As I said earlier the O'Reilly book I was working out of implies this
> is not required but I got the instructions from
> http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#4.0
>
>
>>
>> Tomasz
>>
>> --
>> Tomasz M. Ciolek
>> ********************************************************************* 
>> **********
>>  tmc at dreamcraft dot com dot au
>> ********************************************************************* 
>> **********
>>    GPG Key ID:          0x41C4C2F0
>>    GPG Key Fingerprint: 3883 B308 8256 2246 D3ED  A1FF 3A1D 0EAD  
>> 41C4 C2F0
>>    Key available on www.pgp.net
>> ********************************************************************* 
>> **********
>>
>>
> --
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux
>

-- 
Kim Holburn
Network and Security Manager, National ICT Australia Ltd.
Ph: +61 2 61258620 M: +61 417820641  F: +61 2 6230 6121 aim://kimholburn
Email: kim.holburn at nicta.com.au  - PGP Public Key on request   
callto://kholburn
Cacert Root Cert: http://www.cacert.org/cacert.crt
Aust. Spam Act: To stop receiving mail from me: reply and let me know.

Use ISO 8601 dates [YYYY-MM-DD] http://www.saqqara.demon.co.uk/ 
datefmt.htm
Democracy imposed from without is the severest form of tyranny.
                           -- Lloyd Biggle, Jr. Analog, Apr 1961




More information about the linux mailing list