
Re: OpenLDAP with tsl/ssl





Susanne Benkert wrote:
Thank you for your fast reply.


Stig Venaas wrote:

I have already tried this on the LDAP-Server itself: ldapsearch -ZZ -d
127 "cn=*" - but it seems that only parts of the traffic are encrypted.
What you see in clear text is perhaps just the server certificate?

I don't think so, because I can read my LDAP-entries in cleartext in the
debug output. But there is no error message which shows that something
with TLS went wrong. *?*
You will always see that. As Kyle said, try tcpdump, tcpflow, snoop or whatever (depending on your system) to see if data is transferred using TLS or not (try: tcpflow -i lo -c).

I did nearly the same.
But I have (a quite stupid) question: What does the "FQDN" of the
server mean? My server-root (base) of the ldap directory is
"ou=abteilung,ou=institut,o=organisation,c=de" and my server "host04".
Is the FQDN in this case "host04.abteilung.institut,organisation,de"? I
only used "host04" as Common Name in the Certificate. Could this be my
mistake?

When creating the key file, you're asked for country, city... and "your OWN name" (CN). Just put the hostname there. 'hostname' failed for me. I put my fully qualified hostname: "bjork.admin.kapt.com" (as found in /etc/hosts)

I read somewhere that the name in the certificate was just checked at startup... so normally it does not matter if you ldapsearch on localhost or your real host (or IP)

don't forget to start slapd as: slapd -h 'ldap:/// ldaps:///'

I ldapsearch with just one '-Z' (not '-ZZ') like :

ldapsearch -H ldaps://bjork.admin.kapt.com  -b "dc=kaptech,dc=com" -D "cn=manager,dc=kaptech,dc=com" -w password
or
ldapsearch -H ldap://bjork.admin.kapt.com  -b "dc=kaptech,dc=com" -D "cn=manager,dc=kaptech,dc=com" -w password -Z

(I was not able to ldapsearch on port 636 though...)

it seems everything is encrypted.... finally :)

Cheers,

Prune
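Prune's advice above (run tcpflow on the loopback interface and look at what actually crosses the wire) is the right check; the script below, added here and not part of the thread, shows what to look for in the captured segments. It tells TLS records apart from cleartext LDAP PDUs by their leading bytes, recognises the StartTLS extended request (which is itself sent in the clear, just as the server certificate in the handshake is) and flags any searchResEntry that left the server unencrypted. The sample segments are constructed by hand, not captured from a real server.

```python
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
TLS_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
             0x16: "handshake", 0x17: "application_data"}
LDAP_OPS = {0x60: "bindRequest", 0x61: "bindResponse", 0x63: "searchRequest",
            0x64: "searchResEntry", 0x65: "searchResDone",
            0x77: "extendedReq", 0x78: "extendedResp"}

def ber_len(buf, i):
    """Return (length, index after the length field) for the BER length at buf[i]."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def classify(payload):
    """Label one TCP segment seen on the LDAP port: TLS record or cleartext LDAP PDU."""
    try:
        if payload[0] in TLS_TYPES and payload[1] == 3 and payload[2] <= 4:
            return "tls:" + TLS_TYPES[payload[0]]   # TLS record header: type, version
        if payload[0] != 0x30:                      # LDAPMessage ::= SEQUENCE
            return "unknown"
        _, i = ber_len(payload, 1)
        if payload[i] != 0x02:                      # messageID ::= INTEGER
            return "unknown"
        n, i = ber_len(payload, i + 1)
        msgid = int.from_bytes(payload[i:i + n], "big")
        i += n
        op = LDAP_OPS.get(payload[i], "op_%02x" % payload[i])
        if op == "extendedReq" and STARTTLS_OID in payload[i:]:
            op = "extendedReq(StartTLS)"            # the StartTLS request itself is cleartext
        return "ldap:%s#%d" % (op, msgid)
    except IndexError:
        return "unknown"

def audit(segments):
    """Label every segment and list the directory entries that crossed the wire in clear."""
    labels = [classify(s) for s in segments]
    leaked = [l for l in labels if l.startswith("ldap:searchResEntry")]
    return labels, leaked

def ber(tag, content):
    """Short-form BER TLV builder, used only to construct the sample segments below."""
    return bytes([tag, len(content)]) + content

# Constructed sample segments (not real captures).
STARTTLS_REQ = ber(0x30, ber(0x02, b"\x01") + ber(0x77, ber(0x80, STARTTLS_OID)))
TLS_HELLO = b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x00"
TLS_APPDATA = b"\x17\x03\x03\x00\x04" + b"\xde\xad\xbe\xef"
CLEAR_ENTRY = ber(0x30, ber(0x02, b"\x02") + ber(0x64, ber(0x04, b"cn=host04,o=organisation,c=de") + ber(0x30, b"")))
```

Feed it the segments in capture order: audit([STARTTLS_REQ, TLS_HELLO, TLS_APPDATA]) reports nothing leaked, while audit([CLEAR_ENTRY]) lists the entry that went out unencrypted, which is exactly the symptom of a search run with a single -Z that silently fell back to cleartext.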