Re: Problems with openldap2.1.4 and TLS/SSL
[ Frank Swasey ]
> ----- Original Message -----
> From: "Stefan Wurzinger" <stefan.wurzinger@greengecko.org>
> Sent: Monday, September 23, 2002 15:40
>
> > I've created the certificate with the following arguments:
> > openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 365
>
> Aha! You generated a self-signed certificate. That doesn't work with
> OpenLDAP 2.1! You have to have a real certificate (something
> certified by a CA).
Uhm... No, self-signed certificates should be just fine:
CA.pl -newca      [press return, then answer prompts]
CA.pl -newreq     [enter info you want your LDAP server to have.
                   Ignore "extra" attributes.
                   Note: you HAVE TO PUT IN A NAME for "commonName"]
CA.pl -signreq
openssl rsa -in newreq.pem -out ldapkey.pem   # to remove any passphrase
chmod 0600 ldapkey.pem
mv newcert.pem ldapcert.pem
slapd.conf:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /ldap/etc/ldap-cert/ldapcert.pem
TLSCertificateKeyFile /ldap/etc/ldap-cert/ldapkey.pem
TLSCACertificateFile /ldap/etc/ldap-cert/demoCA/cacert.pem
Add "TLS_CACERT /ldap/etc/ldap-cert/demoCA/cacert.pem" in
/<path-to-openldap-tree>/etc/ldap.conf.
Works for me.
Look at http://www.openldap.org/faq/data/cache/185.html and check
older threads on the subject.
--
Mathias Meisfjordskar
GNU/Linux addict.
Debian - What your mom would use if it were twenty times easier.
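The CA.pl sequence and the client-side TLS_CACERT point from the reply above, scripted with plain openssl as an added example (this is not code from the thread or from the OpenLDAP project). The hostname ldap.example.com, the CA name, and the directory layout are assumptions made for the demo. It builds a private CA, issues a CA-signed server certificate from it, then runs the two checks a client with TLS_CACERT set actually performs (chain to the CA, hostname match), including the cases that fail: a different CA in TLS_CACERT and a name mismatch. It also shows the original poster's one-shot self-signed certificate verifying against itself, which is why a self-signed certificate works as long as the client is told to trust it.

```shell
#!/bin/sh
# Added example, not part of the thread: script the CA.pl steps with plain
# openssl, then check what a client with TLS_CACERT would check.
# Assumptions for this demo: hostname ldap.example.com, CA name
# "Example LDAP CA", and the directories passed as $1.
set -eu

# Private CA plus a CA-signed server cert under $1 for hostname $2
# (the "CA.pl -newca / -newreq / -signreq" sequence). Returns non-zero
# if any openssl step fails.
make_ldap_certs() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # 1. The CA itself: self-signed; its key stays on the signing machine.
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=Example LDAP CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    # 2. Server key with no passphrase: slapd cannot prompt for one at start.
    openssl genrsa -out "$dir/ldapkey.pem" 2048 2>/dev/null
    chmod 0600 "$dir/ldapkey.pem"
    # 3. Request whose commonName is the name clients will connect to.
    openssl req -new -key "$dir/ldapkey.pem" -subj "/CN=$host" \
        -out "$dir/newreq.pem" 2>/dev/null
    # 4. Sign it with the CA. A subjectAltName is added as well: current
    #    clients check it first and fall back to the CN only when absent.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
    openssl x509 -req -in "$dir/newreq.pem" -days 365 \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/san.cnf" -out "$dir/ldapcert.pem" 2>/dev/null
}

# The original poster's form: one self-signed cert, no separate CA.
# It is its own trust anchor, so a client whose TLS_CACERT points at it
# trusts it. No SAN here, so hostname matching falls back to the CN,
# which is why the CN has to be set to the server's name.
make_selfsigned() {
    dir=$1; host=$2
    mkdir -p "$dir"
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=$host" \
        -keyout "$dir/server-key.pem" -out "$dir/server.pem" 2>/dev/null
}

# What a client does with TLS_CACERT=$1 when the server presents $2 and
# the client connected to host $3: chain to the CA and match the name.
client_trusts() {
    cafile=$1; cert=$2; host=$3
    openssl verify -CAfile "$cafile" -verify_hostname "$host" "$cert" \
        >/dev/null 2>&1
}

# The key file slapd loads: unencrypted and readable only by its owner.
key_is_usable() {
    keyfile=$1
    if grep -q ENCRYPTED "$keyfile"; then
        return 1
    fi
    mode=$(stat -c %a "$keyfile" 2>/dev/null || stat -f %Lp "$keyfile")
    [ "$mode" = 600 ]
}

# Demo: run as "sh thisfile.sh demo".
if [ "${1:-}" = demo ]; then
    work=$(mktemp -d)
    make_ldap_certs "$work/ca1" ldap.example.com
    make_ldap_certs "$work/ca2" other.example.com
    client_trusts "$work/ca1/cacert.pem" "$work/ca1/ldapcert.pem" ldap.example.com &&
        echo "own CA in TLS_CACERT, right name: trusted"
    client_trusts "$work/ca2/cacert.pem" "$work/ca1/ldapcert.pem" ldap.example.com ||
        echo "other CA in TLS_CACERT: rejected"
    client_trusts "$work/ca1/cacert.pem" "$work/ca1/ldapcert.pem" wrong.example.com ||
        echo "name mismatch: rejected"
    make_selfsigned "$work/ss" ldap.example.com
    client_trusts "$work/ss/server.pem" "$work/ss/server.pem" ldap.example.com &&
        echo "self-signed cert as its own TLS_CACERT: trusted"
    rm -rf "$work"
fi
```

Point cacert.pem (or, in the self-signed case, server.pem itself) at the client's TLS_CACERT and the cert/key pair at slapd's TLSCertificateFile/TLSCertificateKeyFile. Two caveats for anyone copying the slapd.conf fragment above today: the "+SSLv2" in TLSCipherSuite should be dropped (SSLv2 is broken and OpenSSL removed it in 1.1.0), and TLSCACertificateFile on the server only matters when slapd verifies client certificates; what makes or breaks a StartTLS/ldaps connection is the client's TLS_CACERT.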