
Re: Problems with openldap2.1.4 and TLS/SSL



[ Frank Swasey ]

> ----- Original Message -----
> From: "Stefan Wurzinger" <stefan.wurzinger@greengecko.org>
> Sent: Monday, September 23, 2002 15:40
> 
> > I've created the certificate with the following arguments 
> > openssl req -new -x509 -nodes -out server.pem -keyout server.pem 
> > -days 365
> 
> Aha! You generated a self-signed certificate. That doesn't work with
> OpenLDAP 2.1! You have to have a real certificate (something
> certified by a CA).

Uhm... No, self-signed certificates should be just fine:

CA.pl -newca  [press return, then answer prompts]
CA.pl -newreq [enter info you want your LDAP server to have.
              Ignore "extra" attributes.
              Note: you HAVE TO PUT IN A NAME for "commonName"]
CA.pl -signreq
openssl rsa -in newreq.pem -out ldapkey.pem # to remove any passphrase
chmod 0600 ldapkey.pem
mv newcert.pem ldapcert.pem

slapd.conf:

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /ldap/etc/ldap-cert/ldapcert.pem
TLSCertificateKeyFile /ldap/etc/ldap-cert/ldapkey.pem
TLSCACertificateFile /ldap/etc/ldap-cert/demoCA/cacert.pem

Add "TLS_CACERT /ldap/etc/ldap-cert/demoCA/cacert.pem" in
/<path-to-openldap-tree>/etc/ldap.conf.

Works for me.

Look at http://www.openldap.org/faq/data/cache/185.html and check
older threads on the subject.


-- 
Mathias Meisfjordskar

GNU/Linux addict.
Debian - What your mom would use if it were twenty times easier.
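The CA.pl -newca / -newreq / -signreq procedure from the reply above, redone with plain openssl commands as an added example (this is not code from the original thread or from the OpenLDAP project), followed by the checks worth running before pointing slapd at the files: that ldapcert.pem chains to demoCA/cacert.pem, that ldapkey.pem matches it, that the commonName is set to the hostname clients will connect to, and that the key file is mode 0600. The hostname `ldap.example.org` and the directory `./ldap-cert` are assumptions; set `LDAP_HOST` and `CERT_DIR` for your server.

```shell
#!/bin/sh
# Added example, not code from the original thread: the CA.pl -newca /
# -newreq / -signreq steps expressed as plain openssl commands, followed
# by the checks worth running before handing the files to slapd.
# LDAP_HOST and CERT_DIR are assumptions; set them for your server.
set -eu

LDAP_HOST="${LDAP_HOST:-ldap.example.org}"   # hypothetical hostname
CERT_DIR="${CERT_DIR:-./ldap-cert}"           # hypothetical directory

# Private CA plus a server certificate issued by it (the CA root itself
# is self-signed, which is what the reply above says works fine).
make_ldap_certs() {
    d="$CERT_DIR"
    mkdir -p "$d/demoCA"

    # CA.pl -newca: a self-signed CA certificate and its key.
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example LDAP CA" \
        -keyout "$d/demoCA/cakey.pem" -out "$d/demoCA/cacert.pem" >/dev/null 2>&1

    # CA.pl -newreq: key and CSR for the server. -nodes leaves the key
    # unencrypted, so the separate "openssl rsa -in newreq.pem" step is
    # not needed. commonName must be set; use the hostname clients dial.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$LDAP_HOST" \
        -keyout "$d/ldapkey.pem" -out "$d/newreq.pem" >/dev/null 2>&1

    # CA.pl -signreq: issue the server certificate from the CSR.
    openssl x509 -req -days 365 -in "$d/newreq.pem" \
        -CA "$d/demoCA/cacert.pem" -CAkey "$d/demoCA/cakey.pem" -CAcreateserial \
        -out "$d/ldapcert.pem" >/dev/null 2>&1

    # Only the account running slapd should be able to read the keys.
    chmod 0600 "$d/ldapkey.pem" "$d/demoCA/cakey.pem"
}

# Returns 0 when the files slapd will load are consistent: the server
# certificate chains to cacert.pem, the key matches the certificate, the
# CN is the expected hostname, and the key file is not world-readable.
check_ldap_certs() {
    d="$CERT_DIR"
    openssl verify -CAfile "$d/demoCA/cacert.pem" "$d/ldapcert.pem" >/dev/null 2>&1 || return 1
    cert_mod=$(openssl x509 -noout -modulus -in "$d/ldapcert.pem" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$d/ldapkey.pem" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ] || return 1
    openssl x509 -noout -subject -in "$d/ldapcert.pem" 2>/dev/null \
        | grep -q "CN *= *$LDAP_HOST" || return 1
    perm=$(stat -c %a "$d/ldapkey.pem" 2>/dev/null || stat -f %Lp "$d/ldapkey.pem")
    [ "$perm" = "600" ] || return 1
    return 0
}

# Set RUN_EXAMPLE=1 to build and check a certificate set when run directly.
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    make_ldap_certs
    check_ldap_certs && echo "certificate set in $CERT_DIR is consistent"
fi
```

The three output files map onto the slapd.conf directives in the reply: ldapcert.pem to TLSCertificateFile, ldapkey.pem to TLSCertificateKeyFile and demoCA/cacert.pem to TLSCACertificateFile (and to TLS_CACERT in ldap.conf). When copying the TLSCipherSuite line, leave out `+SSLv2`: SSLv2 is broken and no modern OpenSSL will negotiate it, so `HIGH:MEDIUM` alone is the safer setting.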