How to Force TLS/SSL connection Only ?
Hi all,
(system: RH7.3 with openldap 2.0.25)
My LDAP server should not allow anonymous access and
should only allow client access with valid certificates.
I have added TLS configuration lines to slapd.conf:
################ Begin ###################################
TLSCertificateFile /usr/local/etc/openldap/server.crt
TLSCertificateKeyFile /usr/local/etc/openldap/server.key
TLSCACertificateFile /usr/share/ssl/misc/demoCA/cacert.pem
TLSVerifyClient demand
################ End ####################################
And in ldap.conf, add:
################# Begin ###############################
TLS_CACERT /usr/share/ssl/misc/demoCA/cacert.pem
TLS hard
################## end ################################
In the valid client's ".ldaprc" file:
################### Begin ##############################
TLS_CERT /home/globus/ldapcert/user.crt
TLS_KEY /home/globus/ldapcert/user.key
#################### End ###############################
Then I started the LDAP server with TLS/SSL as:
$slapd -h "ldap:/// ldaps:///" -d 512
But I can still get all the contents of the LDAP server anonymously with the "Softerra LDAP Browser" :( Why?
Should I add some other "access control"?
Meanwhile, I ran the commands:
(1) $ldapsearch -x -H "ldap://my_ldap_server_FQDN:389" -b "o=MyTest,c=CN" -s sub "(objectclass=*)" -v
ldap_initialize( ldap://moon.rd.sdb.ac.cn )
ldap_bind: Can't contact LDAP server
(2) $ldapsearch -x -H "ldaps://my_ldap_server_FQDN:636" -b "o=MyTest,c=CN" -s sub "(objectclass=*)" attributeType -v
ldap_initialize( ldaps://my_ldap_server_FQDN:636 )
filter: (objectclass=*)
requesting: attributeType
dn: o=MyTest,c=CN
dn: cn=Manager,o=MyTest,c=CN
From the above results, I think the TLS connection on port 636 is working well, but on port 389 the connection is refused.
BTW: What is the meaning of the option "-x" in the "ldapsearch" command? "Simple Authentication"? It's different from "Anonymous", but why does it not need a userid & password?
Thanks in advance. (Maybe too many questions :( )
Best,
Zhang Fei
zhfei@sdb.ac.cn
2002-11-24
===========================================================
R&D of SDB Department
CNIC,CAS,Beijing of CHINA
100080
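The gap this post runs into, as an added example (not code from the original post or from the OpenLDAP project): `TLSVerifyClient demand` only decides what happens during a TLS handshake that the client chose to start, so a plain `ldap://` session, or an anonymous bind, is untouched by it. The script below parses a slapd.conf fragment and reports whether the directives that actually enforce the stated policy are present: `security ssf=N` / `security tls=N` (refuse operations on sessions without that much protection) and `disallow bind_anon` (refuse anonymous binds), both documented in slapd.conf(5). Assumptions: the two config strings are constructed here (the first mirrors the poster's fragment), the factor value 128 is illustrative, and whether the poster's 2.0.25 release supports these directives is not something the post confirms.

```python
"""Audit a slapd.conf fragment for the 'TLS configured but not required' gap.

Added example, not from the original post. Directive names follow
slapd.conf(5); the config text below is constructed for the demo.
"""
from typing import Dict, List

# Constructed copy of the slapd.conf fragment from the post: TLS is set up,
# but nothing requires a client to use it.
WEAK_CONF = """\
TLSCertificateFile /usr/local/etc/openldap/server.crt
TLSCertificateKeyFile /usr/local/etc/openldap/server.key
TLSCACertificateFile /usr/share/ssl/misc/demoCA/cacert.pem
TLSVerifyClient demand
"""

# Same fragment plus the directives that enforce the poster's stated policy
# (the strength factor 128 is an illustrative value).
HARDENED_CONF = WEAK_CONF + """\
# refuse any operation on a session without at least 128-bit TLS protection
security tls=128
# refuse anonymous binds outright
disallow bind_anon
"""


def parse_slapd_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive (lowercased) to the list of its argument strings.

    slapd.conf is line oriented: '#' starts a comment and a line beginning
    with whitespace continues the previous directive.
    """
    directives: Dict[str, List[str]] = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last_key is not None:
            directives[last_key][-1] += " " + raw.strip()
            continue
        key, _, args = raw.strip().partition(" ")
        last_key = key.lower()
        directives.setdefault(last_key, []).append(args.strip())
    return directives


def tls_is_required(directives: Dict[str, List[str]]) -> bool:
    """True if a 'security' directive sets a nonzero ssf or tls factor."""
    for args in directives.get("security", []):
        for factor in args.split():
            name, _, value = factor.partition("=")
            if name.lower() in ("ssf", "tls") and value.isdigit() and int(value) > 0:
                return True
    return False


def audit(text: str) -> List[str]:
    """Return findings; an empty list means cleartext and anonymous access are refused."""
    d = parse_slapd_conf(text)
    findings: List[str] = []
    verify = [a.lower() for a in d.get("tlsverifyclient", [])]
    if "demand" in verify and not tls_is_required(d):
        findings.append(
            "TLSVerifyClient demand is set, but no 'security ssf=/tls=' directive "
            "requires TLS: plain ldap:// sessions are still accepted"
        )
    anon_disallowed = any("bind_anon" in a.lower().split() for a in d.get("disallow", []))
    if not anon_disallowed:
        findings.append("anonymous binds are not refused ('disallow bind_anon' missing)")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or ['ok']}")
```

Run against the poster's fragment the audit reports two findings; against the hardened fragment it reports none. The check is deliberately about the server side: `TLS hard` in the client's ldap.conf only constrains well-behaved clients, and a browser that never starts TLS is exactly the case the post observes.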