
How to force TLS/SSL connections only?



Hi all,
     (system: RH7.3 with openldap 2.0.25)

     My LDAP server should not allow anonymous access and should
only allow access to clients with valid certificates.
     I have added the TLS configuration lines in slapd.conf:

################ Begin ###################################
TLSCertificateFile    /usr/local/etc/openldap/server.crt
TLSCertificateKeyFile /usr/local/etc/openldap/server.key
TLSCACertificateFile  /usr/share/ssl/misc/demoCA/cacert.pem
TLSVerifyClient       demand
################ End  ####################################

And in ldap.conf, I added:
################# Begin ###############################
TLS_CACERT      /usr/share/ssl/misc/demoCA/cacert.pem
TLS             hard
################## end ################################

In the valid client's ".ldaprc" file:
################### Begin ##############################
TLS_CERT        /home/globus/ldapcert/user.crt
TLS_KEY         /home/globus/ldapcert/user.key
#################### End ###############################

Then I started the LDAP server with TLS/SSL as:
  $slapd -h "ldap:/// ldaps:///" -d 512

But I can still get all the contents of the LDAP server with the "Softerra LDAP Browser" anonymously :( Why?
Should I add some other "access control"?

Meanwhile, I ran the commands:
(1) $ldapsearch  -x -H "ldap://my_ldap_server_FQDN:389" -b "o=MyTest,c=CN" -s sub "(objectclass=*)" -v
   ldap_initialize( ldap://moon.rd.sdb.ac.cn )
   ldap_bind: Can't contact LDAP server

(2) $ldapsearch  -x -H "ldaps://my_ldap_server_FQDN:636" -b "o=MyTest,c=CN" -s sub "(objectclass=*)" attributeType -v
   ldap_initialize( ldaps://my_ldap_server_FQDN:636 )
   filter: (objectclass=*)
   requesting: attributeType 
   dn: o=MyTest,c=CN
   dn: cn=Manager,o=MyTest,c=CN    

From the above results, I think the TLS connection on port 636 is working well, but on port 389 the connection is refused.

BTW: What is the meaning of the option "-x" in the "ldapsearch" command? "Simple Authentication"? It's different from "Anonymous", but why does it not need a userid & password?
   	
Thanks in advance. (Maybe too many questions :( )


Best,

Zhang Fei
zhfei@sdb.ac.cn
2002-11-24

===========================================================
R&D of SDB Department
CNIC,CAS,Beijing of CHINA
100080
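An added example, not part of the original post or of OpenLDAP itself: the four TLS* lines in the post only configure the TLS listener and the client-certificate check during the TLS handshake; they say nothing about a client that connects to ldap:// on 389 and never starts TLS, and without any "access" directive slapd's default access is read for everyone, which is what the anonymous browser session shows. Forcing TLS-only, authenticated access is done with separate slapd.conf directives (security, require, disallow, access; names as in slapd.conf(5), and their availability on the poster's 2.0.25 is an assumption to confirm against that version's man page). On the -x question: -x selects a simple bind instead of SASL, and a simple bind with no -D/-w is an anonymous simple bind, which is what both ldapsearch commands in the post performed. The script below writes two constructed slapd.conf fragments (the post's lines, and the same plus the enforcing directives), lints each for those directives offline, and defines the ldapsearch probes to run against a live server if a host, base DN and bind DN are passed on the command line.

```shell
#!/bin/sh
# Added example (not from the original post): an offline lint of slapd.conf
# for the directives that actually force TLS-only, authenticated access, plus
# the ldapsearch probes that verify it against a live server.
#
# Directive names follow slapd.conf(5); treat their availability on the
# poster's OpenLDAP 2.0.25 as an assumption to confirm in that version's
# man page before relying on them.
#
#   security ssf=128      refuse operations on a session whose security
#                         strength factor is below 128, i.e. plaintext
#                         ldap:// sessions that never StartTLS
#   require authc         refuse directory operations until the client has
#                         authenticated (covers unbound, implicitly anonymous
#                         sessions, which 'disallow bind_anon' alone does not)
#   disallow bind_anon    refuse explicit anonymous bind requests
#
# TLSVerifyClient demand governs only the TLS handshake; a client that never
# starts TLS is not affected by it, which is why the post's config still
# serves an anonymous plaintext reader.

# conf_has FILE DIRECTIVE TOKEN: succeed if an uncommented DIRECTIVE line
# carries TOKEN as one of its arguments.
conf_has() {
    sed 's/#.*//' "$1" | awk -v d="$2" -v t="$3" '
        tolower($1) == d { for (i = 2; i <= NF; i++) if ($i == t) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# conf_ssf FILE: print the ssf= value of the last uncommented "security"
# line, or 0 when none is set.
conf_ssf() {
    sed 's/#.*//' "$1" | awk '
        tolower($1) == "security" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^ssf=/) { sub(/^ssf=/, "", $i); v = $i }
        }
        END { print (v == "" ? 0 : v) }'
}

# slapd_conf_forces_tls FILE: succeed only when FILE requires ssf >= 128,
# authentication, and no anonymous binds.
slapd_conf_forces_tls() {
    [ "$(conf_ssf "$1")" -ge 128 ] &&
        conf_has "$1" require authc &&
        conf_has "$1" disallow bind_anon
}

# verify_tls_only HOST BASE BINDDN: probes against a live slapd (skipped in
# the offline demo below). With the hardened config, probes 1 and 2 must be
# refused and probe 3 must return the entry. -x selects a simple bind; with
# no -D/-w it is an anonymous simple bind.
verify_tls_only() {
    host=$1; base=$2; binddn=$3
    echo '1. plaintext on 389, anonymous: expect a refusal'
    ldapsearch -x -H "ldap://$host:389" -b "$base" -s base '(objectclass=*)' dn
    echo '2. StartTLS on 389 (-ZZ aborts unless TLS is negotiated), still anonymous: expect a refusal'
    ldapsearch -x -ZZ -H "ldap://$host:389" -b "$base" -s base '(objectclass=*)' dn
    echo '3. ldaps on 636, client cert from ~/.ldaprc, authenticated bind: expect the entry'
    ldapsearch -x -H "ldaps://$host:636" -D "$binddn" -W -b "$base" -s base '(objectclass=*)' dn
}

# --- offline demo with two constructed slapd.conf fragments ---------------
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
WEAK_CONF=$WORK/slapd.weak.conf      # the post's TLS-only lines (constructed copy)
HARD_CONF=$WORK/slapd.hard.conf      # same, plus the enforcing directives

cat > "$WEAK_CONF" <<'EOF'
TLSCertificateFile    /usr/local/etc/openldap/server.crt
TLSCertificateKeyFile /usr/local/etc/openldap/server.key
TLSCACertificateFile  /usr/share/ssl/misc/demoCA/cacert.pem
TLSVerifyClient       demand
EOF

cat > "$HARD_CONF" <<'EOF'
TLSCertificateFile    /usr/local/etc/openldap/server.crt
TLSCertificateKeyFile /usr/local/etc/openldap/server.key
TLSCACertificateFile  /usr/share/ssl/misc/demoCA/cacert.pem
TLSVerifyClient       demand
security              ssf=128        # no plaintext sessions
require               authc          # no unauthenticated operations
disallow              bind_anon      # no anonymous binds
# ACLs: without any 'access' directive slapd defaults to read for everyone
access to attr=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by users read
        by * none
EOF

for f in "$WEAK_CONF" "$HARD_CONF"; do
    if slapd_conf_forces_tls "$f"; then
        echo "$f: TLS and authentication enforced"
    else
        echo "$f: plaintext or anonymous access still possible"
    fi
done

if [ -n "${1:-}" ] && [ -n "${2:-}" ] && [ -n "${3:-}" ]; then
    verify_tls_only "$1" "$2" "$3"
fi
```

Run it with no arguments for the offline lint, or as `sh check.sh my_ldap_server_FQDN "o=MyTest,c=CN" "cn=Manager,o=MyTest,c=CN"` to run the three probes against the server; probe 2 is the one the post never tried, and it is the path an ldap:// client on 389 is expected to take once plaintext sessions are refused.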