Re: tls doesn't work
On Fri, 2003-04-04 at 11:17, Kuba Leszewski wrote:
> In ldap.conf, the TLS/SSL related part looks like this:
> # Netscape SDK LDAPS
> #ssl on
>
> # Netscape SDK SSL options
> #sslpath /etc/ssl/certs/cert7.db
>
> # OpenLDAP SSL mechanism
> # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
> ssl start_tls
> #ssl off
>
> # OpenLDAP SSL options
> # Require and verify server certificate (yes/no)
> # Default is "no"
> #tls_checkpeer yes
>
> # CA certificates for server certificate verification
> # At least one of these are required if tls_checkpeer is "yes"
> tls_cacertfile /usr/local/ssl/ce3-CA/certs/cacert.pem
> tls_cacertdir /usr/local/ssl/ce3-CA
>
> # SSL cipher suite
> # See man ciphers for syntax
> tls_ciphers TLSv1
>
> # Client certificate and key
> # Use these, if your server requires client authentication.
> #tls_cert
> #tls_key
What other people are writing is that if you do (at any rate on Linux;
on Solaris, SCO OpenServer etc. you'd do something else):
'strace ldapsearch 2>&1 | grep open | grep conf'
you'll see what .conf files 2.1.x (Openldap.org distros) expect, e.g.
inter alia that ldapsearch expects a
"/usr/local/etc/openldap/ldap.conf".
Now a little secret, just between you and me:
If you do:
    if [ -f /usr/local/etc/openldap/ldap.conf ]; then
        mv /usr/local/etc/openldap/ldap.conf /usr/local/etc/openldap/ldap.conf.old
    fi
    ln -s /etc/ldap.conf /usr/local/etc/openldap/ldap.conf
you'll see that it doesn't make the blindest little bit of difference in
practice which ldap.conf you use ('man ldap.conf' shows that OpenLDAP's
ldap.conf is simply a glorified subset of the pam_ldap ldap.conf).
That's what I have, for my simple 2.1.17 installation.
Best,
Tony
--
Tony Earnshaw
e-post: tonni@billy.demon.nl
www: http://www.billy.demon.nl
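As an added example (not code from either message in this thread, and not OpenLDAP's or pam_ldap's own code), the script below does two things a practitioner would want after reading the advice above: it pulls the .conf paths out of a saved strace capture, the "grep open | grep conf" step done on a file rather than live, and it reads the effective TLS directives out of an ldap.conf so that a commented-out tls_checkpeer is noticed. The point worth checking in the posted file is that "#tls_checkpeer yes" is a comment, and the file's own comment says the default is "no": with start_tls the connection is encrypted but the server certificate is not verified. The function names, the strace excerpt and the two ldap.conf copies are all my own constructions, embedded so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP. Two small checks:
# (1) recover the .conf files ldapsearch tried to open from a *saved* strace
# capture, and (2) read the effective TLS settings out of an ldap.conf so an
# unset tls_checkpeer (default "no") does not go unnoticed.
# The strace capture and both ldap.conf copies below are constructed inline.

# ldap_conf_get FILE DIRECTIVE: print the effective value of DIRECTIVE
# (comment lines ignored, key matched case-insensitively, last match wins;
# prints nothing if the directive is absent).
ldap_conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) {
            line = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", line)
            val = line
        }
        END { print val }' "$1"
}

# tls_checkpeer_enabled FILE: succeed only if the server certificate will be
# verified. An absent directive means the default "no", so start_tls alone
# gives encryption without authentication of the server.
tls_checkpeer_enabled() {
    case "$(ldap_conf_get "$1" tls_checkpeer)" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]) return 0 ;;
        *) return 1 ;;
    esac
}

# conf_files_from_strace FILE: the "grep open | grep conf" step done on a
# saved capture; handles both open() and openat() lines.
conf_files_from_strace() {
    sed -n 's/^open[a-z]*(.*"\([^"]*\.conf\)".*/\1/p' "$1" | sort -u
}

# --- constructed sample inputs ------------------------------------------
write_sample_conf() {      # a trimmed copy of the ldap.conf posted above
    cat > "$1" <<'EOF'
# OpenLDAP SSL mechanism
ssl start_tls
# Require and verify server certificate (yes/no); default is "no"
#tls_checkpeer yes
tls_cacertfile /usr/local/ssl/ce3-CA/certs/cacert.pem
tls_cacertdir /usr/local/ssl/ce3-CA
tls_ciphers TLSv1
EOF
}

write_hardened_conf() {    # same file with peer verification switched on
    write_sample_conf "$1"
    echo "tls_checkpeer yes" >> "$1"
}

write_sample_strace() {    # constructed excerpt of what strace might print
    cat > "$1" <<'EOF'
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/usr/local/etc/openldap/ldap.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ldap.conf", O_RDONLY) = 3
open("/etc/hosts", O_RDONLY) = 4
EOF
}

# --- demo ---------------------------------------------------------------
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/ldap.conf"
write_sample_strace "$demo_dir/strace.out"

echo "config files ldapsearch looked for:"
conf_files_from_strace "$demo_dir/strace.out"
echo "ssl = $(ldap_conf_get "$demo_dir/ldap.conf" ssl)"
if tls_checkpeer_enabled "$demo_dir/ldap.conf"; then
    echo "tls_checkpeer: server certificate is verified"
else
    echo "tls_checkpeer: NOT set, server certificate is not verified"
fi
rm -rf "$demo_dir"
```

To use it on a real system, capture once with something like `strace ldapsearch -x 2>&1 > strace.out` and point conf_files_from_strace at the file; then run tls_checkpeer_enabled against every ldap.conf the capture shows being opened, since the one that wins is the one that decides whether the server certificate is checked.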