Re: Problem with openldap/pam & tls
Hi.
You should insert some lines in slapd.conf, something like:
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile /usr/local/etc/openldap/ldapcert.pem
TLSCertificateKeyFile /usr/local/etc/openldap/ldapkey.pem
TLSCACertificateFile /usr/local/etc/openldap/demoCA/cacert.pem
And you should generate key and certs for the server.
If you want to have both TLS over TCP 389 and SSL over TCP 636 (or
whatever), you should start slapd with option [-h "ldap:/// ldaps:///"].
ldaps:/// is for SSL connections over TCP 636.
Then on client side in ldap.conf you should have either (for TLS over TCP
389)
uri ldap://your.ldap.server.fqdn/
ssl start_tls
or (for SSL over TCP 636)
uri ldaps://your.ldap.server.fqdn/
port 636
ssl on
I also use the following lines in ldap.conf to set the CA cert location.
tls_checkpeer yes
TLS_CACERT /usr/local/etc/openldap/demoCA/cacert.pem
----- Original Message -----
From: "Ignacio Bernal" <ibernal@unav.es>
To: "openldap-software@OpenLDAP.org" <openldap-software@OpenLDAP.org>
Sent: Wednesday, June 04, 2003 6:25 PM
Subject: Problem with openldap/pam & tls
> Hi,
>
> I'm trying to configure a server (Redhat 7.3 & 2.4.20) with:
>
> openldap-2.1.17
> openssl-9.7b
> pam_ldap-161
> nss_ldap-203
>
> I'm using the following ldap.conf file :
>
> # cat ldap.conf
>
> host ldap.server.domain.con
> base o=people,dc=domain,dc=com
> scope sub
> timelimit 30
> ldap_version 3
> tls_reqcert allow
> nss_map_attribute uid mailAcceptingGeneralId
> pam_login_attribute mailAcceptingGeneralId
> ssl on
> ssl start_tls
>
> Everything works fine until I try to use TLS; at this moment the server
> loses contact with the LDAP server, and everything fails.
>
> Any idea?
>
> Thanks in advance,
> Iñaki
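The reply pairs each client setting with one transport: `ssl start_tls` with an ldap:// URI on TCP 389, `ssl on` with an ldaps:// URI (or port 636), plus `tls_checkpeer yes` and a `TLS_CACERT` path so the client can verify the server. The quoted ldap.conf sets both `ssl on` and `ssl start_tls` and uses `tls_reqcert allow`, which tells the client to proceed even when the server certificate cannot be verified. The following consistency check is an added example, not code from the thread or from the OpenLDAP, pam_ldap or nss_ldap projects; the function names, the finding texts and the two sample configurations are this example's own constructions, and the "fixed" sample simply reproduces the STARTTLS-on-389 layout the reply recommends.

```python
"""Consistency check for a pam_ldap/nss_ldap style ldap.conf.

Added example (not from the original mailing-list thread). It encodes the
pairing given in the reply: 'ssl start_tls' goes with an ldap:// URI on
TCP 389, 'ssl on' goes with an ldaps:// URI on TCP 636, and the client
should name a CA certificate and check the peer. Finding strings and
function names are this example's own.
"""
from __future__ import annotations


def parse_ldap_conf(text: str) -> dict[str, list[str]]:
    """Parse 'key value' lines into {lowercased key: [values...]}.

    A key that appears twice keeps both values, so a config that says
    both 'ssl on' and 'ssl start_tls' is visible as conf['ssl'] == ['on', 'start_tls'].
    '#' starts a comment; blank lines are ignored.
    """
    conf: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def check_ldap_conf(text: str) -> list[str]:
    """Return a list of findings; an empty list means the TLS settings are consistent."""
    conf = parse_ldap_conf(text)
    findings: list[str] = []

    ssl_modes = {v.lower() for v in conf.get("ssl", [])}
    uris = [u.lower() for u in conf.get("uri", [])]
    ports = [p.strip() for p in conf.get("port", [])]
    has_ldaps_uri = any(u.startswith("ldaps://") for u in uris)

    # The two modes are alternatives: STARTTLS upgrades a TCP 389 session,
    # 'ssl on' expects a TLS-wrapped session on TCP 636.
    if "on" in ssl_modes and "start_tls" in ssl_modes:
        findings.append("conflict: both 'ssl on' (ldaps, TCP 636) and 'ssl start_tls' "
                        "(STARTTLS on TCP 389) are set; keep exactly one")
    if "on" in ssl_modes and not has_ldaps_uri and "636" not in ports:
        findings.append("'ssl on' without an ldaps:// uri or 'port 636': confirm slapd "
                        "was started with -h \"ldap:/// ldaps:///\" and point at TCP 636")
    if "start_tls" in ssl_modes and has_ldaps_uri:
        findings.append("'ssl start_tls' expects a plain ldap:// uri on TCP 389, not ldaps://")

    # Without a CA certificate the client has nothing to verify the server chain against.
    if ssl_modes and not (conf.get("tls_cacert") or conf.get("tls_cacertfile")):
        findings.append("no tls_cacert: the client cannot verify the server certificate chain")

    # 'allow' and 'never' let the session proceed on a missing or bad certificate.
    reqcert = [v.lower() for v in conf.get("tls_reqcert", [])]
    if any(v in ("never", "allow") for v in reqcert):
        findings.append("tls_reqcert is 'allow'/'never': server certificate failures are "
                        "ignored; use 'demand' once the CA cert is in place")

    checkpeer = [v.lower() for v in conf.get("tls_checkpeer", [])]
    if checkpeer and checkpeer[-1] in ("no", "off", "false"):
        findings.append("tls_checkpeer is off: the server certificate is not checked")

    return findings


# Constructed sample: the client configuration quoted in the thread, without
# the site-specific attribute mapping lines.
REPORTED_CONF = """\
host ldap.server.domain.con
base o=people,dc=domain,dc=com
scope sub
timelimit 30
ldap_version 3
tls_reqcert allow
ssl on
ssl start_tls
"""

# Constructed sample: the STARTTLS-on-389 layout the reply recommends.
FIXED_CONF = """\
uri ldap://your.ldap.server.fqdn/
base o=people,dc=domain,dc=com
ldap_version 3
ssl start_tls
tls_checkpeer yes
tls_reqcert demand
TLS_CACERT /usr/local/etc/openldap/demoCA/cacert.pem
"""

if __name__ == "__main__":
    for name, conf in (("reported", REPORTED_CONF), ("fixed", FIXED_CONF)):
        print(f"[{name}]")
        for finding in check_ldap_conf(conf) or ["ok"]:
            print("  -", finding)
```

Run it as a script to see the four findings for the quoted configuration and none for the corrected one; the parser keeps duplicate keys on purpose, since the conflicting `ssl` lines are exactly what a last-value-wins parser would hide.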