
Re: Problem with openldap/pam & tls



Hi.
You should insert some lines in slapd.conf, something like:
TLSCipherSuite          HIGH:MEDIUM:+SSLv3
TLSCertificateFile      /usr/local/etc/openldap/ldapcert.pem
TLSCertificateKeyFile   /usr/local/etc/openldap/ldapkey.pem
TLSCACertificateFile    /usr/local/etc/openldap/demoCA/cacert.pem

And you should generate key and certs for the server.
If you want to have both TLS over TCP 389 and SSL over TCP 636 (or
whatever), you should start slapd with option [-h "ldap:/// ldaps:///"].
ldaps:/// is for SSL connections over TCP 636.

Then on client side in ldap.conf you should have either (for TLS over TCP
389)

uri                     ldap://your.ldap.server.fqdn/
ssl                     start_tls

or (for SSL over TCP 636)
uri                    ldaps://your.ldap.server.fqdn/
port                   636
ssl                    on

I also use the following lines in ldap.conf to set the CA cert location:
tls_checkpeer           yes
TLS_CACERT              /usr/local/etc/openldap/demoCA/cacert.pem

----- Original Message -----
From: "Ignacio Bernal" <ibernal@unav.es>
To: "openldap-software@OpenLDAP.org" <openldap-software@OpenLDAP.org>
Sent: Wednesday, June 04, 2003 6:25 PM
Subject: Problem with openldap/pam & tls


> Hi,
>
> I'm trying to configure a server (Redhat 7.3 & 2.4.20) with:
>
> openldap-2.1.17
> openssl-9.7b
> pam_ldap-161
> nss_ldap-203
>
> I'm using the following ldap.conf file :
>
> # cat ldap.conf
>
> host ldap.server.domain.con
> base            o=people,dc=domain,dc=com
> scope           sub
> timelimit       30
> ldap_version    3
> tls_reqcert allow
> nss_map_attribute uid mailAcceptingGeneralId
> pam_login_attribute mailAcceptingGeneralId
> ssl on
> ssl start_tls
>
> Everything works fine until I try to use TLS; at that moment the server
> loses contact with the LDAP server, and everything fails.
>
> Any idea ?
>
> Thanks in advance,
> Iñaki
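A small checker, added here and not part of the thread, for the ldap.conf mix-ups discussed above: the original post sets both "ssl on" and "ssl start_tls", while the reply pairs start_tls with ldap:// on 389 and "ssl on" with ldaps:// on 636. The sample config is constructed from the original post; treating keywords as case-insensitive with the last value winning is an assumption of this example, as is the list of tls_reqcert values it flags.

```python
"""Flag the TLS/SSL mix-ups in a pam_ldap/nss_ldap style ldap.conf."""
import re

# Constructed sample, abbreviated from the original post: 'ssl on' and
# 'ssl start_tls' together, and tls_reqcert set to allow.
SAMPLE_CONF = """\
host ldap.server.domain.con
base            o=people,dc=domain,dc=com
ldap_version    3
tls_reqcert allow
ssl on
ssl start_tls
"""


def parse_ldap_conf(text):
    """Return (keyword, value) pairs; keywords lower-cased (assumption: case-insensitive)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        entries.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return entries


def check_tls(text):
    """Return a list of problem descriptions; empty means the TLS settings are consistent."""
    entries = parse_ldap_conf(text)
    ssl_values = [v.lower() for k, v in entries if k == "ssl"]
    uris = [v.lower() for k, v in entries if k == "uri"]
    conf = {k: v for k, v in entries if k != "ssl"}  # assumption: last value wins
    has_ldaps = any(u.startswith("ldaps://") for u in uris)
    problems = []
    if "on" in ssl_values and "start_tls" in ssl_values:
        problems.append("both 'ssl on' and 'ssl start_tls' set: use one "
                        "(start_tls on ldap:// 389, or 'ssl on' with ldaps:// 636)")
    if "start_tls" in ssl_values and has_ldaps:
        problems.append("'ssl start_tls' with an ldaps:// uri: StartTLS runs on a plain ldap:// session")
    if "on" in ssl_values and uris and not has_ldaps:
        problems.append("'ssl on' without an ldaps:// uri: use ldaps://host/ and port 636")
    reqcert = conf.get("tls_reqcert", "").lower()
    if reqcert in ("allow", "never"):
        problems.append("tls_reqcert %s: server certificate is not verified; prefer 'demand' "
                        "with tls_cacert pointing at the CA cert" % reqcert)
    if conf.get("tls_checkpeer", "").lower() == "yes" and "tls_cacert" not in conf:
        problems.append("tls_checkpeer yes without tls_cacert: no CA to verify the peer against")
    return problems
```

Running it over the two variants from the reply (ldap:// plus start_tls with tls_checkpeer and TLS_CACERT, or ldaps:// with port 636 and ssl on) yields no findings.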