
Re: openldap 2.1.30 + gentoo +ssl [self signed problem again]



Florin Angelescu wrote:

On Thursday 25 November 2004 12:50, you wrote:


1) Could you add the Fully Qualified Domain Name and IP address of the LDAP server
to /etc/hosts on the LDAP client, in case your DNS cannot properly resolve
the FQDN on which the CA cert and OpenSSL depend, and make sure you have
"hosts: files dns" in /etc/nsswitch.conf.


already did



2) I don't understand this line:
security simple_bind=64
If you don't need it and remove it, will it help after restarting the LDAP
server?
But your "ldapsearch -Z" is using the default SASL bind?


indeed


That option controls the security strength factor required for simple authentication, so I think if you remove it you're letting your users do simple binds, transmitting their passwords over the wire without any encryption. Are you sure you're still using TLS/SSL to protect simple binds?

ldapsearch by default uses SASL authentication; to force simple binds you must use the -x option.

Have you tried the solution I gave you in a previous post? In addition, you should change the TLS certs section of your slapd.conf to something like this:

TLSCACertificatePath    /etc/ssl/certs
TLSCertificateFile      /etc/openldap/servercert.pem
TLSCertificateKeyFile   /etc/openldap/serverkey.pem

   HTH, best regards
   Jose
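Added example, not code from this thread or from OpenLDAP: a small Python audit of the slapd.conf directives discussed above. It models the point Jose makes about `security simple_bind=64`: with that line removed (and no `security ssf=N`), slapd will accept simple binds that carry the password in cleartext, while a `security` line without a working TLS listener refuses every simple bind. It assumes classic slapd.conf syntax (not cn=config) and uses a constructed sample fragment.

```python
from typing import Dict, List

def parse_slapd_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive (lower-cased) to its argument strings; skips
    comments and joins whitespace-led continuation lines (slapd.conf rule)."""
    logical: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    directives: Dict[str, List[str]] = {}
    for line in logical:
        parts = line.split(None, 1)  # directive name, then the rest (tabs allowed)
        directives.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return directives

def security_factors(directives: Dict[str, List[str]]) -> Dict[str, int]:
    """'security simple_bind=64 ssf=1' -> {'simple_bind': 64, 'ssf': 1}."""
    factors: Dict[str, int] = {}
    for tok in " ".join(directives.get("security", [])).split():
        key, _, val = tok.partition("=")
        if val.isdigit():
            factors[key] = int(val)
    return factors

def audit_slapd_conf(text: str) -> List[str]:
    """Return findings about simple-bind protection; [] means nothing flagged."""
    d = parse_slapd_conf(text)
    f = security_factors(d)
    # simple_bind=N: strength factor a session must already have (e.g. from
    # TLS) before slapd accepts a simple bind; ssf=N applies to all operations.
    required = max(f.get("simple_bind", 0), f.get("ssf", 0))
    has_tls = "tlscertificatefile" in d and "tlscertificatekeyfile" in d
    findings = []
    if required == 0:
        findings.append("cleartext simple binds accepted: no security simple_bind=N or ssf=N")
    if not has_tls:
        findings.append("TLS unusable: TLSCertificateFile and TLSCertificateKeyFile both required")
    if required > 0 and not has_tls:
        findings.append(f"SSF {required} demanded but TLS cannot start: simple binds will all be refused")
    return findings

# Constructed sample: the directives quoted in the thread, with and without
# the 'security' line the earlier poster suggested removing.
WITH_SECURITY = """\
security simple_bind=64
TLSCACertificatePath\t/etc/ssl/certs
TLSCertificateFile /etc/openldap/servercert.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem
"""
WITHOUT_SECURITY = WITH_SECURITY.replace("security simple_bind=64\n", "")
```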