
first posting, question on ssl/tls configuration



Hi,

I am trying to configure a FreeBSD 5.3-RELEASE machine to be an LDAP
server. I am having difficulties with the SSL/TLS part. I have googled
and read documentation for hours, so any help would be much
appreciated. I went to the FAQ (which I discuss at the bottom of the
post) and I would greatly appreciate any help or a pointer in the right
direction before I tear all my hair out. Thanks!

Can someone share why LDAP without TLS is insecure and whether it's a major
security risk, or explain briefly the difference? My understanding is
that many people use LDAP without using SSL/TLS?


I installed openldap22-client, openldap22-server, nss_ldap and pam_ldap
through ports.

I can get a machine that is *not* the LDAP server to search the LDAP directory:

        [user@notservercompute ~]$ ldapsearch -h tux
        # extended LDIF
        # search result
        search: 2
        result: 32 No such object
        # numResponses: 1

    but when I try to access it through the secure port, it fails:

         [usern@notservercompute ~]$ ldapsearch -h tux -p 636
          ldap_bind: Can't contact LDAP server (81)

I start slapd in the following way:

tux# /usr/local/libexec/slapd -f /usr/local/etc/openldap/slapd.conf -h
"ldaps:/// ldap:///";

Am I generating the certificates incorrectly? According to the O'Reilly
"LDAP System Administration" book I used:

    #CA.pl -newcert

I generated the certificate, but it didn't seem to work, and slapd would
actually not start if I added the certificate information.

I read on http://www.openldap.org/faq/data/cache/185.html (the FAQ)
about generating certificates, so I tried using CA.sh, but I got some
error messages because I'm an idiot and didn't run "CA.sh -newca"
first. Now CA.sh won't execute at all. Is there a way to reset
CA.sh, or any reason it's broken?

What needs to be done on the client side for the connection to be
secure? What am I doing so horribly wrong when generating the
certificates? Do I need to generate certificates on each client as well
and then add them to the client's ldap.conf file?

THANKS! I'm desperate!

_panda
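An added example, not from the original post, on the "why is LDAP without TLS insecure" question: it builds a simple BindRequest PDU the way an LDAP client sends it over plain ldap:// (port 389) and decodes it again, showing that the bind DN and password travel in the clear in the TCP payload; over ldaps:// or STARTTLS the same PDU is wrapped in a TLS record and is not readable by anyone on the path. The DN and password are made up, and the parser handles only what this demonstration needs (definite-length BER, simple authentication).

```python
# Constructed example: a plaintext LDAPv3 simple bind as it appears on the wire.
# Values (DN, password, message id) are invented for illustration.

def tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV (definite length, short or long form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + value

def encode_simple_bind(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind_req = tlv(0x02, bytes([3])) + tlv(0x04, bind_dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x60, bind_req))

def ber_tlv(buf: bytes, pos: int = 0):
    """Decode one BER TLV starting at pos; returns (tag, value, next_pos). LDAP never uses indefinite length."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def ber_children(value: bytes):
    """Split a constructed element's contents into its child (tag, value) pairs."""
    pos, items = 0, []
    while pos < len(value):
        tag, val, pos = ber_tlv(value, pos)
        items.append((tag, val))
    return items

def parse_simple_bind(pdu: bytes) -> dict:
    """Recover what a passive observer sees in an unencrypted simple bind."""
    tag, body, _ = ber_tlv(pdu)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    (_, mid), (op_tag, op) = ber_children(body)[:2]      # ignore optional controls
    if op_tag != 0x60:
        raise ValueError("not a BindRequest ([APPLICATION 0])")
    (_, ver), (_, name), (auth_tag, auth) = ber_children(op)
    if auth_tag != 0x80:
        raise ValueError("not a simple bind (SASL or unknown authentication choice)")
    return {"message_id": int.from_bytes(mid, "big"), "version": int.from_bytes(ver, "big"),
            "bind_dn": name.decode(), "password": auth.decode()}   # password is plaintext on ldap://

# Constructed capture of what the client would send on port 389 without TLS.
CAPTURED_BIND = encode_simple_bind(1, "cn=admin,dc=example,dc=com", "hunter2")
```

With TLS (ldaps:// or StartTLS) the bytes on the wire are a TLS application-data record, and this parser, like any observer, would see only ciphertext.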