Re: OpenLDAP w/ TLS/SSL connection setup on dynamic hosts

["Dieter Kluenter" <dieter@dkluenter.de>]

"Luke St.Clair" <clairst@uiuc.edu> writes:

> Is there any way to set up SSL/TLS connections (no client
> verification/authentication, just encryption of the data stream) to an
> openldap host whose IP address changes?

Yes

> I've created a self-signed cert, with the correct FQDN placed in the
> certificate.  I use dyndns.org to update by hostname, so though it is
> dynamic, it is correct.  However, I can't control my reverse DNS, and
> currently, even though I have the CA Cert I used to self-sign my cert
> with on the client machine, with TLS_REQCERT allow, and TLS_CACERT
> pointing to a local copy of the cert, when I try to use ldapsearch to
> the machine, i get:
>
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>         additional info: TLS: hostname does not match CN in peer
> certificate
>
> What i'm wondering is if this is even possible if you can't control the
> reverse DNS, or if i've just messed something up along the way.
>
> I've included, in my slapd.conf:
>
> TLSCipherSuite             HIGH:MEDIUM:+SSLv2
> TLSCertificateFile         /etc/ssl/certs/slapd-cert.pem
> TLSCACertificateFile    /etc/ssl/certs/slapd-cert.pem
> TLSCertificateKeyFile      /etc/ssl/private/slapd-key.pem
> TLSVerifyClient never

What you want is a TLS session without integrity check, that is just
transport encryption.

,----[ slapd.conf ]
| TLSCertificateFile      /path/to/host-cert.pem
| TLSCertificateKeyFile   /path/to/host-key.pem
`----

,----[ ldap.conf ]
| TLS_REQCERT never
`----

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:01443B53