Re: OpenLDAP w/ TLS/SSL connection setup on dynamic hosts
"Luke St.Clair" <clairst@uiuc.edu> writes:
> Is there any way to set up SSL/TLS connections (no client
> verification/authentication, just encryption of the data stream) to an
> openldap host whose IP address changes?
Yes
> I've created a self-signed cert, with the correct FQDN placed in the
> certificate. I use dyndns.org to update by hostname, so though it is
> dynamic, it is correct. However, I can't control my reverse DNS, and
> currently, even though I have the CA Cert I used to self-sign my cert
> with on the client machine, with TLS_REQCERT allow, and TLS_CACERT
> pointing to a local copy of the cert, when I try to use ldapsearch to
> the machine, i get:
>
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> additional info: TLS: hostname does not match CN in peer
> certificate
>
> What i'm wondering is if this is even possible if you can't control the
> reverse DNS, or if i've just messed something up along the way.
>
> I've included, in my slapd.conf:
>
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile /etc/ssl/certs/slapd-cert.pem
> TLSCACertificateFile /etc/ssl/certs/slapd-cert.pem
> TLSCertificateKeyFile /etc/ssl/private/slapd-key.pem
> TLSVerifyClient never
What you want is a TLS session without integrity check, that is just
transport encryption.
,----[ slapd.conf ]
| TLSCertificateFile /path/to/host-cert.pem
| TLSCertificateKeyFile /path/to/host-key.pem
`----
,----[ ldap.conf ]
| TLS_REQCERT never
`----
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:01443B53
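The error Luke quotes comes from the client comparing the name it connected to against the names in the server's certificate. The following is an added example, not code from this thread and not OpenLDAP's own implementation: it models that comparison using the usual RFC 6125 rules (an IP literal matches only an iPAddress SAN, a DNS name matches dNSName SANs or, failing those, the CN, wildcards only as a whole left-most label) and shows what `TLS_REQCERT never` changes. The certificate fields and host names (`ldap.example.net`, `203.0.113.7`) are constructed for illustration. The model shows two things worth knowing before choosing `never`: reverse DNS of the server's address is never consulted, so a dynamic address is not itself the problem as long as the client connects by the FQDN in the certificate rather than by IP; and `never` makes the mismatch disappear only because the client stops checking the server's identity at all, so the stream is encrypted but any host answering on that port is accepted.

```python
# Added example (not from the original thread, not OpenLDAP's code):
# the name-matching rule behind
# "TLS: hostname does not match CN in peer certificate",
# and what TLS_REQCERT never does to it.
# All certificate contents and host names below are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass
class PeerCert:
    """Identity fields of a server certificate relevant to name checking."""
    subject_cn: str
    dns_sans: tuple = ()   # subjectAltName dNSName entries
    ip_sans: tuple = ()    # subjectAltName iPAddress entries


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one certificate DNS name against the target.
    A single '*' is accepted only as the whole left-most label and only when
    at least two fixed labels follow it (RFC 6125 style)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(target: str, cert: PeerCert) -> bool:
    """Does the name the client connected to match the certificate?

    - An IP literal is compared only with iPAddress SANs; it never matches
      a DNS name or the CN, so connecting by address fails for a CN-only cert.
    - A DNS name is compared with dNSName SANs; the CN is consulted only
      when the certificate carries no dNSName SAN at all.
    The reverse DNS of the server's address plays no part in the check.
    """
    try:
        addr = ipaddress.ip_address(target.strip("[]"))
    except ValueError:
        addr = None
    if addr is not None:
        return any(addr == ipaddress.ip_address(ip) for ip in cert.ip_sans)
    candidates = cert.dns_sans if cert.dns_sans else (cert.subject_cn,)
    return any(_dns_name_matches(name, target) for name in candidates)


def start_tls(target: str, cert: PeerCert, tls_reqcert: str) -> tuple:
    """Model the client-side name check under two TLS_REQCERT settings.
    'never' skips certificate checking entirely (ldap.conf(5)), so the
    session proceeds whatever the certificate says; 'demand' (the default)
    refuses the session on a name mismatch.  Returns (proceed, reason)."""
    if tls_reqcert == "never":
        return True, "encrypted, but the peer's identity was not checked"
    if hostname_matches(target, cert):
        return True, "encrypted, peer name verified"
    return False, "TLS: hostname does not match CN in peer certificate"


if __name__ == "__main__":
    # Constructed certificate: CN set to the dynamic-DNS name, no SANs,
    # i.e. the shape of the self-signed cert described in the thread.
    cert = PeerCert(subject_cn="ldap.example.net")
    for target in ("ldap.example.net", "203.0.113.7"):
        for level in ("demand", "never"):
            ok, why = start_tls(target, cert, level)
            print(f"{target:18} TLS_REQCERT {level:6} -> {ok}: {why}")
```

Running it prints that the FQDN passes under `demand` while the bare address fails, and that `never` reports success for both, with the reason string making clear that no identity was verified in the second case. Real OpenLDAP clients may differ in detail from this model (for instance in how intermediate `TLS_REQCERT` levels treat a name mismatch); the point is the rule, not the library internals.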