[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: no TLS connections

To: fabrice.eudes@free.fr
Subject: Re: no TLS connections
From: Howard Chu <hyc@symas.com>
Date: Wed, 18 Apr 2007 13:35:51 -0700
Cc: openldap-software@openldap.org
In-reply-to: <46268D91.20309@free.fr>
References: <46268D91.20309@free.fr>
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9a4pre) Gecko/20070409 SeaMonkey/1.5a

Fabrice Eudes wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello everybody,
				
I am quite new to ldap and i am testing locally before setting up a new
server. Unencrypted connections are all right but i have no success with
TLS connections.

My box, a laptop, is a Debian Etch, the openldap version is 2.3.30 (the
packages installed are ldap-utils, libldap-2.3-0, libldap2 and slapd).

If needed, i can give more details, but basically i followed these steps:
1) a. set up a local certification authority (CA)
   b. created a certificate for the ldap server, signed by my CA; I took
care that the Common Name is the server FQDN.
2) a. In /etc/default/slapd, i wrote
SLAPD_SERVICES="ldap://arwen.grenier.ambre:389/
ldaps://arwen.grenier.ambre:636/" (where arwen.grenier.ambre is my
laptop FQDN)
   b. In /etc/ldap/slapd.conf, accordingly to where my files are, i wrote:
	TLSCACertificateFile    /etc/ldap/certificates/cacert.pem
	TLSCertificateFile      /etc/ldap/certificates/servercert.pem
	TLSCertificateKeyFile   /etc/ldap/certificates/serverkey.pem
	TLSVerifyClient         never
   c. In /etc/ldap/ldap.conf, i wrote:
	TLS_CACERT      /etc/ldap/certificates/cacert.pem
	TLS_REQCERT     never

I have read in openldap admin guide that the TLS_REQCERT default value
is "demand" but it isn't compulsory is it ?

If you want to have actual security, you should leave it at the default setting. I.e., don't change the TLS_REQCERT setting unless you know what you're doing.

the request Â ldapsearch -H ldap://arwen.grenier.ambre -x -D
"cn=root,dc=irem,dc=univ-lille1,dc=fr" -w secret -ZZ Â seems all right
as it returns all the directory entries but in syslog (i put Âloglevel
15Â in slapd.conf) i have the following (i added some comments to easily
spot the possible errors):


None of the items you point out in the log are errors.

I am quite sure that my setup is not totally correct as, for instance, i
successfully connect to the directory from phpLDAPadmin web interface
without TLS, but can't connect with TLS (or ldaps).

And another question :-)
What's the story with TLS_CIPHER_SUITE in ldap.conf, and TLSCipherSuite
in slapd.conf ? Do they have to be set to some value ? When i read the
admin guide, i don't understand if there is a default value or not, and
there is nothing concerning these directives in the Faq-O-Matic TLS entry.

The default value depends on how your OpenSSL library was built. Read the OpenSSL documentation for more details.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/

Follow-Ups:
- Re: no TLS connections
  - From: Fabrice Eudes <fabrice.eudes@free.fr>

References:
- no TLS connections
  - From: Fabrice Eudes <fabrice.eudes@free.fr>

Prev by Date: Re: Server Certificate Chain
Next by Date: Re: Server Certificate Chain
Index(es):
- Chronological
- Thread