Hello everybody,
I am quite new to LDAP and I am testing locally before setting up a new
server. Unencrypted connections are all right, but I have no success with
TLS connections.
My box, a laptop, is a Debian Etch; the OpenLDAP version is 2.3.30 (the
packages installed are ldap-utils, libldap-2.3-0, libldap2 and slapd).
If needed, I can give more details, but basically I followed these steps:
1) a. Set up a local certification authority (CA).
b. Created a certificate for the LDAP server, signed by my CA; I took
care that the Common Name is the server FQDN.
2) a. In /etc/default/slapd, I wrote
SLAPD_SERVICES="ldap://arwen.grenier.ambre:389/ ldaps://arwen.grenier.ambre:636/"
(where arwen.grenier.ambre is my laptop FQDN)
b. In /etc/ldap/slapd.conf, according to where my files are, I wrote:
TLSCACertificateFile /etc/ldap/certificates/cacert.pem
TLSCertificateFile /etc/ldap/certificates/servercert.pem
TLSCertificateKeyFile /etc/ldap/certificates/serverkey.pem
TLSVerifyClient never
c. In /etc/ldap/ldap.conf, I wrote:
TLS_CACERT /etc/ldap/certificates/cacert.pem
TLS_REQCERT never
I have read in the OpenLDAP admin guide that the TLS_REQCERT default value
is "demand", but it isn't compulsory, is it?
The request ldapsearch -H ldap://arwen.grenier.ambre -x -D
"cn=root,dc=irem,dc=univ-lille1,dc=fr" -w secret -ZZ seems all right,
as it returns all the directory entries, but in syslog (I put "loglevel
15" in slapd.conf) I have the following (I added some comments to easily
spot the possible errors):
And another question :-)
What's the story with TLS_CIPHER_SUITE in ldap.conf and TLSCipherSuite
in slapd.conf? Do they have to be set to some value? When I read the
admin guide, I don't understand if there is a default value or not, and
there is nothing concerning these directives in the Faq-O-Matic TLS entry.
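As an added example (my own code, not from the original post or the OpenLDAP project), a small Python audit of the ldap.conf and slapd.conf TLS directives quoted above: it parses each file, flags a TLS_REQCERT value that skips server-certificate checking, and reports when TLSCipherSuite is left to the library default. The two sample configs are constructed copies of the post's lines; the finding wording is my own.

```python
# Constructed sample input copying the post's directives (assumption: single-line
# "directive value" entries only, no slapd.conf continuation lines).
LDAP_CONF = """\
TLS_CACERT /etc/ldap/certificates/cacert.pem
TLS_REQCERT never
"""
SLAPD_CONF = """\
TLSCACertificateFile /etc/ldap/certificates/cacert.pem
TLSCertificateFile /etc/ldap/certificates/servercert.pem
TLSCertificateKeyFile /etc/ldap/certificates/serverkey.pem
TLSVerifyClient never
"""

def parse_directives(text):
    """Map DIRECTIVE (upper-cased) -> value, skipping blank lines and # comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        out[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return out

def audit_client(conf):
    """ldap.conf: does the client actually verify the server certificate?"""
    d = parse_directives(conf)
    findings = []
    # "demand" is the documented default when TLS_REQCERT is absent.
    reqcert = d.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not checked, "
                        "so an impersonated server is accepted; use demand (the default)")
    if "TLS_CACERT" not in d and "TLS_CACERTDIR" not in d:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: no trust anchor to validate the server chain")
    return findings

def audit_server(conf):
    """slapd.conf: certificate material present and cipher policy explicit?"""
    d = parse_directives(conf)
    findings = []
    for key in ("TLSCACertificateFile", "TLSCertificateFile", "TLSCertificateKeyFile"):
        if key.upper() not in d:
            findings.append(f"{key} missing: slapd cannot offer TLS without it")
    # TLSVerifyClient governs client certificates only; "never" (the default) is not flagged.
    if "TLSCIPHERSUITE" not in d:
        findings.append("TLSCipherSuite unset: the TLS library's default cipher list applies; "
                        "set it explicitly to pin an acceptable policy")
    return findings
```

Run against the post's two files it reports exactly the TLS_REQCERT never line for the client and the absent TLSCipherSuite for the server; everything else in the post's configuration passes.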