[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: openldap on Centos 5.1 with TLS



My advice, from a novice user stand point, is to get everything working
without TLS first.  Make sure your systems can authenticate and
everything is functioning.  If your environment is not secure, then
build a test environment (resources pending).

Once you have done this, then work on TLS.  

In my ldap.conf file, I have an entry like this:

TLS_CACERTDIR /etc/openldap/cacerts

In this directory I put a file called ca.crt, which is my certificate of
authority if I am not mistaken.  

On the server in my slapd.conf file, I put the following entries:

TLSCertificateFile /etc/openldap/cacerts/serverhostname.local.crt
TLSCertificateKeyFile /etc/openldap/cacerts/serverhostname.local.key
TLSCACertificateFile /etc/openldap/cacerts/ca.crt
TLSVerifyClient never

Make sure your server certificate's CN is the same as the hostname of
your LDAP server.  As far as I understand, you need this in order for
TLS to work correctly (Someone correct me if I am wrong).  

That should be it.  You should have TLS working.  Fire up your favorite
packet scanner, ngrep, wireshark and test to make sure the data is
encrypted.  You can also use openssl client to connect the ldap server
and see if TLS is working too.

Are you having a specific problem?  The documentation seems pretty clear
on how to set this up.  BTW, I am using CENTOS 5.1/4.6 in my environment
and I have had really good luck with LDAP.  We used to be a NIS
environment about a year ago.  



-  
Randall Svancara
Systems Administrator
509-335-7093


On Tue, 2008-04-01 at 23:01 +0200, David HlÃÄik wrote:
> Hi, sorry for the stupid question,
>  
> but however i am following all howtos and tutorials it is not working
>  
> 1) i have created CA certificate - /etc/pki/tls/misc/CA -newca
> 2) i have generated a new request - /etc/pki/tls/misc/CA -newreq
> 3) i have signed certificate /etc/pki/tls/misc/CA -signreq
>  
> SO i have CA in /etc/pki/CA
> i have newkey.pem
> i have newcert.pem
> i have also cealrkey.pem (without passphrase) 
> 
> $ openssl rsa < newkey.pem > clearkey.pem
> 
> What to do next?? What to put in slapd.conf in order to make it work??
> What to put in ldap.conf in order to communicate
> 
> Really thanks in advance!!
> 
> David
> 
>