
Re: TLS/SSL and self-signed certificates



Rick Stevens <rps2@socal.rr.com> writes:

> Dieter Kluenter wrote:
>> Rick Stevens <rps2@socal.rr.com> writes:
>>
>>> Dieter Kluenter wrote:
[...]
>> This is only the content of slapd.conf, the relevant content of
>> ldap.conf(5) is still missing, ldapsearch requires at least the path
>> to CA, further information on the level of certificate checks and the
>> preferred cipher suites are recommended options.
>
> Terribly sorry, misread your message.  I had posted my ldap.conf before,
> but here it is again:
>
> 	host 192.168.1.53
> 	base dc=eqspeed,dc=com
> 	rootbinddn uid=sysman,ou=people,dc=eqspeed,dc=com
> 	timelimit 15
> 	bind_timelimit 10
> 	bind_policy soft
> 	pam_lookup_policy yes
> 	pam_password clear_remove_old
> 	nss_base_passwd		ou=People,dc=eqspeed,dc=com?one
> 	nss_base_shadow		ou=People,dc=eqspeed,dc=com?one
> 	nss_base_group		ou=Group,dc=eqspeed,dc=com?one
> 	nss_base_hosts		ou=Hosts,dc=eqspeed,dc=com?one
> 	ssl start_tls
> 	ssl on
> 	#tls_cacertdir /etc/openldap/cacerts
> 	tls_cacertfile /etc/openldap/cacerts/allcerts.pem
> 	tls_reqcert never

That's what I thought, this is the wrong ldap.conf, read man
ldap.conf(5).

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
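
Added example, not part of the original message: a small Python check of a client config file against option names from OpenLDAP's ldap.conf(5), covering the items named in the quoted reply (path to the CA, level of certificate checks, cipher suites). The option set is a subset, the finding labels are this example's own names, and POSTED is the quoted file with three of the nss_base_* lines left out.

```python
# Subset of the (case-insensitive) option names documented in ldap.conf(5).
LIBLDAP_OPTIONS = {
    "URI", "BASE", "BINDDN", "HOST", "PORT", "DEREF", "REFERRALS",
    "SIZELIMIT", "TIMELIMIT", "TIMEOUT", "NETWORK_TIMEOUT",
    "TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT", "TLS_KEY",
    "TLS_CIPHER_SUITE", "TLS_REQCERT", "TLS_CRLCHECK",
}

# Sample input: the file quoted in the message above (abridged).
POSTED = """\
host 192.168.1.53
base dc=eqspeed,dc=com
rootbinddn uid=sysman,ou=people,dc=eqspeed,dc=com
timelimit 15
bind_timelimit 10
bind_policy soft
pam_lookup_policy yes
pam_password clear_remove_old
nss_base_passwd ou=People,dc=eqspeed,dc=com?one
ssl start_tls
ssl on
#tls_cacertdir /etc/openldap/cacerts
tls_cacertfile /etc/openldap/cacerts/allcerts.pem
tls_reqcert never
"""

def parse(text):
    """Return [(OPTION, value)] for non-blank, non-comment lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts and not parts[0].startswith("#"):
            rows.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
    return rows

def lint(text):
    """Map finding label -> detail; empty dict means nothing was flagged."""
    rows = parse(text)
    names = {n for n, _ in rows}
    found = {
        "not-in-ldap.conf(5)": sorted(names - LIBLDAP_OPTIONS),
        "no-ca-path": not names & {"TLS_CACERT", "TLS_CACERTDIR"},
        "weak-reqcert": [v for n, v in rows
                         if n == "TLS_REQCERT" and v.lower() in ("never", "allow")],
        "no-cipher-suite": "TLS_CIPHER_SUITE" not in names,
    }
    return {k: v for k, v in found.items() if v}
```

Running lint(POSTED) flags the pam_*/nss_*/ssl/tls_cacertfile names as outside the subset, the absence of TLS_CACERT or TLS_CACERTDIR, and tls_reqcert never, which turns server certificate checking off.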