open LDAP + TLS/SSL mini draft howto
Vijay,
This may help.
Check that each file is properly readable
Best
---
Olivier
---------- Forwarded message ----------
From: Olivier <ldap@guillard.nom.fr>
Date: Thu, Aug 11, 2011 at 2:23 PM
Subject: tls extra mini howto
To: openldap-technical@openldap.org
Having spent quite some time making TLS work,
I thought this may be useful to some:
1/ Create a self-signed CA certificate :
a/ create the CA.key private key :
$ openssl genrsa -des3 -out CA.key 1024
b/ create the CA.crt certificate :
$ openssl req -new -key CA.key -x509 -days 1095 -out CA.crt
2/ for each ldap server (if you have more than one)
create a certificate :
a/ create the server.key private key :
openssl genrsa -out server.key
b/ create a server.csr certificate request:
openssl req -new -key server.key -out server.csr
c/ create the server.crt certificate signed by your own CA :
openssl x509 -req -days 2000 -in server.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out server.crt
3/ configure slapd.conf (the correct "server.key" and "server.crt"
files must be copied to each server):
TLSCACertificateFile /etc/openldap/cacerts/CA.crt
TLSCertificateFile /etc/openldap/cacerts/server.crt
TLSCertificateKeyFile /etc/openldap/cacerts/server.key
TLSCipherSuite HIGH:MEDIUM:+SSLv2
# personally, I only check servers from the client.
# If you do, add this :
TLSVerifyClient never
4/ on clients :
copy CA.crt to the right place (normally it should be somewhere
in /etc/pki..), and add this in ldap.conf :
TLS_CACERT /etc/openldap/cacerts/CA.crt
If you use sssd, add this in /etc/sssd/sssd.conf :
ldap_tls_cacert = /etc/openldap/cacerts/CA.crt
ldap_tls_reqcert = demand
Then you can test using ldapsearch with -Z
Best
---
Olivier
NOTE : I haven't been able to make it work with mozilla certutil
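Steps 1 and 2 of the forwarded howto as a non-interactive shell script, added here as an example and not part of Olivier's mail. It assumes a throwaway work directory, the example hostname ldap1.example.test, and unencrypted 2048-bit keys in place of the mail's -des3 1024-bit CA key; it then runs the same chain check a client with TLS_CACERT set will perform, and reads back the CN so it can be compared with the name clients connect to.

```shell
#!/bin/sh
# Added example, not from the original mail. WORKDIR and the hostname
# are assumptions; override them in the environment if needed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOSTNAME_FQDN="${HOSTNAME_FQDN:-ldap1.example.test}"

make_ca() {
    # Step 1: CA private key and self-signed CA certificate (1095 days).
    # The mail encrypts CA.key with -des3; here it stays unencrypted so
    # the script runs without prompts.
    openssl genrsa -out "$WORKDIR/CA.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/CA.key" -x509 -days 1095 \
        -subj "/CN=Example LDAP CA" -out "$WORKDIR/CA.crt"
}

make_server_cert() {
    # Step 2: server key, CSR, and certificate signed by our own CA.
    # The CN must be the name clients use to reach the server, otherwise
    # a client configured with ldap_tls_reqcert = demand rejects it.
    openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/server.key" \
        -subj "/CN=$HOSTNAME_FQDN" -out "$WORKDIR/server.csr"
    openssl x509 -req -days 2000 -in "$WORKDIR/server.csr" \
        -CA "$WORKDIR/CA.crt" -CAkey "$WORKDIR/CA.key" -CAcreateserial \
        -out "$WORKDIR/server.crt" 2>/dev/null
    # Only the slapd user needs to read the private key.
    chmod 600 "$WORKDIR/server.key"
}

verify_chain() {
    # Does server.crt chain to CA.crt? This is what a client with
    # TLS_CACERT / ldap_tls_cacert pointing at CA.crt checks. Prints ok/FAIL.
    if openssl verify -CAfile "$WORKDIR/CA.crt" "$WORKDIR/server.crt" >/dev/null 2>&1
    then echo ok
    else echo FAIL
    fi
}

cert_cn() {
    # CN of server.crt, for comparison with the hostname in ldap.conf URIs.
    openssl x509 -in "$WORKDIR/server.crt" -noout -subject \
        | sed -n 's/.*CN *= *//p'
}
```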