[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: clarification on ldap with ssl/tls

To: <openldap-technical@openldap.org>
Subject: Re: clarification on ldap with ssl/tls
From: Hallvard Breien Furuseth <h.b.furuseth@usit.uio.no>
Date: Tue, 23 Apr 2013 06:56:48 +0200
In-reply-to: <0971982CF6B9AB418FFD5FEF7F50CB9F05E0A1A3@IAD-WPRD-XCHB03.corp.verio.net>
References: <0971982CF6B9AB418FFD5FEF7F50CB9F05E0A1A3@IAD-WPRD-XCHB03.corp.verio.net>
User-agent: Roundcube Webmail/hz/2m6f.frs/uio-1

On 2013-04-22 21:40, Rodney Simioni wrote:

Hi,

I've been tasked to enable ssl/tls on ldap. The server already has a
certificate and key file. After looking at documentation, these are
the three files that are needed

In the ldap.conf file:

TLSCertificateFile /etc/openldap/servercrt.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem
TLSCACertificateFile /etc/openldap/cacert.pem


Those are for slapd.conf (old-style server config), not for
ldap.conf (client config).  In ldap.conf, use TLS_CACERT or maybe
TLS_CACERTDIR.  See man ldap.conf.

Do *not* give the keyfile to clients.  If anyone gets hold of it,
they can impersonate the server.  If anyone may have gotten hold
of it, revoke the certificate and get a new one.  Just like you
must switch password if your password gets into the wrong hands.

I already have the TLSCertificateFile and TLSCertificateKeyFile but I
don't have the TLSCACertificateFile. Is that something I have to
generate?


No.  You received it along with your certificate.  It's the
certificate which signed it.  This is the one you put in
ldap.conf:TLS_CACERT, so clients can verify your certificate.

Without it, clients can't verify - which means they don't know
if they have a connection to your server or to a hostile one.

--
Hallvard

References:
- clarification on ldap with ssl/tls
  - From: "Rodney Simioni" <rodney.simioni@verio.net>

Prev by Date: Re: clarification on ldap with ssl/tls
Next by Date: hdb and mdb have different search results/behaviour
Index(es):
- Chronological
- Thread