
Re: clarification on ldap with ssl/tls



On 2013-04-22 21:40, Rodney Simioni wrote:
> Hi,
>
> I've been tasked to enable ssl/tls on ldap. The server already has a
> certificate and key file. After looking at documentation, these are
> the three files that are needed
>
> In the ldap.conf file:
>
> TLSCertificateFile /etc/openldap/servercrt.pem
> TLSCertificateKeyFile /etc/openldap/serverkey.pem
> TLSCACertificateFile /etc/openldap/cacert.pem

Those are for slapd.conf (old-style server config), not for
ldap.conf (client config).  In ldap.conf, use TLS_CACERT or maybe
TLS_CACERTDIR.  See man ldap.conf.

Do *not* give the keyfile to clients.  If anyone gets hold of it,
they can impersonate the server.  If anyone may have gotten hold
of it, revoke the certificate and get a new one.  Just like you
must change your password if it gets into the wrong hands.

> I already have the TLSCertificateFile and TLSCertificateKeyFile but I
> don't have the TLSCACertificateFile. Is that something I have to
> generate?

No.  You received it along with your certificate.  It's the
certificate which signed it.  This is the one you put in
ldap.conf:TLS_CACERT, so clients can verify your certificate.

Without it, clients can't verify - which means they don't know
if they have a connection to your server or to a hostile one.

--
Hallvard
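As an added example (not part of this thread, and not OpenLDAP's own tooling): a small Python linter for the mix-up discussed above. It parses the OpenLDAP conf format, flags slapd.conf directives placed in ldap.conf (and vice versa), warns when a client config references the server's private key or cannot verify the server certificate, and runs over a constructed copy of the fragment from the question. The directive names are taken from slapd.conf(5) and ldap.conf(5); the sample config is constructed for the example.

```python
# Directive names from slapd.conf(5) (server) and ldap.conf(5) (client).
SERVER_ONLY = {"tlscertificatefile", "tlscertificatekeyfile",
               "tlscacertificatefile", "tlscacertificatepath"}
CLIENT_ONLY = {"tls_cacert", "tls_cacertdir", "tls_reqcert"}

def parse_conf(text):
    """Parse OpenLDAP conf: '#' comments, 'Directive value', and a line
    starting with whitespace continues the previous directive."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and entries:  # continuation line
            name, value = entries[-1]
            entries[-1] = (name, f"{value} {raw.strip()}")
            continue
        parts = raw.split(None, 1)
        entries.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return entries

def lint(text, role):
    """Return findings for a config meant as 'client' (ldap.conf) or
    'server' (slapd.conf). Directive names compare case-insensitively."""
    entries = parse_conf(text)
    present = {name for name, _ in entries}
    findings = []
    if role == "client":
        for name, value in entries:
            if name in SERVER_ONLY:
                findings.append(f"{name}: slapd.conf directive, not valid in ldap.conf")
            if name == "tlscertificatekeyfile":
                findings.append("server private key referenced in a client config: "
                                "if it reached clients, revoke and reissue the certificate")
            if name == "tls_reqcert" and value.lower() in ("never", "allow"):
                findings.append(f"TLS_REQCERT {value}: server certificate is not verified")
        if not present & {"tls_cacert", "tls_cacertdir"}:
            findings.append("no TLS_CACERT/TLS_CACERTDIR: clients cannot verify the server")
    else:
        for name, _ in entries:
            if name in CLIENT_ONLY:
                findings.append(f"{name}: ldap.conf directive, not valid in slapd.conf")
        if ("tlscertificatefile" in present) != ("tlscertificatekeyfile" in present):
            findings.append("TLSCertificateFile and TLSCertificateKeyFile must be set together")
    return findings

# Constructed sample: the fragment from the question, placed in ldap.conf.
QUESTION_FRAGMENT = ("TLSCertificateFile /etc/openldap/servercrt.pem\n"
                     "TLSCertificateKeyFile /etc/openldap/serverkey.pem\n"
                     "TLSCACertificateFile /etc/openldap/cacert.pem\n")
```

Run `lint(QUESTION_FRAGMENT, "client")` to see the five findings for the original fragment; the same text passes cleanly as a server config, and a client config consisting of `TLS_CACERT /etc/openldap/cacert.pem` produces none.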