Re: clarification on ldap with ssl/tls
On 2013-04-22 21:40, Rodney Simioni wrote:
> Hi,
> I've been tasked to enable ssl/tls on ldap. The server already has a
> certificate and key file. After looking at documentation, these are
> the three files that are needed.
> In the ldap.conf file:
> TLSCertificateFile /etc/openldap/servercrt.pem
> TLSCertificateKeyFile /etc/openldap/serverkey.pem
> TLSCACertificateFile /etc/openldap/cacert.pem
Those are for slapd.conf (old-style server config), not for
ldap.conf (client config). In ldap.conf, use TLS_CACERT or maybe
TLS_CACERTDIR. See man ldap.conf.
Do *not* give the key file to clients. If anyone gets hold of it,
they can impersonate the server. If anyone may have gotten hold
of it, revoke the certificate and get a new one. Just like you
must change your password if it gets into the wrong hands.
> I already have the TLSCertificateFile and TLSCertificateKeyFile but I
> don't have the TLSCACertificateFile. Is that something I have to
> generate?
No. You received it along with your certificate. It's the
certificate which signed it. This is the one you put in
ldap.conf:TLS_CACERT, so clients can verify your certificate.
Without it, clients can't verify - which means they don't know
if they have a connection to your server or to a hostile one.
--
Hallvard