Openldap 2.4.40-13.el7 on CentOS 7 and SSL/TLS
- To: Openldap Technical <openldap-technical@openldap.org>
- Subject: Openldap 2.4.40-13.el7 on CentOS 7 and SSL/TLS
- From: Robert Heller <heller@deepsoft.com>
- Date: Fri, 22 Sep 2017 16:16:43 -0400 (EDT)
- Cc: centos@centos.org, Robert Heller <heller@deepsoft.com>
- Organization: Deepwoods Software
What is the *correct* way to set up Openldap to use SSL/TLS? The
documentation is somewhat confusing.
My cn=config.ldif file looks like this:
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCACertificateFile: /etc/openldap/certs/ca_cert.pem
olcTLSCertificateFile: /etc/openldap/certs/c764guest.cert
olcTLSCertificateKeyFile: /etc/openldap/certs/privkey.pem
structuralObjectClass: olcGlobal
entryUUID: 7e6a3298-30da-1037-9c4f-458bcc6c0ce0
creatorsName: cn=config
createTimestamp: 20170918163057Z
entryCSN: 20170918163057.597791Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20170918163057Z
In /etc/openldap/certs are these files:
[root@c764guest heller]# ls -l /etc/openldap/certs
total 104
-rw-r--r--. 1 root root 5137 Sep 22 14:42 c764guest.cert
-rw-r--r--. 1 root root 1074 Sep 22 14:37 c764guest.csr
-rw-r--r--. 1 root root 1696 Sep 22 14:18 ca-cert.pem
-rw-r--r--. 1 root root 65536 Sep 18 12:30 cert8.db
-rw-r--r--. 1 root root 16384 Sep 18 12:30 key3.db
-r--r-----. 1 root ldap 45 Jan 10 2016 password
-rw-r--r--. 1 root root 1834 Sep 22 14:37 privkey.pem
-rw-r--r--. 1 root root 16384 Jan 10 2016 secmod.db
/etc/sysconfig/slapd contains:
# OpenLDAP server configuration
# see 'man slapd' for additional information
# Where the server will run (-h option)
# - ldapi:/// is required for on-the-fly configuration using client tools
# (use SASL with EXTERNAL mechanism for authentication)
# - default: ldapi:/// ldap:///
# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
SLAPD_URLS="ldapi:/// ldap://127.0.0.1/ ldap://192.168.250.98/ ldaps:///"
# Any custom options
#SLAPD_OPTIONS="-s 128"
# Keytab location for GSSAPI Kerberos authentication
#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
/etc/openldap/ldap.conf contains:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=deepsoft,dc=com
URI ldaps://192.168.250.98/
TLS_CACERT /etc/openldap/certs/ca-cert.pem
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT demand
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/cacerts
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
But now when I try to do an ldapsearch I get:
[heller@c764guest ~]$ ldapsearch -x
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
even though:
[root@c764guest heller]# netstat -a|grep ldap
tcp 0 0 0.0.0.0:ldaps 0.0.0.0:* LISTEN
tcp 0 0 c764guest.deepsoft:ldap 0.0.0.0:* LISTEN
tcp 0 0 localhost:ldap 0.0.0.0:* LISTEN
tcp 0 0 c764guest.deepsof:33302 c764guest.deepsoft:ldap ESTABLISHED
tcp 0 0 c764guest.deepsoft:ldap c764guest.deepsof:33302 ESTABLISHED
tcp6 0 0 [::]:ldaps [::]:* LISTEN
Is this correct? I am not sure if I should be using ldaps:/// or not. And I
am not sure what the proper "magic" to get TLS working is.
--
Robert Heller -- 978-544-6933
Deepwoods Software -- Custom Software Services
http://www.deepsoft.com/ -- Linux Administration Services
heller@deepsoft.com -- Webhosting Services
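The following is an added example, not part of the original message and not OpenLDAP's own tooling: a small consistency check that a reviewer would run over the fragments posted above before touching the TLS settings. The cn=config attributes, the `ls -l` listing, ldap.conf and SLAPD_URLS are embedded as constructed sample input copied from the message. It reports the things that can be verified from the posted text alone: every file slapd is told to load must appear in the listing (the listing has ca-cert.pem, while olcTLSCACertificateFile names ca_cert.pem), the private key should not be world-readable but must still be readable by the service account (assumed here to be `ldap`, the CentOS 7 default), ldap.conf must not set TLS_CACERTDIR twice with different values (the later line replaces the earlier one), and the client URI scheme must have a matching listener in SLAPD_URLS. It also warns that with TLS_REQCERT demand an IP-literal URI host has to appear as an iPAddress subjectAltName in the server certificate, which cannot be confirmed from the listing.

```python
"""Consistency checks for an OpenLDAP TLS setup, run over pasted config text."""
import os.path
import re
from typing import Dict, List, Tuple

# Constructed sample input: the fragments posted in the message above.
CN_CONFIG_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCACertificateFile: /etc/openldap/certs/ca_cert.pem
olcTLSCertificateFile: /etc/openldap/certs/c764guest.cert
olcTLSCertificateKeyFile: /etc/openldap/certs/privkey.pem
"""
LS_OUTPUT = """\
-rw-r--r--. 1 root root 5137 Sep 22 14:42 c764guest.cert
-rw-r--r--. 1 root root 1074 Sep 22 14:37 c764guest.csr
-rw-r--r--. 1 root root 1696 Sep 22 14:18 ca-cert.pem
-rw-r--r--. 1 root root 65536 Sep 18 12:30 cert8.db
-rw-r--r--. 1 root root 16384 Sep 18 12:30 key3.db
-r--r-----. 1 root ldap 45 Jan 10 2016 password
-rw-r--r--. 1 root root 1834 Sep 22 14:37 privkey.pem
-rw-r--r--. 1 root root 16384 Jan 10 2016 secmod.db
"""
LDAP_CONF = """\
BASE dc=deepsoft,dc=com
URI ldaps://192.168.250.98/
TLS_CACERT /etc/openldap/certs/ca-cert.pem
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT demand
TLS_CACERTDIR /etc/openldap/cacerts
SASL_NOCANON on
"""
SLAPD_URLS = "ldapi:/// ldap://127.0.0.1/ ldap://192.168.250.98/ ldaps:///"
SERVICE_USER = "ldap"  # assumption: the account slapd runs as on CentOS 7

LS_RE = re.compile(r"^([-dl][rwxsStT-]{9})\.?\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$")


def parse_ldif(text: str) -> Dict[str, str]:
    """Single-entry LDIF -> {attribute: value}; no base64 or continuation lines."""
    attrs = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def parse_ls(text: str) -> Dict[str, Tuple[str, str, str]]:
    """`ls -l` lines -> {filename: (mode, owner, group)}."""
    files = {}
    for line in text.splitlines():
        m = LS_RE.match(line)
        if m:
            mode, owner, group, name = m.groups()
            files[name] = (mode, owner, group)
    return files


def parse_ldap_conf(text: str) -> List[Tuple[str, str]]:
    """ldap.conf -> ordered (KEY, value) pairs; duplicates are kept on purpose."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            pairs.append((key.upper(), value.strip()))
    return pairs


def audit(ldif: str, ls_text: str, ldap_conf: str, slapd_urls: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing obviously wrong."""
    findings = []
    attrs, files = parse_ldif(ldif), parse_ls(ls_text)

    # 1. Every file slapd is told to load must exist in the certificate directory.
    for attr in ("olcTLSCACertificateFile", "olcTLSCertificateFile", "olcTLSCertificateKeyFile"):
        path = attrs.get(attr)
        if path and os.path.basename(path) not in files:
            findings.append(f"{attr}: {path} is not in the directory listing")

    # 2. The private key must be readable by slapd's user but by nobody else.
    key = attrs.get("olcTLSCertificateKeyFile", "")
    if os.path.basename(key) in files:
        mode, owner, group = files[os.path.basename(key)]
        if mode[7] == "r":
            findings.append(f"{key}: private key is world-readable ({mode} {owner}:{group})")
        elif owner != SERVICE_USER and not (mode[4] == "r" and group == SERVICE_USER):
            findings.append(f"{key}: not readable by {SERVICE_USER} ({mode} {owner}:{group})")

    # 3. ldap.conf: conflicting duplicate keys (the later line wins) and CA file presence.
    seen: Dict[str, str] = {}
    for k, v in parse_ldap_conf(ldap_conf):
        if k in seen and seen[k] != v:
            findings.append(f"ldap.conf: {k} set twice ({seen[k]} then {v}); the later line wins")
        seen[k] = v
    cacert = seen.get("TLS_CACERT", "")
    if cacert and os.path.basename(cacert) not in files:
        findings.append(f"ldap.conf: TLS_CACERT {cacert} is not in the directory listing")

    # 4. The client URI scheme needs a matching listener; IP hosts need an iPAddress SAN.
    uri = seen.get("URI", "")
    scheme = uri.split(":", 1)[0]
    if scheme not in {u.split(":", 1)[0] for u in slapd_urls.split()}:
        findings.append(f"ldap.conf: URI uses {scheme}:// but SLAPD_URLS has no such listener")
    host = re.sub(r"^\w+://", "", uri).rstrip("/")
    if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", host) and seen.get("TLS_REQCERT") == "demand":
        findings.append(f"URI host {host} is an IP literal; with TLS_REQCERT demand the server "
                        "certificate must carry it as an iPAddress subjectAltName")
    return findings


if __name__ == "__main__":
    for finding in audit(CN_CONFIG_LDIF, LS_OUTPUT, LDAP_CONF, SLAPD_URLS):
        print("-", finding)
```

Run it as-is to see the findings for the posted configuration; once the filename, key permissions and duplicate TLS_CACERTDIR are corrected and the URI names the host the certificate was issued to, the list comes back empty. The check deliberately reads only pasted text, so it says nothing about whether the certificate chain actually verifies; that still needs `openssl verify` against the CA and a TLS handshake against the ldaps listener.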