Fabrice Eudes wrote:
Hello everybody, I am quite new to LDAP and I am testing locally before setting up a new server. Unencrypted connections are all right, but I have no success with TLS connections.
My box, a laptop, is a Debian Etch; the OpenLDAP version is 2.3.30 (the packages installed are ldap-utils, libldap-2.3-0, libldap2 and slapd).
If needed, I can give more details, but basically I followed these steps:
1) a. Set up a local certification authority (CA).
   b. Created a certificate for the LDAP server, signed by my CA; I took care that the Common Name is the server FQDN.
2) a. In /etc/default/slapd, I wrote:
        SLAPD_SERVICES="ldap://arwen.grenier.ambre:389/ ldaps://arwen.grenier.ambre:636/"
      (where arwen.grenier.ambre is my laptop FQDN)
   b. In /etc/ldap/slapd.conf, according to where my files are, I wrote:
        TLSCACertificateFile /etc/ldap/certificates/cacert.pem
        TLSCertificateFile /etc/ldap/certificates/servercert.pem
        TLSCertificateKeyFile /etc/ldap/certificates/serverkey.pem
        TLSVerifyClient never
   c. In /etc/ldap/ldap.conf, I wrote:
        TLS_CACERT /etc/ldap/certificates/cacert.pem
        TLS_REQCERT never
I have read in the OpenLDAP admin guide that the TLS_REQCERT default value is "demand", but it isn't compulsory, is it?
If you want to have actual security, you should leave it at the default setting. I.e., don't change the TLS_REQCERT setting unless you know what you're doing.
The request « ldapsearch -H ldap://arwen.grenier.ambre -x -D "cn=root,dc=irem,dc=univ-lille1,dc=fr" -w secret -ZZ » seems all right as it returns all the directory entries, but in syslog (I put «loglevel 15» in slapd.conf) I have the following (I added some comments to easily spot the possible errors):
None of the items you point out in the log are errors.
I am quite sure that my setup is not totally correct as, for instance, I successfully connect to the directory from the phpLDAPadmin web interface without TLS, but can't connect with TLS (or ldaps).
And another question :-) What's the story with TLS_CIPHER_SUITE in ldap.conf and TLSCipherSuite in slapd.conf? Do they have to be set to some value? When I read the admin guide, I don't understand whether there is a default value or not, and there is nothing concerning these directives in the Faq-O-Matic TLS entry.
The default value depends on how your OpenSSL library was built. Read the OpenSSL documentation for more details.
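A small added check for the TLS_REQCERT point raised above (example code written for this page, not part of the thread or of OpenLDAP): it parses an ldap.conf in OpenLDAP's "KEY value" format, applies the documented default of "demand" when the directive is absent, and flags the values that weaken server-certificate verification. The sample ldap.conf is constructed from the one quoted in the thread; the CA file path is taken from it and not checked for existence.

```python
# Constructed sample: the client-side ldap.conf quoted in the thread, with
# TLS_REQCERT set to "never", the setting the reply advises against.
LDAP_CONF = """\
# /etc/ldap/ldap.conf (constructed sample)
TLS_CACERT /etc/ldap/certificates/cacert.pem
TLS_REQCERT never
"""

# OpenLDAP documents "demand" as the value used when TLS_REQCERT is absent.
DEFAULT_REQCERT = "demand"

# TLS_REQCERT values that disable or weaken verification of the server's
# certificate, with the behaviour each one buys.
WEAK_REQCERT = {
    "never": "server certificate is not requested or checked",
    "allow": "a bad or missing server certificate is accepted",
    "try": "a bad certificate aborts, but a missing one is accepted",
}


def parse_conf(text):
    """Parse OpenLDAP's 'KEY value' lines, skipping blanks and # comments.
    Directive names are case-insensitive, so they are upper-cased here."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)          # split on the first run of whitespace
        conf[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return conf


def audit_tls_reqcert(text):
    """Return a list of findings about client-side certificate verification."""
    conf = parse_conf(text)
    findings = []
    reqcert = conf.get("TLS_REQCERT", DEFAULT_REQCERT).lower()
    if reqcert in WEAK_REQCERT:
        findings.append(f"TLS_REQCERT {reqcert}: {WEAK_REQCERT[reqcert]}")
    # "demand" only helps if the client can find the CA that signed the
    # server certificate; a private CA like the one in the thread needs
    # TLS_CACERT or TLS_CACERTDIR to point at it.
    if reqcert == "demand" and not (conf.get("TLS_CACERT") or conf.get("TLS_CACERTDIR")):
        findings.append("TLS_REQCERT demand but no TLS_CACERT/TLS_CACERTDIR: "
                        "a certificate from a private CA cannot be verified")
    return findings


if __name__ == "__main__":
    for finding in audit_tls_reqcert(LDAP_CONF) or ["no findings"]:
        print(finding)
```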