My advice, from a novice user standpoint, is to get everything working without TLS first. Make sure your systems can authenticate and everything is functioning. If your environment is not secure, then build a test environment (resources pending).
Once you have done this, then work on TLS.
In my ldap.conf file, I have an entry like this:
TLS_CACERTDIR /etc/openldap/cacerts
In this directory I put a file called ca.crt, which is my certificate of authority if I am not mistaken.
On the server in my slapd.conf file, I put the following entries:
TLSCertificateFile /etc/openldap/cacerts/serverhostname.local.crt
TLSCertificateKeyFile /etc/openldap/cacerts/serverhostname.local.key
TLSCACertificateFile /etc/openldap/cacerts/ca.crt
TLSVerifyClient never
Make sure your server certificate's CN is the same as the hostname of your LDAP server. As far as I understand, you need this in order for TLS to work correctly (Someone correct me if I am wrong).
That should be it. You should have TLS working. Fire up your favorite packet scanner (ngrep, Wireshark) and test to make sure the data is encrypted. You can also use the openssl client to connect to the LDAP server and see if TLS is working too.
Are you having a specific problem? The documentation seems pretty clear on how to set this up. BTW, I am using CentOS 5.1/4.6 in my environment and I have had really good luck with LDAP. We used to be a NIS environment about a year ago.
- Randall Svancara Systems Administrator 509-335-7093
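The steps in the reply above (CA certificate, server certificate whose name equals the slapd hostname, verify before trusting) as an added, runnable example; this is editorial code, not part of the thread or of OpenLDAP. It mints a throwaway CA and server certificate with the openssl CLI and then performs the same chain-plus-hostname check an LDAP client does. The hostname ldap.example.local and the temporary directory are assumptions; substitute the real `hostname -f` of the slapd host and your /etc/openldap/cacerts paths.

```shell
#!/bin/sh
# Added example (not from the thread): mint a throwaway CA and a server certificate whose
# CN and SAN equal the slapd hostname, then verify the chain and the hostname the way an
# LDAP client does. Hostname and paths are assumptions; replace them with your own.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=ldap.example.local     # assumption: use `hostname -f` of the real slapd host

# CA: self-signed, 10 years. ca.crt is what goes in TLSCACertificateFile (slapd.conf)
# and TLS_CACERT / TLS_CACERTDIR (ldap.conf).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Test LDAP CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Server key + CSR, then sign with the CA. -nodes writes the key unencrypted, which is
# what slapd needs (it cannot prompt for a passphrase at start-up; this is the same
# result as `openssl rsa < newkey.pem > clearkey.pem`). A subjectAltName is added
# because clients match the hostname against the SAN first and only fall back to CN.
# $host.crt -> TLSCertificateFile, $host.key -> TLSCertificateKeyFile.
make_server_cert() {
  host=$1
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" >"$WORK/san.ext"
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/san.ext" \
    -out "$WORK/$host.crt" >/dev/null 2>&1
}

# Exit 0 only if the certificate chains to ca.crt AND its name matches the host the
# client connects to; this is the check a client with TLS_REQCERT demand performs.
check_cert() {
  cert=$1; connect_to=$2
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$connect_to" \
    "$WORK/$cert.crt" >/dev/null 2>&1
}

make_ca
make_server_cert "$HOST"
if check_cert "$HOST" "$HOST"; then
  echo "OK: $WORK/$HOST.crt chains to ca.crt and matches $HOST"
fi
# A certificate issued for one name must be rejected when the client connects to another.
if check_cert "$HOST" "other.example.local"; then
  echo "unexpected: hostname mismatch was accepted"; exit 1
fi
```

Two things to keep in mind when moving these files into place: with an OpenSSL-linked client library, TLS_CACERTDIR is searched by subject-hash filename, so either run `c_rehash` on that directory or point TLS_CACERT at the ca.crt file directly; and once the files are installed, `ldapsearch -ZZ -H ldap://<host>` (StartTLS, failure is fatal) or `openssl s_client -connect <host>:636 -CAfile ca.crt` gives the same chain-and-name verdict against the live server.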
On Tue, 2008-04-01 at 23:01 +0200, David Hláčik wrote:
Hi, sorry for the stupid question,
but however much I follow all the howtos and tutorials, it is not working.
- I have created a CA certificate - /etc/pki/tls/misc/CA -newca
- I have generated a new request - /etc/pki/tls/misc/CA -newreq
- I have signed the certificate - /etc/pki/tls/misc/CA -signreq
So I have the CA in /etc/pki/CA, I have newkey.pem, I have newcert.pem, and I also have clearkey.pem (without passphrase):
$ openssl rsa < newkey.pem > clearkey.pem
What to do next? What to put in slapd.conf in order to make it work? What to put in ldap.conf in order to communicate?
Really, thanks in advance!!
David