Hi, sorry for the stupid question,
but however I follow all the howtos and tutorials, it is not working.
1) I have created a CA certificate: /etc/pki/tls/misc/CA -newca
2) I have generated a new request: /etc/pki/tls/misc/CA -newreq
3) I have signed the certificate: /etc/pki/tls/misc/CA -signreq
So I have the CA in /etc/pki/CA; I have newkey.pem, I have newcert.pem, and I also have clearkey.pem (without passphrase):
$ openssl rsa < newkey.pem > clearkey.pem
What to do next?? What to put in slapd.conf in order to make it work?? What to put in ldap.conf in order to communicate??
Really, thanks in advance!!
David
--On April 1, 2008 11:01:29 PM +0200 David Hláčik david@hlacik.eu wrote:
What to do next?? What to put in slapd.conf in order to make it work?? What to put in ldap.conf in order to communicate??
Read the slapd.conf man page?
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
My advice, from a novice user standpoint, is to get everything working without TLS first. Make sure your systems can authenticate and everything is functioning. If your environment is not secure, then build a test environment (resources pending).
Once you have done this, then work on TLS.
In my ldap.conf file, I have an entry like this:
--
Randall Svancara
Systems Administrator
509-335-7093
Thanks to you all, guys! I have already had LDAP working for half a year, but I did not need TLS as everything was localhost only. And my problem of course was not there but in ldap.conf (I needed to set the path to the CA cert).
Regards,
David
On Wed, Apr 2, 2008 at 12:35 AM, Randall Svancara rsvancara@wsu.edu wrote:
My advice, from a novice user standpoint, is to get everything working without TLS first. Make sure your systems can authenticate and everything is functioning. If your environment is not secure, then build a test environment (resources pending).
Once you have done this, then work on TLS.
In my ldap.conf file, I have an entry like this:
--
Randall Svancara
Systems Administrator
509-335-7093
My advice, from a novice user standpoint, is to get everything working without TLS first. Make sure your systems can authenticate and everything is functioning. If your environment is not secure, then build a test environment (resources pending).
Once you have done this, then work on TLS.
In my ldap.conf file, I have an entry like this:
TLS_CACERTDIR /etc/openldap/cacerts
In this directory I put a file called ca.crt, which is my certificate of authority, if I am not mistaken.
On the server, in my slapd.conf file, I put the following entries:
TLSCertificateFile /etc/openldap/cacerts/serverhostname.local.crt
TLSCertificateKeyFile /etc/openldap/cacerts/serverhostname.local.key
TLSCACertificateFile /etc/openldap/cacerts/ca.crt
TLSVerifyClient never
Make sure your server certificate's CN is the same as the hostname of your LDAP server. As far as I understand, you need this in order for TLS to work correctly (someone correct me if I am wrong).
That should be it. You should have TLS working. Fire up your favorite packet scanner (ngrep, wireshark) and test to make sure the data is encrypted. You can also use the openssl client to connect to the LDAP server and see if TLS is working too.
Are you having a specific problem? The documentation seems pretty clear on how to set this up. BTW, I am using CentOS 5.1/4.6 in my environment and I have had really good luck with LDAP. We used to be a NIS environment about a year ago.
--
Randall Svancara
Systems Administrator
509-335-7093
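As an added example (not code from this thread), the CA / request / sign steps from the original post done with plain openssl, followed by the checks the replies depend on: the server certificate chains to the CA file a client will be pointed at (the ldap.conf fix David found), the CN equals the LDAP hostname, the key has no passphrase, and a TLS_CACERTDIR-style directory carries the hashed filename OpenSSL needs to find the CA. The hostname ldap.example.test, the passphrase and the mktemp paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: the CA -> request -> sign steps
# from the original post done with plain openssl, then the checks the thread
# relies on. LDAP_HOST and the mktemp paths are constructed placeholders.
set -eu
WORK=$(mktemp -d)
LDAP_HOST="ldap.example.test"   # the server cert's CN must equal this name

# 1) CA ("CA -newca"): self-signed CA certificate plus its key
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example LDAP CA" \
  -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
# 2) server request ("CA -newreq"); the key is passphrase-protected
openssl req -newkey rsa:2048 -subj "/CN=$LDAP_HOST" -passout pass:secret \
  -keyout "$WORK/newkey.pem" -out "$WORK/newreq.pem" 2>/dev/null
# 3) sign the request with the CA ("CA -signreq")
openssl x509 -req -in "$WORK/newreq.pem" -CA "$WORK/cacert.pem" \
  -CAkey "$WORK/cakey.pem" -CAcreateserial -days 1 -out "$WORK/newcert.pem" 2>/dev/null
# slapd cannot type a passphrase at startup, so strip it (the post's openssl rsa step)
openssl rsa -in "$WORK/newkey.pem" -passin pass:secret -out "$WORK/clearkey.pem" 2>/dev/null

# Does the server cert chain to the CA file a client's TLS_CACERT will point at?
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Subject CN of a certificate; RFC 2253 form parses the same on old and new openssl
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# True when the key has no passphrase, i.e. a daemon can load it unattended
key_is_clear() { ! grep -q ENCRYPTED "$1"; }

# TLS_CACERTDIR lookups find CAs by <subject-hash>.0 filename, so a plain
# ca.crt in the directory is not enough; create the link c_rehash would, then verify
make_cacertdir() {
  mkdir -p "$2"
  ln -sf "$1" "$2/$(openssl x509 -hash -noout -in "$1").0"
  openssl verify -CApath "$2" "$3" >/dev/null 2>&1
}

verify_chain "$WORK/cacert.pem" "$WORK/newcert.pem" && echo "chain verifies against the CA"
[ "$(cert_cn "$WORK/newcert.pem")" = "$LDAP_HOST" ] && echo "CN matches $LDAP_HOST"
key_is_clear "$WORK/clearkey.pem" && echo "clearkey.pem has no passphrase"
make_cacertdir "$WORK/cacert.pem" "$WORK/cacerts" "$WORK/newcert.pem" && echo "TLS_CACERTDIR lookup works"
```

Pointing TLS_CACERT at the CA file avoids the hashed-name requirement entirely, which is the simpler choice when there is only one CA.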
openldap-software@openldap.org