Hi,
"Hunter hu" hunter.wxhu@gmail.com writes:
> Hi,
> I have to get help from here, because I have been struggling with the TLS
> configuration for weeks. During those days I searched Google, including this
> list, and still can't get it to work, my god.
> Could anyone provide a step-by-step guide on how to configure the OpenLDAP
> TLS connection, so it can reduce our pain?
> Here I expose the steps and try to get help from the senior LDAP engineers.
>
> - installed openldap with --with-tls=openssl
>   I add the openssl specially to avoid using gnutls; sometimes openldap will
>   go and find gnutls if the C header is there.
>   Installed and started slapd successfully.
> - using
>   ldapsearch -v -h 10.192.183.73 -b "dc=example,dc=com" -s base "objectclass=*"
>   I can get the listed information from the openldap server, that is ok.
> - now go for certificate generation with the numerous guides on Google, but
>   none of them worked for me
>   3.1 cd /var/myca; /usr/local/ssl/misc/CA.sh -newca
>       then it will generate demoCA, and cacert.pem is there, that is ok
>   3.2 /usr/local/ssl/misc/CA.sh -newreq newkey.pem newreq.pem

At this stage you should only have a newreq.pem, no key yet.

>   notes: I am using 10.192.183.73 as the common name, is there any issue
>   here?

Not if you only call the host by this IP number.

>   3.3 /usr/local/ssl/misc/CA.sh -sign, then you get newcert.pem

You have to extract the key first:

  openssl rsa -in newreq.pem -out newkey.pem

>   now copy into /var/ldap and try to insert into slapd and restart:
>
>   TLSCipherSuite MEDIUM:+TLSv1+SSL3+SSL2
>   TLSCertificateFile /var/ldap/newcert.pem
>   TLSCertificateKeyFile /var/ldap/newkey.pem   (some guide said it should be newreq.pem)
>   TLSCACertificateFile /var/ldap/cacert.pem
>
> - ftp cacert.pem to the client and copy it into /var/myca
>   using s_client to test first:
>   openssl s_client -connect 10.192.183.73:389 -showcerts -state -CAfile /var/myca/cacert.pem -tls1
>   you always get the error

This will not work; you have to start slapd with -h ldaps:/// and connect openssl to port 636.
-Dieter
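As an added example (not code from either poster), the same CA, request and signing steps done with plain openssl commands instead of CA.sh, followed by the two checks the thread never makes: that newcert.pem chains to cacert.pem and that the key slapd is pointed at actually belongs to that certificate. The 10.192.183.73 address comes from the thread; the work directory, file names and the subjectAltName extension are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: the CA / server-certificate steps
# from the message done with plain openssl instead of CA.sh, then checked before
# slapd is pointed at them. Assumes openssl is installed; the work directory and
# file names (cacert.pem, newreq.pem, newkey.pem, newcert.pem) are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST_IP="10.192.183.73"   # the address from the thread

# Step 3.1: a self-signed CA (what CA.sh -newca produces as demoCA/cacert.pem).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example LDAP CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" >/dev/null 2>&1
}

# Steps 3.2 and 3.3: key + request, then sign the request with the CA.
# The key is written to its own file from the start, so nothing has to be
# extracted later. Clients that check subjectAltName need the IP there too.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST_IP" \
    -keyout "$WORK/newkey.pem" -out "$WORK/newreq.pem" >/dev/null 2>&1
  printf 'subjectAltName=IP:%s\n' "$HOST_IP" > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/newreq.pem" -days 365 \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -extfile "$WORK/san.ext" -out "$WORK/newcert.pem" >/dev/null 2>&1
}

# The checks missing from the thread: does newcert.pem chain to cacert.pem,
# and does the key slapd will load really belong to that certificate?
verify_material() {
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/newcert.pem" >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$WORK/newcert.pem" -pubkey -noout)
  key_pub=$(openssl pkey -in "$WORK/newkey.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# The slapd.conf directives; TLSCertificateKeyFile is the key, never the request.
slapd_tls_config() {
  printf 'TLSCACertificateFile %s\nTLSCertificateFile %s\nTLSCertificateKeyFile %s\n' \
    "$WORK/cacert.pem" "$WORK/newcert.pem" "$WORK/newkey.pem"
}
```

Once the three files are copied to /var/ldap and the directives added, start slapd with -h "ldap:/// ldaps:///" and test with openssl s_client -connect 10.192.183.73:636 -CAfile /var/myca/cacert.pem, since s_client speaks TLS from the first byte and port 389 expects plain LDAP (or StartTLS).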