Dieter Kluenter wrote:
Sebastian Reinhardt snr@lmv-hartmannsdorf.de writes:
Sorry, please forget everything I wrote in my last mail....stop! Not everything! Delete the "partial"!
IT WORKS! I can log in at both, the "real" client PC and as a client on the server machine! Everything is set to demand and the test (ldapsearch and login) works. So only one point is left: the LDAP workshop (Stefan Kania's one) uses the "TLSCipherSuite HIGH:MEDIUM:+SSLv2" option. If I activate this in slapd.conf, ldap cannot be started. Why? I do not know, because I get no output.
In order to find out, run
openssl ciphers SSLv2
openssl ciphers HIGH
openssl ciphers MEDIUM
-Dieter
Hi Dieter, I get the following output:
lmvserver:~ # openssl ciphers SSLv2
DES-CBC3-MD5:DES-CBC-MD5:EXP-RC2-CBC-MD5:RC2-CBC-MD5:EXP-RC4-MD5:RC4-MD5
lmvserver:~ # openssl ciphers MEDIUM
ADH-RC4-MD5:RC4-SHA:RC4-MD5:RC2-CBC-MD5:RC4-MD5
lmvserver:~ # openssl ciphers HIGH
ADH-CAMELLIA256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:ADH-CAMELLIA128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA:ADH-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:ADH-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5
So I think this should work?! SSLv3 is also available. Is it better to use "TLSCipherSuite HIGH:MEDIUM:+SSLv3"?
Oh, I had not posted the solution of my major problem: I mixed IPs and host names (in /etc/ldap.conf I used IPs and in the certificates host names). Due to the comment in /etc/ldap.conf "the LDAP server must be resolvable without ldap" I thought that it is better to use the IP of our server. Also, I used as common name the client name instead of the server's host name (in every client cert the according client host name). So this could not work......I was a little bit confused about configuring multiple ldap.conf files, but thanks to Dieter the server is up and running.
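As an added example (not part of the thread, and not Stefan Kania's or OpenLDAP's code), the following Python script does the review a defender would want before copying a TLSCipherSuite value into slapd.conf: it parses `openssl ciphers` output, expands a group list such as HIGH:MEDIUM the way the option string lists it, and flags suites with no server authentication (ADH), export-grade keys (EXP), RC4, RC2, MD5 MACs or single DES. The sample data is the `openssl ciphers` output quoted above, embedded as constructed constants so the script runs offline; the flagging rules are name-based heuristics written for this example, not OpenSSL's own classification.

```python
"""Audit the cipher list behind a slapd.conf TLSCipherSuite value.

Parses `openssl ciphers` output (the text OpenSSL prints for a cipher
string) and flags suites a defender would not want slapd to negotiate.
The flagging rules below are name-based heuristics written for this
example; they are not OpenSSL's own classification.
"""

# Constructed sample input: the `openssl ciphers SSLv2|MEDIUM|HIGH` output
# quoted in the thread above, embedded so the audit runs offline.
OPENSSL_CIPHERS_OUTPUT = {
    "SSLv2": "DES-CBC3-MD5:DES-CBC-MD5:EXP-RC2-CBC-MD5:RC2-CBC-MD5:EXP-RC4-MD5:RC4-MD5",
    "MEDIUM": "ADH-RC4-MD5:RC4-SHA:RC4-MD5:RC2-CBC-MD5:RC4-MD5",
    "HIGH": (
        "ADH-CAMELLIA256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:"
        "CAMELLIA256-SHA:ADH-CAMELLIA128-SHA:DHE-RSA-CAMELLIA128-SHA:"
        "DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA:ADH-AES256-SHA:"
        "DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:ADH-AES128-SHA:"
        "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:ADH-DES-CBC3-SHA:"
        "EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5"
    ),
}

# Substrings of OpenSSL suite names that indicate a property to reject.
# 3DES (DES-CBC3) is deliberately left unflagged here; add it if your
# policy excludes it.
WEAK_MARKERS = {
    "ADH-": "anonymous DH: no server authentication, the server cert is never checked",
    "EXP-": "export-grade (40/56-bit) key length",
    "RC4": "RC4 stream cipher",
    "RC2": "RC2 block cipher",
    "-MD5": "MD5-based MAC",
}


def parse_cipher_list(text):
    """Split `openssl ciphers` output into suite names, preserving order."""
    return [name for name in text.strip().split(":") if name]


def weaknesses(name):
    """Return the reasons a suite name is rejected (empty list if none)."""
    reasons = [why for marker, why in WEAK_MARKERS.items() if marker in name]
    # Single DES is "DES-CBC-..."; triple DES is "DES-CBC3-..." and must not match.
    if "DES-CBC-" in name:
        reasons.append("single DES (56-bit key)")
    return reasons


def expand(groups, outputs=OPENSSL_CIPHERS_OUTPUT):
    """Concatenate the suites of each group in the order the option lists
    them, dropping repeated names (the MEDIUM output lists RC4-MD5 twice)."""
    seen, ordered = set(), []
    for group in groups:
        for name in parse_cipher_list(outputs[group]):
            if name not in seen:
                seen.add(name)
                ordered.append(name)
    return ordered


def audit(groups, outputs=OPENSSL_CIPHERS_OUTPUT):
    """Split the expanded list into acceptable suites and flagged ones."""
    acceptable, flagged = [], {}
    for name in expand(groups, outputs):
        reasons = weaknesses(name)
        if reasons:
            flagged[name] = reasons
        else:
            acceptable.append(name)
    return {"acceptable": acceptable, "flagged": flagged}


def allowlist_string(groups, outputs=OPENSSL_CIPHERS_OUTPUT):
    """Explicit TLSCipherSuite value containing only the acceptable suites."""
    return ":".join(audit(groups, outputs)["acceptable"])


if __name__ == "__main__":
    for spec in (["SSLv2"], ["MEDIUM"], ["HIGH", "MEDIUM"]):
        report = audit(spec)
        print(":".join(spec), "->", len(report["acceptable"]), "acceptable,",
              len(report["flagged"]), "flagged")
        for name, reasons in report["flagged"].items():
            print("  ", name, "-", "; ".join(reasons))
    print("TLSCipherSuite", allowlist_string(["HIGH", "MEDIUM"]))
```

On the server itself you would feed the real output of `openssl ciphers 'HIGH:MEDIUM'` to `parse_cipher_list` instead of the embedded constants. On the sample data every SSLv2 and every MEDIUM suite is flagged, and HIGH still carries five anonymous-DH suites plus DES-CBC3-MD5, which is why an explicit allowlist built from the audit is safer than a group name. Note also that in OpenSSL's cipher-string syntax a leading `+` only moves the matching suites to the end of the list and adds nothing, so `HIGH:MEDIUM:+SSLv2` selects the same suites as `HIGH:MEDIUM`, with the SSLv2-style ones sorted last.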