On 2013-04-22 21:40, Rodney Simioni wrote:
> Hi,
> I've been tasked to enable ssl/tls on ldap. The server already has a certificate and key file. After looking at documentation, these are the three files that are needed
> In the ldap.conf file:
> TLSCertificateFile /etc/openldap/servercrt.pem
> TLSCertificateKeyFile /etc/openldap/serverkey.pem
> TLSCACertificateFile /etc/openldap/cacert.pem
Those are for slapd.conf (old-style server config), not for ldap.conf (client config). In ldap.conf, use TLS_CACERT or maybe TLS_CACERTDIR. See man ldap.conf.
Do *not* give the keyfile to clients. If anyone gets hold of it, they can impersonate the server. If anyone may have gotten hold of it, revoke the certificate and get a new one. Just like you must switch password if your password gets into the wrong hands.
> I already have the TLSCertificateFile and TLSCertificateKeyFile but I don't have the TLSCACertificateFile. Is that something I have to generate?
No. You received it along with your certificate. It's the certificate which signed it. This is the one you put in ldap.conf:TLS_CACERT, so clients can verify your certificate.
Without it, clients can't verify - which means they don't know if they have a connection to your server or to a hostile one.
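The two mistakes discussed in this thread (server-only directives pasted into the client config, and no CA certificate for clients to verify against) are easy to catch with a small lint pass over ldap.conf. The script below is an added example, not part of the thread or of OpenLDAP itself. It assumes the standard directive names from man ldap.conf (TLS_CACERT, TLS_CACERTDIR, TLS_REQCERT) and from slapd.conf (TLSCertificateFile, TLSCertificateKeyFile, TLSCACertificateFile); the two sample config files it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example: lint a client-side ldap.conf for the problems raised above.
# Assumes OpenLDAP's documented directive names; flags slapd.conf-only
# directives in a client config and requires a CA certificate setting.

# check_ldap_conf FILE -> prints findings; returns 0 if clean, 1 otherwise
check_ldap_conf() {
    conf="$1"
    status=0

    # Server directives do not belong in ldap.conf. A TLSCertificateKeyFile
    # entry here also means the private key is being handed to clients.
    server_re='^[[:space:]]*TLS(Certificate|CertificateKey|CACertificate)File[[:space:]]'
    if grep -Eiq "$server_re" "$conf"; then
        echo "ERROR: slapd.conf directive(s) found in client config:"
        grep -Ei "$server_re" "$conf"
        status=1
    fi

    # Clients need the CA certificate (the one that signed the server cert)
    # to verify the server; without it they cannot tell a hostile server apart.
    if ! grep -Eiq '^[[:space:]]*TLS_CACERT(DIR)?[[:space:]]' "$conf"; then
        echo "ERROR: no TLS_CACERT or TLS_CACERTDIR; clients cannot verify the server"
        status=1
    fi

    # TLS_REQCERT defaults to 'demand' (verify and refuse on failure); 'never'
    # or 'allow' silently accepts an unverifiable server.
    reqcert=$(awk 'tolower($1)=="tls_reqcert"{v=tolower($2)} END{print v}' "$conf")
    case "$reqcert" in
        ""|demand|hard) ;;
        *) echo "WARNING: TLS_REQCERT $reqcert does not enforce verification"; status=1 ;;
    esac

    return $status
}

# Demo with two constructed config files (sample content, not real systems).
demo_bad=$(mktemp)
printf 'TLSCertificateFile /etc/openldap/servercrt.pem\nTLSCertificateKeyFile /etc/openldap/serverkey.pem\nTLSCACertificateFile /etc/openldap/cacert.pem\n' > "$demo_bad"
demo_good=$(mktemp)
printf 'URI ldaps://ldap.example.com\nTLS_CACERT /etc/openldap/cacert.pem\nTLS_REQCERT demand\n' > "$demo_good"

echo "== config copied from slapd.conf =="
check_ldap_conf "$demo_bad" || echo "(rejected)"
echo "== client config with CA cert =="
check_ldap_conf "$demo_good" && echo "(ok)"
rm -f "$demo_bad" "$demo_good"
```

Once ldap.conf passes this check, the end-to-end test is an actual TLS connection, for example `ldapwhoami -ZZ -H ldap://your.server` (StartTLS required) with the client pointed at the CA certificate; a verification failure there means the CA file does not match the certificate that signed the server's certificate.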