Hi Folks,
I have set up openldap with SSL and I'm using self signed certs. I have included the following in my slapd.conf.
TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCACertificateFile /etc/ldap/ssl/server.pem
TLSCertificateFile /etc/ldap/ssl/server.pem
TLSCertificateKeyFile /etc/ldap/ssl/server.pem
TLSVerifyClient demand
and in my ldap.conf I have;
HOST <my_ip>
PORT 636
TLS_REQCERT /etc/ldap/ssl/server.pem
When I start the service, I see port 636 is up and I can even telnet to it. But I cannot perform any ldap operations there.
Any help would be appreciated!
Thanks, ~Chamith
On Fri, 4 Dec 2009, Chamith Kumarage wrote:
> Hi Folks,
> I have set up openldap with SSL and I'm using self signed certs. I have included the following in my slapd.conf.
> TLSCipherSuite HIGH:MEDIUM:-SSLv2
> TLSCACertificateFile /etc/ldap/ssl/server.pem
> TLSCertificateFile /etc/ldap/ssl/server.pem
> TLSCertificateKeyFile /etc/ldap/ssl/server.pem
> TLSVerifyClient demand
> and in my ldap.conf I have;
> HOST <my_ip>
> PORT 636
> TLS_REQCERT /etc/ldap/ssl/server.pem
What slapd starting line (-h option) have you used? It should be something like
"ldap://127.0.0.1:389/ ldaps://127.0.0.1:636/ ldapi:///"
E.g. in Debian it's configured via the /etc/default/slapd file.
Regards, DT
On Fri, 2009-12-04 at 12:38 +0100, DT Piotr Wadas wrote:
> On Fri, 4 Dec 2009, Chamith Kumarage wrote:
> > Hi Folks,
> > I have set up openldap with SSL and I'm using self signed certs. I have included the following in my slapd.conf.
> > TLSCipherSuite HIGH:MEDIUM:-SSLv2
> > TLSCACertificateFile /etc/ldap/ssl/server.pem
> > TLSCertificateFile /etc/ldap/ssl/server.pem
> > TLSCertificateKeyFile /etc/ldap/ssl/server.pem
> > TLSVerifyClient demand
> > and in my ldap.conf I have;
> > HOST <my_ip>
> > PORT 636
> > TLS_REQCERT /etc/ldap/ssl/server.pem
> What slapd starting line (-h option) have you used? It should be something like
> "ldap://127.0.0.1:389/ ldaps://127.0.0.1:636/ ldapi:///"
> E.g. in Debian it's configured via the /etc/default/slapd file.
> Regards, DT
I have those already configured in /etc/default/slapd. This is the error I'm getting when trying to do an ldapsearch via ldaps://:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
But I can perform the same operation via ldap://
Thanks, ~Chamith
Hi, there are 2 possible solutions. 1st: each client needs the correct cert so that it can connect. 2nd: if you want to use it like "SSL web pages", you need to set this in slapd.conf (disables client cert checking):
TLSVerifyClient never
regards
On 04.12.2009 11:16, Chamith Kumarage wrote:
> Hi Folks,
> I have set up openldap with SSL and I'm using self signed certs. I have included the following in my slapd.conf.
> TLSCipherSuite HIGH:MEDIUM:-SSLv2
> TLSCACertificateFile /etc/ldap/ssl/server.pem
> TLSCertificateFile /etc/ldap/ssl/server.pem
> TLSCertificateKeyFile /etc/ldap/ssl/server.pem
> TLSVerifyClient demand
> and in my ldap.conf I have;
> HOST <my_ip>
> PORT 636
> TLS_REQCERT /etc/ldap/ssl/server.pem
> When I start the service, I see port 636 is up and I can even telnet to it. But I cannot perform any ldap operations there.
> Any help would be appreciated!
> Thanks, ~Chamith
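An added example, not code from the thread or from OpenLDAP: a small checker that reads the two config fragments posted above and reports the mismatches this thread turns on, namely a TLS_REQCERT value that is a file path rather than a level, a client that verifies the server certificate but names no CA file, and a server set to TLSVerifyClient demand while the client has no TLS_CERT/TLS_KEY. The directive names and their valid levels are OpenLDAP's own; the sample configs are constructed from the posted fragments.

```python
# Added example, not OpenLDAP's code: lint the slapd.conf / ldap.conf TLS settings
# from this thread. Sample configs are constructed from the posted fragments.

# slapd.conf fragment as posted, one directive per line
SLAPD_CONF = """
TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCACertificateFile /etc/ldap/ssl/server.pem
TLSCertificateFile /etc/ldap/ssl/server.pem
TLSCertificateKeyFile /etc/ldap/ssl/server.pem
TLSVerifyClient demand
"""
# ldap.conf fragment as posted
LDAP_CONF = """
HOST <my_ip>
PORT 636
TLS_REQCERT /etc/ldap/ssl/server.pem
"""

REQCERT_LEVELS = {"never", "allow", "try", "demand", "hard"}  # ldap.conf TLS_REQCERT levels


def parse_conf(text):
    """Map DIRECTIVE (upper-cased; OpenLDAP keywords are case-insensitive) to its value."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def check_tls(slapd_conf, ldap_conf):
    """Return findings that explain why an ldaps:// bind may fail; empty means consistent."""
    server, client = parse_conf(slapd_conf), parse_conf(ldap_conf)
    findings = []
    reqcert = client.get("TLS_REQCERT", "demand").lower()  # libldap default is 'demand'
    if reqcert not in REQCERT_LEVELS:
        findings.append("TLS_REQCERT takes a level (never/allow/try/demand/hard), not a "
                        "file; the CA file belongs in TLS_CACERT")
        reqcert = "demand"
    if reqcert in ("demand", "hard") and "TLS_CACERT" not in client:
        findings.append("client verifies the server cert but sets no TLS_CACERT, so a "
                        "self-signed server cert cannot be validated")
    verify = server.get("TLSVERIFYCLIENT", "never").lower()  # slapd default is 'never'
    if verify in ("demand", "hard", "true") and not {"TLS_CERT", "TLS_KEY"} <= set(client):
        findings.append("TLSVerifyClient demand requires a client certificate but ldap.conf "
                        "sets no TLS_CERT/TLS_KEY; the handshake fails before the bind, which "
                        "ldapsearch reports as \"Can't contact LDAP server (-1)\"")
    return findings
```

The posted pair yields three findings; moving the CA path to TLS_CACERT and then either setting TLSVerifyClient never (the second suggestion above) or giving the client a TLS_CERT/TLS_KEY pair clears them.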
2009/12/4 Chamith Kumarage gnu.chami@gmx.net:
> Hi Folks,
> I have set up openldap with SSL and I'm using self signed certs. I have included the following in my slapd.conf.
> TLSCipherSuite HIGH:MEDIUM:-SSLv2
If you are using Debian see this - http://wiki.debian.org/LDAP/OpenLDAPSetup
> TLSCACertificateFile /etc/ldap/ssl/server.pem
> TLSCertificateFile /etc/ldap/ssl/server.pem
> TLSCertificateKeyFile /etc/ldap/ssl/server.pem
> TLSVerifyClient demand
> and in my ldap.conf I have;
> HOST <my_ip>
> PORT 636
> TLS_REQCERT /etc/ldap/ssl/server.pem
> When I start the service, I see port 636 is up and I can even telnet to it. But I cannot perform any ldap operations there.
> Any help would be appreciated!
> Thanks, ~Chamith
openldap-technical@openldap.org