Hi,
I set up an openldap-2.4.23 server on centos6.2 using cn=config. The server itself doesn't authenticate through ldap. Network clients are able to authenticate but the network traffic is unencrypted.
Next step is to configure SSL/TLS. I was reading multiple sources of documentation, trying to understand what I'm doing, not just following instructions. I created a CA, generated a certificate for the server and set these up in cn=config:
olcTLSCACertificateFile: /etc/openldap/cacerts/CA.crt
olcTLSCertificateFile: /etc/pki/tls/certs/ldapserver.crt
olcTLSCertificateKeyFile: /etc/pki/tls/private/ldapserver-nopass.key
olcTLSVerifyClient: demand
I was expecting that after the slapd restart clients would not be able to authenticate, but they still can and the traffic is still unencrypted. On the server, if I run tcpdump I can clearly see usernames and passwords.
Service slapd is running as user ldap and I made sure the user has read access to all cert files and private keys. I enabled logging level "olcLogLevel: stats" but I don't see any errors in the log file.
Shouldn't "olcTLSVerifyClient: demand" drop the connection if the client doesn't provide a valid certificate?
Thank you for any pointers.
-- Peter
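A point worth checking against the configuration above: olcTLSVerifyClient only governs sessions that have already negotiated TLS, and none of the four olcTLS* attributes makes TLS mandatory; that is what olcSecurity (for example tls=1 or ssf=128) on the global or database entry does, or listening on ldaps:// only. The linter below is an added example, not code from the thread or from OpenLDAP; parse_ldif and tls_findings are hypothetical helpers, and the sample entries are constructed from the attribute values quoted in the post.

```python
"""Flag a slapd cn=config entry that offers TLS but does not require it."""

# Constructed sample: the global entry as described in the post, TLS
# material configured but no olcSecurity, so cleartext binds are still accepted.
WEAK_CONFIG = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCACertificateFile: /etc/openldap/cacerts/CA.crt
olcTLSCertificateFile: /etc/pki/tls/certs/ldapserver.crt
olcTLSCertificateKeyFile: /etc/pki/tls/private/ldapserver-nopass.key
olcTLSVerifyClient: demand
"""

# Same entry plus a minimum security strength factor (SSF) for every operation.
HARDENED_CONFIG = WEAK_CONFIG + "olcSecurity: ssf=128\n"


def parse_ldif(text):
    """Return {attribute: [values]} for one LDIF entry (no base64 or folded lines)."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def tls_findings(text, min_ssf=128):
    """List reasons simple binds could still travel in cleartext on this entry."""
    attrs = parse_ldif(text)
    findings = []
    for needed in ("olcTLSCertificateFile", "olcTLSCertificateKeyFile"):
        if needed not in attrs:
            findings.append(f"{needed} missing: slapd cannot offer TLS at all")
    required = False
    # olcSecurity factors: tls=N requires TLS; ssf/transport/simple_bind=N
    # require at least N bits of protection (TLS provides it).
    for value in attrs.get("olcSecurity", []):
        for factor in value.split():
            key, _, num = factor.partition("=")
            if not num.isdigit():
                continue
            if key == "tls" and int(num) > 0:
                required = True
            if key in ("ssf", "transport", "simple_bind") and int(num) >= min_ssf:
                required = True
    if not required:
        findings.append(f"olcSecurity does not require TLS (tls=1 or ssf>={min_ssf}): "
                        "cleartext binds still accepted")
        if "olcTLSVerifyClient" in attrs:
            findings.append("olcTLSVerifyClient only applies once TLS is negotiated")
    return findings
```

Run tls_findings on the entry exported with `slapcat -n 0` to see which of the two conditions applies to a live server.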
--On Monday, March 12, 2012 6:52 PM -0700 Peter Wood peterwood.sd@gmail.com wrote:

> Hi,
> I set up an openldap-2.4.23 server

Why? I'd suggest you start with the current release, 2.4.30. You may also want to look at http://www.openldap.org/its/index.cgi/?findid=7197
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
openldap-technical@openldap.org