Hello,
I am using primary/secondary LDAP servers configuration, it works quite normal.
I need to make LDAP authentication secure. I.e., I need both LDAP servers to provide LDAP over SSL/TLS, so that both the primary and the secondary LDAP server (mentioned in ldap.conf) are used.
I have to use self-signed SSL certificates, since the servers are located in intranet, they have no 'real' domain names.
The problem is I can't figure out how to specify ldap.conf SSL parameters so that they could
- verify the LDAP server certificate
- be used with both primary and secondary LDAP servers
Also, I'd prefer to use TLS - how do I run slapd so that it provides a TLS-aware connection on the standard port? Is it possible to set up slapd so that TLS is optional (for testing/transition purposes)?
I would greatly appreciate references to the relevant docs on these.
Thank you. Sincerely, Konstantin
> I have to use self-signed SSL certificates, since the servers are located in intranet, they have no 'real' domain names.
Names in certificates used in connection do not need to take a part in "authentication". Study the difference between authentication and authorization.
> The problem is I can't figure out how to specify ldap.conf SSL parameters so that they could
> - verify LDAP server certificate
> - be used with both primary and secondary LDAP servers
> Also, I'd prefer to use TLS - how do I run slapd so that it provides a TLS-aware connection on the standard port? Is it possible to set up slapd so that TLS is optional (for testing/transition purposes)?
To set up slapd with SSL (ldaps), add the ldaps:/// argument to it.
> I would greatly appreciate references to the relevant docs on these.
Answers for your questions are in the man ldap.conf and man slapd manual pages.
Regards, DT
On Friday, 26 November 2010 11:26:46 Konstantin Boyandin wrote:
> Hello,
> I am using primary/secondary LDAP servers configuration, it works quite normal.
> I need to make LDAP authentication secure. I.e., I need both LDAP servers to provide LDAP over SSL/TLS, so that both primary and secondary LDAP server be used (mentioned in ldap.conf).
> I have to use self-signed SSL certificates,
No, you don't have to use self-signed SSL certificates, you could use a single self-signed CA certificate, and sign your LDAP servers' SSL certificates with this single self-signed CA certificate.
> since the servers are located in intranet, they have no 'real' domain names.
There is no reason servers in an intranet can't have "real" domain names.
> The problem is I can't figure out how to specify ldap.conf SSL parameters so that they could
> - verify LDAP server certificate
> - be used with both primary and secondary LDAP servers
Your options are:
- one self-signed certificate with subjectAltName extensions allowing both hostnames and/or IP addresses etc. (however, some proprietary LDAP libraries don't support that well, e.g. on Solaris).
> Also, I'd prefer to use TLS - how do I run slapd so that it provided TLS-aware connection on the standard port?
TLS on the standard port is start_tls.
> Is it possible to set up slapd so that TLS be optional (for testing/transition purposes).
If you have certificates defined in your slapd configuration (e.g. TLSCertificateFile, TLSCertificateKeyFile), this should work without any further configuration on the server side.
If you want to require TLS later, see the 'security' options for slapd.conf.
Regards, Buchan
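Putting the two replies together, here is the client and server configuration they describe, written out as an added example (it is not from the thread or from the OpenLDAP project). Hostnames, the base DN, the file paths and the CA name are assumptions; the directives themselves (URI, TLS_CACERT, TLS_REQCERT, TLSCACertificateFile, TLSCertificateFile, TLSCertificateKeyFile, security) are the ones documented in ldap.conf(5) and slapd.conf(5).

```conf
# --- /etc/openldap/ldap.conf on every client (assumed path) ---
# Both servers listed; the client library tries them in order.
# Use ldap:// plus StartTLS (ldapsearch -ZZ) if you prefer TLS on port 389.
URI          ldaps://ldap1.example.intra ldaps://ldap2.example.intra
BASE         dc=example,dc=intra

# The single self-signed CA that signed BOTH server certificates.
TLS_CACERT   /etc/openldap/certs/intranet-ca.pem
# "demand": refuse the connection unless the server certificate is
# valid, chains to TLS_CACERT, and its CN/subjectAltName matches the
# hostname given in URI. Never use "never"/"allow" in production.
TLS_REQCERT  demand

# --- /etc/openldap/slapd.conf on ldap1 (repeat with its own cert on ldap2) ---
TLSCACertificateFile   /etc/openldap/certs/intranet-ca.pem
TLSCertificateFile     /etc/openldap/certs/ldap1.example.intra.crt
TLSCertificateKeyFile  /etc/openldap/certs/ldap1.example.intra.key

# Transition phase: leave the 'security' line out, so plain, StartTLS and
# ldaps clients all work. Once every client is migrated, require TLS:
security tls=1

# --- starting slapd (assumed service invocation) ---
# ldap:///  -> port 389, StartTLS available because TLS* directives are set
# ldaps:/// -> port 636, TLS from the first byte
#   slapd -h "ldap:/// ldaps:///" -f /etc/openldap/slapd.conf
```

Two checks worth doing before relying on this: `ldapsearch -H ldaps://ldap1.example.intra -x -b dc=example,dc=intra` must succeed with TLS_REQCERT demand (if it only works with `allow`, the hostname in URI does not match the certificate's CN or subjectAltName), and the same search against the second server must succeed too, since a client that fails over to a server whose certificate does not verify simply fails over to an error. Signing both server certificates with one intranet CA, as Buchan suggests, is what lets a single TLS_CACERT line cover both.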
openldap-technical@openldap.org