2:26 a.m.
Hello,
I am using primary/secondary LDAP servers configuration, it works quite
normal.
I need to make LDAP authentication secure. I.e., I need both LDAP
servers to provide LDAP over SSL/TLS, so that both primary and secondary
LDAP server be used (mentioned in ldap.conf).
I have to use self-signed SSL certificates, since the servers are
located in intranet, they have no 'real' domain names.
The problem is I can't figure out how to specify ldap.conf SSL
parameters so that they could
- verify LDAP server certificate
- be used with both primary and secondary LDAP servers
Also, I'd prefer to use TLS - how do I run slapd so that it provided
TLS-aware connection on the standard port? Is it possible to set up
slapd so that TLS be optional (for testing/transition purposes).
I would greatly appreciate references to the relevant docs on these.
Thank you.
Sincerely,
Konstantin
2:36 a.m.
I have to use self-signed SSL certificates, since the servers are
located in
intranet, they have no 'real' domain names.
Names in certificates used in connection do not need to take a part in
"authentication". Study the difference between authentication and
authorization.
The problem is I can't figure out how to specify ldap.conf SSL parameters so
that they could
- verify LDAP server certificate
- be used with both primary and secondary LDAP servers
Also, I'd prefer to use TLS - how do I run slapd so that it provided TLS-aware
connection on the standard port? Is it possible to set up slapd so that TLS be
optional (for testing/transition purposes).
To setup slapd with SSL (ldaps) , add ldaps:/// argument to it.
I would greatly appreciate references to the relevant docs on these.
Answers for
your questions are in man ldap.conf, and man slapd manual
pages.
Regards,
DT
--
http://dtpw.pl/mywork
http://dtpw.pl/buell [ 25th anniversary of Buell - American Motorcycles ]
3:44 a.m.
On Friday, 26 November 2010 11:26:46 Konstantin Boyandin wrote:
Hello,
I am using primary/secondary LDAP servers configuration, it works quite
normal.
I need to make LDAP authentication secure. I.e., I need both LDAP
servers to provide LDAP over SSL/TLS, so that both primary and secondary
LDAP server be used (mentioned in ldap.conf).
I have to use self-signed SSL certificates,
No, you don't have to use self-signed SSL certificates, you could use a single
self-signed CA certificate, and sign your LDAP servers' SSL certificates with
this single self-signed CA certificate.
since the servers are
located in intranet, they have no 'real' domain names.
There is no reason servers in an intranet can't have "real" domain names.
The problem is I can't figure out how to specify ldap.conf SSL
parameters so that they could
- verify LDAP server certificate
- be used with both primary and secondary LDAP servers
Your options are:
-1 self-signed certificate with subjectAltName extensions allowing both
hostnames and/or IP addresses etc. (however, some proprietary LDAP libraries
don't support that well, e.g. on Solaris).
Also, I'd prefer to use TLS - how do I run slapd so that it
provided
TLS-aware connection on the standard port?
TLS on standard port is start_tls.
Is it possible to set up
slapd so that TLS be optional (for testing/transition purposes).
If you have certificates defined in your slapd configuration (e.g.
TLSCertificateFile, TLSCertificateKeyFile), this should work without any
further configuration on the server side.
If you want to require TLS later, see the 'security' options for slapd.conf
Regards,
Buchan
4579
days inactive
4579
days old
openldap-technical@openldap.org
2 comments
3 participants
participants (3)
-
Buchan Milne -
DT Piotr Wadas -
Konstantin Boyandin