
Re: ldap+ssl/tls
Hi,

Craig Jackson <craig.jackson@wild.net> writes:

> I set up an ldap server which allows plain text authentication, but was
> unable to configure it to use ssl/tls authentication. I have the
> ldap-tls package installed (Debian system). Ldap is listening on 636 and
> 389 (using netstat and telnet from another box as test), so it seems to
> be working. However, when trying to authenticate from Evolution client,
> the connection fails. Has anyone gone this route before?

Evolution is only able to use SSL, not TLS.

> Other info:
> The pem file is 600
> I used this site as a guide: 
> http://www.securityfocus.com/infocus/1428

Me think, that wouldn't work :-)
Now just a few lines describing the way I did it.
1. Use the scripts in ssl/misc
2. change openssl.cnf to your DN requirements, do NOT use default settings!
3. create a Certificate Authority, ./CA.pl -newca
4. create a SERVICE certificate. ./CA.pl -newreq, with FQDN of your ldapserver
   as DN
5. sign the service certificate ./CA.pl -signreq
6. remove password from newcert.pem,
   openssl rsa -in newreq.pem -out ldaphostkey.pem
7. rename newcert.pem to your requirement
8. create a USER certificate ./CA.pl -newreq, with DN of your user. 
9. sign user certificate ./CA.pl -signreq
10. remove password from newcert.pem, as described above
11. rename newcert.pem newreq.pem to your requirements
12. copy all certificates to appropriate directories
13. edit ~/.ldaprc, /etc/openldap/ldap.conf and slapd.conf
14. create and sign additional HOST and USER certificates as
    described.
15. test the certificates
    openssl s_client -connect localhost:389 -showcerts, or port 636
    depending on your system.


 -Dieter
-- 
Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter@schevolution.com
http://www.schevolution.com/tour
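The CA / service-certificate part of Dieter's recipe (steps 2 to 6 and the offline half of step 15), as an added example that is not the poster's own scripts: the same flow with plain openssl commands instead of CA.pl, so every DN is explicit. The working directory, the FQDN ldap.example.test and the DNs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the poster's CA.pl workflow: CA -> service certificate
# with bare openssl commands. Directory, FQDN and DNs are constructed values.
set -eu

# make_ldap_certs DIR FQDN: writes cacert.pem/cakey.pem, ldaphostkey.pem
# (created without a passphrase, so step 6 is not needed) and ldaphostcert.pem
make_ldap_certs() {
  dir="$1"; fqdn="$2"
  mkdir -p "$dir"
  # steps 2-3: give the CA an explicit DN instead of the openssl.cnf defaults
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/C=DE/O=Example Org/CN=Example LDAP CA" \
    -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
  # step 4: service request; CN must be the name clients use to reach slapd
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=DE/O=Example Org/CN=$fqdn" \
    -keyout "$dir/ldaphostkey.pem" -out "$dir/newreq.pem" 2>/dev/null
  # step 5: sign the request with the CA key
  openssl x509 -req -in "$dir/newreq.pem" -CA "$dir/cacert.pem" \
    -CAkey "$dir/cakey.pem" -CAcreateserial -days 365 \
    -out "$dir/ldaphostcert.pem" 2>/dev/null
  # step 15, offline variant: the service cert must verify against the CA alone
  openssl verify -CAfile "$dir/cacert.pem" "$dir/ldaphostcert.pem" >/dev/null
}

# cert_cn FILE: prints the subject CN (RFC2253 output is stable across versions)
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# key_matches_cert KEY CERT: exit 0 iff both carry the same RSA modulus,
# which catches a key/cert mix-up after the renaming in steps 7 and 11
key_matches_cert() {
  [ "$(openssl rsa -noout -modulus -in "$1")" = \
    "$(openssl x509 -noout -modulus -in "$2")" ]
}

# Usage: sh mkldapcerts.sh /tmp/ldapcerts ldap.example.test
if [ $# -eq 2 ]; then
  make_ldap_certs "$1" "$2"
  key_matches_cert "$1/ldaphostkey.pem" "$1/ldaphostcert.pem"
  echo "service cert for $(cert_cn "$1/ldaphostcert.pem") verified against CA"
fi
```

The files it produces are what slapd.conf, /etc/openldap/ldap.conf and ~/.ldaprc point at in step 13; the live check against a running slapd is still the s_client command from step 15.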