RES: SSL Help
Vinh,
I believe that you have some problem with certificates. Did you use the
private/public certificate pair on the server/client LDAP machines?
Be sure to copy /etc/openldap/cacerts/cacert.pem file from server (public
certificate file) to your ldap client machine.
On your LDAP Server slapd.conf file:
>> slapd.conf
>> ....
>> #TLS SSL keys
>> TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:SSLv3 <== You don't need to specify this
>> TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
>> TLSCertificateFile /usr/local/etc/openldap/slapd-cert-ldap1.pem
>> TLSCertificateKeyFile /usr/local/etc/openldap/slapd-key-ldap1.pem
>> #TLSVerifyClient demand
>> ....
I am using this ldap.conf on the client machine:
#######################################################
# file: /etc/ldap.conf
# by: Gustavo Mendes de Carvalho
# when: jan/2008
#######################################################
host ldap_server
base ou=OrgUnit,o=Org,c=country
uri ldaps://ldap_server/
ldap_version 3
port 636
timelimit 120
bind_timelimit 120
idle_timelimit 3600
pam_password md5
ssl on
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_cacertdir /etc/openldap/cacerts
tls_reqcert never
tls_ciphers TLSv1
And this ldap.conf file:
#######################################################
# file: /etc/openldap/ldap.conf
# by: Gustavo Mendes de Carvalho
# when: jan/2008
#######################################################
URI ldaps://ldap_server:636
HOST ldap_server
BASE ou=OrgUnit,o=Org,c=country
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never
I can guarantee that you will have all traffic encrypted. Put a sniffer
there and you can see it.
---
Gustavo Mendes de Carvalho
email: gmcarvalho@gmail.com
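The client configuration above encrypts the session but sets `tls_reqcert never`, which tells the client not to request or check the server's certificate, so the connection is encrypted without the server being authenticated. The following is an added example, not code from the original post or from the OpenLDAP project: a small Python checker that parses a client ldap.conf (the sample text is constructed after the post's config, with its placeholder host and paths), reports TLS settings that weaken server authentication, and emits a hardened copy. Which directive wins when `tls_checkpeer yes` and `tls_reqcert never` both appear is library-specific, so the checker only flags the conflict rather than assuming an outcome.

```python
"""Audit an OpenLDAP-style client ldap.conf for TLS settings that give
encryption without server authentication, then emit a hardened copy.
Added example: not code from the original post or from OpenLDAP."""

# Constructed sample modelled on the client /etc/ldap.conf in the post
# (ldap_server, OrgUnit and the CA path are the post's placeholders).
SAMPLE_LDAP_CONF = """\
# file: /etc/ldap.conf  (constructed sample)
host ldap_server
base ou=OrgUnit,o=Org,c=country
uri ldaps://ldap_server/
port 636
ssl on
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_reqcert never
tls_ciphers TLSv1
"""


def parse_ldap_conf(text):
    """Parse 'key value' lines into a dict. Keys are lowercased because
    ldap.conf directives are case-insensitive; comments and blanks skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_tls(settings):
    """Return a list of findings; an empty list means the server is authenticated."""
    findings = []
    uri = settings.get("uri", "").lower()
    ssl_mode = settings.get("ssl", "").lower()
    if not (uri.startswith("ldaps://") or ssl_mode in ("on", "yes", "start_tls")):
        findings.append("no TLS: uri is not ldaps:// and 'ssl' is not on/start_tls "
                        "(binds and passwords travel in cleartext)")
        return findings

    reqcert = settings.get("tls_reqcert", "").lower()
    checkpeer = settings.get("tls_checkpeer", "").lower()
    if reqcert in ("never", "allow"):
        # 'never': certificate not requested/checked; 'allow': bad cert accepted.
        findings.append(f"tls_reqcert {reqcert}: server certificate is not verified; "
                        "traffic is encrypted but any certificate is accepted, so a "
                        "host impersonating the server is not detected")
        if checkpeer in ("yes", "true"):
            findings.append("tls_checkpeer yes conflicts with tls_reqcert "
                            f"{reqcert}; which one applies depends on the library, "
                            "so make tls_reqcert demand explicit")
    elif reqcert == "try":
        findings.append("tls_reqcert try: a missing server certificate is tolerated; "
                        "use demand")

    # Verification can only succeed if a trust anchor is configured.
    if reqcert not in ("never", "allow") and not (
            settings.get("tls_cacertfile") or settings.get("tls_cacertdir")):
        findings.append("no CA configured: set tls_cacertfile or tls_cacertdir to the "
                        "CA certificate copied from the server")

    ciphers = settings.get("tls_ciphers", "").lower()
    if "sslv2" in ciphers or "sslv3" in ciphers:
        findings.append(f"tls_ciphers {settings['tls_ciphers']}: SSLv2/SSLv3 enabled")
    return findings


def harden(settings):
    """Return a copy with server certificate verification enforced."""
    fixed = dict(settings)
    fixed["tls_reqcert"] = "demand"
    fixed.pop("tls_checkpeer", None)  # redundant once tls_reqcert demand is explicit
    if not (fixed.get("tls_cacertfile") or fixed.get("tls_cacertdir")):
        # Path from the post; assumed location of the CA copied from the server.
        fixed["tls_cacertfile"] = "/etc/openldap/cacerts/cacert.pem"
    return fixed


def render(settings):
    """Serialise a settings dict back to ldap.conf syntax."""
    return "\n".join(f"{k} {v}".rstrip() for k, v in settings.items()) + "\n"


if __name__ == "__main__":
    current = parse_ldap_conf(SAMPLE_LDAP_CONF)
    for finding in audit_tls(current):
        print("WARN:", finding)
    print("--- hardened ---")
    print(render(harden(current)))
```

Run stand-alone it prints the findings for the sample (the `tls_reqcert never` issue and the `tls_checkpeer` conflict) followed by the corrected file, in which `tls_reqcert demand` replaces `never` and the CA file from the post is kept as the trust anchor.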