Re: OpenLDAP with tsl/ssl
On Fri, Nov 30, 2001 at 03:18:43PM +0100, Susanne Benkert wrote:
> I can't start:  ldapsearch -h "host" -p "636" -b
> "ou=test,o=testfirma,c=de" "cn=*" (from remote host).
> I have already tried this on the LDAP-Server itself: ldapsearch -ZZ -d
> 127 "cn=*" - but it seems, that only parts of the traffic are encrypted.

What you see in clear text is perhaps just the server certificate?

> And PHP scripts don't work, when I use: "connect ("ldaps://host/");"
> like the PHP-Manual suggests.

What PHP does is similar to ldapsearch -H "ldaps://host/" -b ....
Neither or both should work.

I did as follows:

I created my own certificate for CA and then created a certificate
for the LDAP server where CN in the certificate is the same as the
FQDN of the LDAP server (ldap.testfirma.de or something). See how
at http://www.raphinou.com/ldaps/LDAP-SSL.HOWTO

In slapd.conf I added

   TLSCipherSuite HIGH:MEDIUM:+SSLv2:RSA
   TLSCertificateFile /usr/local/etc/openldap/servercerts/server.crt
   TLSCertificateKeyFile /usr/local/etc/openldap/servercerts/server.key

I don't remember if the server will listen on 636 by default, you
might try to use -h "ldaps://0.0.0.0/" or -h "ldaps://FQDN/" as
parameters when you start slapd. You can use netstat to check if it
listens on 636, or try to telnet to 636 from another host.

Then I believe ldapsearch -H "ldaps://FQDN/" -b .... should work.
You might try to add "-d level" to get some debugging info with
both ldapsearch and slapd. tcpdump could be useful to see what
happens, whether 636 is used and whether the data are encrypted. Note
that it is also possible to have encryption over port 389, where
the client issues a start TLS command. This is also possible from
PHP with the new ldap_start_tls() function.

Stig
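Added example, not part of Stig's reply and not OpenLDAP's own code: a POSIX shell script for the certificate part of the procedure above. It builds a private CA, issues a server certificate whose CN equals the server's FQDN, and then verifies the result the way a client would (chain check plus name check). The FQDN ldap.testfirma.de is the one named in the reply; the helper names (make_certs, check_cert, probe_ldaps), the O=testfirma organisation, the "Test CA" name and the directory layout are assumptions of this script. It goes one step beyond the reply by also putting the FQDN into subjectAltName, which current clients check in preference to CN.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI.

FQDN="${FQDN:-ldap.testfirma.de}"   # from the reply; override via env

# make_certs DIR FQDN : write ca.crt/ca.key and server.crt/server.key
# into DIR. A private req config is used so the script does not depend
# on the system openssl.cnf.
make_certs() {
    dir="$1"; fqdn="$2"
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = testfirma
CN = Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # Self-signed CA certificate.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/req.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    # Server key and CSR; CN must be the FQDN clients connect to.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -subj "/O=testfirma/CN=$fqdn" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    # Extensions for the server cert: SAN carries the FQDN as well.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$fqdn" \
        > "$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" >/dev/null 2>&1
    # Private keys readable only by the account slapd runs as.
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

# check_cert DIR FQDN : return 0 only if server.crt chains to ca.crt and
# both its CN and its SAN name the given FQDN (a mismatch here is the
# usual reason ldapsearch -H ldaps://... refuses the connection).
check_cert() {
    dir="$1"; fqdn="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 \
        || return 1
    # RFC2253 prints the most specific RDN first: "CN=...,O=testfirma"
    subj=$(openssl x509 -in "$dir/server.crt" -noout -subject \
               -nameopt RFC2253 | sed 's/^subject= *//')
    [ "${subj%%,*}" = "CN=$fqdn" ] || return 1
    openssl x509 -in "$dir/server.crt" -noout -text | grep -qF "DNS:$fqdn"
}

# probe_ldaps FQDN CAFILE : remote check that port 636 really serves TLS
# with a certificate that verifies against CAFILE (not run in the demo).
# The ldapsearch equivalents are:
#   LDAPTLS_CACERT=CAFILE ldapsearch -H "ldaps://FQDN/" -b "..." "cn=*"
#   LDAPTLS_CACERT=CAFILE ldapsearch -ZZ -H "ldap://FQDN/" -b "..." "cn=*"
probe_ldaps() {
    openssl s_client -connect "$1:636" -CAfile "$2" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# Demo when run directly; skipped quietly if openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    workdir=$(mktemp -d)
    make_certs "$workdir" "$FQDN"
    if check_cert "$workdir" "$FQDN"; then
        echo "server.crt verifies and names $FQDN; files are in $workdir"
    else
        echo "certificate check failed for $FQDN" >&2
    fi
fi
```

The resulting paths drop straight into the TLSCertificateFile and TLSCertificateKeyFile lines shown above, and ca.crt is what clients need in LDAPTLS_CACERT (or TLS_CACERT in ldap.conf) so that the hostname and chain checks pass instead of being switched off.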