Re: OpenLDAP with tsl/ssl
Susanne Benkert wrote:
You will always see that. As Kyle said, try tcpdump, tcpflow, snoop or
whatever (depending on your system) to see if data is transferred using TLS
or not (try tcpflow -i lo -c).
Thank you for your fast reply.
Stig Venaas wrote:
I have already tried this on the LDAP server itself: ldapsearch -ZZ -d
127 "cn=*" - but it seems that only parts of the traffic are encrypted.
What you see in clear text is perhaps just the server certificate?
I don't think so, because I can read my LDAP entries in cleartext in the
debug output. But there is no error message which shows that something
with TLS went wrong. *?*
I did nearly the same.
But I have (a quite stupid) question: What does the "FQDN" of the
server mean? My server root (base) of the LDAP directory is
"ou=abteilung,ou=institut,o=organisation,c=de" and my server is "host04".
Is the FQDN in this case "host04.abteilung.institut,organisation,de"? I
only used "host04" as Common Name in the certificate. Could this be my
When creating the key file, you're asked for country, city... and "your OWN
name" (CN). Just put the hostname there. 'hostname' failed for me. I put
my fully qualified hostname: "bjork.admin.kapt.com" (as found in /etc/hosts).
I read somewhere that the name in the certificate was just checked at startup...
so normally it does not matter if you ldapsearch on localhost or your real
host (or IP).
don't forget to start slapd as : slapd -h 'ldap:/// ldaps:///'
I ldapsearch with just one '-Z' (not '-ZZ') like:
ldapsearch -H ldaps://bjork.admin.kapt.com -b "dc=kaptech,dc=com" -D "cn=manager,dc=kaptech,dc=com"
ldapsearch -H ldap://bjork.admin.kapt.com -b "dc=kaptech,dc=com" -D "cn=manager,dc=kaptech,dc=com" -w password -Z
(I was not able to ldapsearch on port 636 though...)
It seems everything is encrypted.... finally :)
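The advice in this thread is to look at the wire rather than at the ldapsearch -d debug output, since the debug trace shows entries as the client itself sees them, before they are encrypted. The following is an added example (not from this thread or from OpenLDAP) that classifies captured TCP payloads of a port-389 StartTLS session into the cleartext StartTLS exchange and the TLS records that follow, and flags any LDAP message still sent in the clear after TLS has started; the sample flow is constructed.

```python
"""Classify captured LDAP payloads as cleartext LDAP, a StartTLS request or
TLS records.  Constructed sample, not from the thread; layouts per RFC 4511."""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # requestName of the StartTLS extended op


def ber_length(data, pos):
    """Decode a BER length at data[pos]; return (length, next_pos) or None."""
    if pos >= len(data):
        return None
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(data):
        return None
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_payload(data):
    """Return 'tls', 'starttls', 'ldap' or 'unknown' for one TCP payload."""
    if (len(data) >= 5 and data[0] in (0x14, 0x15, 0x16, 0x17)
            and data[1] == 3 and data[2] <= 4):
        return "tls"  # record header: content type, version 3.x, 16-bit length
    if data[:1] == b"\x30":  # LDAPMessage ::= SEQUENCE { messageID INTEGER, ...}
        parsed = ber_length(data, 1)
        if parsed and parsed[1] < len(data) and data[parsed[1]] == 0x02:
            return "starttls" if STARTTLS_OID in data else "ldap"
    return "unknown"


def audit_flow(chunks):
    """Classify payloads in order; flag cleartext LDAP after TLS has begun.
    With `ldapsearch -Z` on port 389 the StartTLS request and its response are
    legitimately in the clear; any LDAP chunk after the first TLS record means
    directory data is leaving the host unencrypted."""
    kinds = [classify_payload(c) for c in chunks]
    leak = "tls" in kinds and any(
        k in ("ldap", "starttls") for k in kinds[kinds.index("tls"):])
    return kinds, leak


# Constructed sample: StartTLS request, success response, then TLS records.
SAMPLE_FLOW = [
    b"\x30\x1d\x02\x01\x01\x77\x18\x80\x16" + STARTTLS_OID,       # extendedReq
    b"\x30\x0c\x02\x01\x01\x78\x07\x0a\x01\x00\x04\x00\x04\x00",  # result 0
    b"\x16\x03\x01\x00\x05hello",                                 # ClientHello
    b"\x17\x03\x03\x00\x03abc",                                   # app data
]
```

Feed it the payloads of one direction of a tcpflow capture in order; a healthy -Z session yields only the StartTLS exchange before the first TLS record and nothing cleartext after it.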