Re: Setting up OpenLDAP SSL, client and server

Hello Dave,

Tuesday, July 23, 2002, 7:04:08 PM, you wrote:

DS> Can anyone point me in the direction of a good HOWTO on setting up
DS> OpenLDAP over SSL for both server and client side? With other directory 
DS> services (Novell eDirectory for example), one must export the trusted 
DS> root certificate (public key) and consume that on the client side. Does 
DS> such a method exist in OpenLDAP?

I guess the answer is YES.
The reason You didn't find what You want is that OpenSSL is a separate
thing. You should search for an OpenSSL HOWTO, then You will be able to deal
with OpenLDAP's TLS. It behaves exactly the same as other
OpenSSL-aware solutions.

I have made some list-talking here last week.
In two words, You need to generate the certificates with OpenSSL (one
self-signed for the trusted root, or CA, and one for the server,
signed by this CA). Then export Your trusted root (CA) certificate to
clients. Always use the FQDN as `Common Name' for the LDAP server
certificate. OpenLDAP TLS server settings are well documented in man
pages (see slapd.conf(5)). Look for TLSxxxxxxx options.

BTW if You use SSL for WEB servers, You can sign its certificate with
the same root CA.

Then You must tell the server NOT to verify the client's certificate,
unless You enable client certificates as well. That seems to be
enough. Note that server certificate verification in client may fail
unless You are able to import trusted root CA.
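The steps above (self-signed root CA, server certificate signed by that CA with the FQDN as Common Name, then the client verifying the server against the exported CA certificate) as an added worked example in POSIX sh with the openssl CLI. This is not code from the original post; the directory, the CA name "Example LDAP Root CA" and the hostname ldap.example.com are constructed for the example. It also adds a subjectAltName extension, which the post does not mention but which current TLS clients require in addition to the Common Name:

```sh
#!/bin/sh
# Added example (not from the original mailing-list post): build a minimal
# PKI for an OpenLDAP server and check it the way a TLS client would.
set -eu

# make_ldap_pki DIR FQDN
#   Creates in DIR:
#     ca.key / ca.crt     self-signed root CA (ca.crt is what gets exported to clients)
#     ldap.key / ldap.crt server key and certificate, CN = FQDN, signed by the CA
make_ldap_pki() {
    dir=$1
    fqdn=$2
    mkdir -p "$dir"

    # 1. Self-signed root CA. The CA name is a constructed example value.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Example LDAP Root CA" >/dev/null 2>&1

    # 2. Server key and CSR. The Common Name is the FQDN clients will connect to.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/ldap.key" -out "$dir/ldap.csr" \
        -subj "/CN=$fqdn" >/dev/null 2>&1

    # 3. Sign the CSR with the CA. The SAN extension repeats the FQDN because
    #    modern clients match the hostname against SAN, not only against CN.
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/san.ext"
    openssl x509 -req -days 365 -in "$dir/ldap.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/ldap.crt" >/dev/null 2>&1

    # Private keys must not be world-readable.
    chmod 600 "$dir/ca.key" "$dir/ldap.key"
}

# verify_server_cert DIR
#   The client-side check: validate the server certificate against the
#   exported CA certificate only. Prints "ok" or "fail".
verify_server_cert() {
    if openssl verify -CAfile "$1/ca.crt" "$1/ldap.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# cert_cn DIR
#   Prints the Common Name of the server certificate (handles both the
#   "subject=/CN=x" and the "subject=CN = x" output styles of openssl).
cert_cn() {
    openssl x509 -in "$1/ldap.crt" -noout -subject | sed 's/.*CN *= *//'
}

# Stand-alone demo run in a temporary directory.
demo_dir=$(mktemp -d)
make_ldap_pki "$demo_dir" ldap.example.com
echo "server cert CN:   $(cert_cn "$demo_dir")"
echo "client-side check: $(verify_server_cert "$demo_dir")"
echo "files in $demo_dir: ca.crt (export to clients), ldap.crt, ldap.key"
```

On the server, point slapd.conf(5) at these files with TLSCACertificateFile (ca.crt), TLSCertificateFile (ldap.crt) and TLSCertificateKeyFile (ldap.key); `TLSVerifyClient never` is the setting that tells slapd not to demand a client certificate, as the post describes. On the client, ca.crt is the file named by TLS_CACERT in ldap.conf(5); without it the client-side verification in verify_server_cert is exactly what fails.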

I see growing interest in the OpenLDAP + TLS tandem. Maybe I'll make some
kind of HOWTO and (try to) contribute it, but I'm not an SSL expert.