[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Problems with openldap2.1.4 and TLS/SSL
Hi,
phantastic, couldn't have made it more clear
as you wrote it, great job Mathias !!!
Wish you had wrote those couple of lines
when 2.1.3 was published, it would have prevented
me from wasting much (wealthy) time ....
If someone would insert it into FAQoMatic,
it would be very helpful for those guys (like me)
that are migrating from 2.0 to 2.1 !!!
greets Harry
> > ----- Original Message -----
> > From: "Stefan Wurzinger" <stefan.wurzinger@greengecko.org>
> > Sent: Monday, September 23, 2002 15:40
> >
> > > i've create the certificate with the following arguments
> > > openssl req -new -x509 -nodes -out server.pem -keyout server.pem
> > > -days 365
> >
> > Aha! You generated a self-signed certificate. That doesn't work with
> > OpenLDAP 2.1! You have to have a real certificate (something
> > certified by a CA).
>
> Uhm... No, self-signed certificates should be just fine:
>
> CA.pl -newca [press return, then answer prompts]
> CA.pl -newreq [enter info you want your LDAP server to have.
> Ignore "extra" attributes.
> Note: you HAVE TO PUT IN A NAME for "commonName"]
> CA.pl -signreq
> openssl rsa -in newreq.pem -out ldapkey.pem # to remove any passphrase
> chmod 0600 ldapkey.pem
> mv newcert.pem ldapcert.pem
>
> slapd.conf:
>
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile /ldap/etc/ldap-cert/ldapcert.pem
> TLSCertificateKeyFile /ldap/etc/ldap-cert/ldapkey.pem
> TLSCACertificateFile /ldap/etc/ldap-cert/demoCA/cacert.pem
>
> Add "TLS_CACERT /ldap/etc/ldap-cert/demoCA/cacert.pem" in
> /<path-to-openldap-tree>/etc/ldap.conf.
>
> Works for me.
>
> Look at http://www.openldap.org/faq/data/cache/185.html and check
> older threads on the subject.
>
>
> --
> Mathias Meisfjordskar
>
> GNU/Linux addict.
> Debian - What your mom would use if it were twenty times easier.
>
--
Werden Sie mit uns zum "OnlineStar 2002"! Jetzt GMX wählen -
und tolle Preise absahnen! http://www.onlinestar.de