[Date Prev][Date Next]
Craig Jackson <email@example.com> writes:
> I set up an ldap server which allows plain text authentication, but was
> unable to configure it to use ssl/tls authentication. I have the
> ldap-tls package installed (Debian system). Ldap is listening on 636 and
> 389 (using netstat and telnet from another box as test), so it seems to
> be working. However, when trying to authenticate from Evolution client,
> the connection fails. Has anyone gone this route before?
Evolution is only able to use SSL, not TLS.
> Other info:
> The pem file is 600
> I used this site as a guide:
Me think, that wouldn't work :-)
Now just a few lines describing the way I did it.
1. Use the scripts in ssl/misc
2. change openssl.cnf to your DN requirements, do NOT use default settings!
3. create a Certificate Authority, ./CA.pl -newca
4. create a SERVICE certificate. ./CA.pl -newreq, with FQDN of your ldapserver
5. sign the service certificate ./CA.pl -signreq
6. remove password from newcert.pem,
./ openssl rsa -in newreq.pem -out ldaphostkey.pem
7. rename newcert.pem to your requirement
8. create a USER certificate ./CA.pl -newreq, with DN of your user.
9. sign user certificate ./CA.pl -signreq
10. remove password from newcert.pem, as decribed above
11. rename newcert.pem newreq.pem to your requirements
12. copy all certificates to appropriate directories
13. edit ~/.ldaprc, /etc/openldap/ldap.conf and slapd.conf
14. create and sign additional HOST and USER certificates as
15. test the certificates
openssl s_client connect localhost:389 -showcerts, or port 636
depending on your system.
Dieter Kluenter | Systemberatung
Tel:040.64861967 | Fax: 040.64891521