
Re: tls doesn't work



Fri, 2003-04-04 at 11:17, Kuba Leszewski wrote:


> In ldap.conf, the TLS/SSL related part looks like this:
> # Netscape SDK LDAPS
> #ssl on
> 
> # Netscape SDK SSL options
> #sslpath /etc/ssl/certs/cert7.db
> 
> # OpenLDAP SSL mechanism
> # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
> ssl start_tls
> #ssl off
> 
> # OpenLDAP SSL options
> # Require and verify server certificate (yes/no)
> # Default is "no"
> #tls_checkpeer yes
> 
> # CA certificates for server certificate verification
> # At least one of these are required if tls_checkpeer is "yes"
> tls_cacertfile /usr/local/ssl/ce3-CA/certs/cacert.pem
> tls_cacertdir /usr/local/ssl/ce3-CA
> 
> # SSL cipher suite
> # See man ciphers for syntax
> tls_ciphers TLSv1
> 
> # Client certificate and key
> # Use these, if your server requires client authentication.
> #tls_cert
> #tls_key

What other people are writing is that if you do (at any rate on Linux;
on Solaris, SCO OpenServer etc. you'd do something else):

'strace ldapsearch 2>&1 | grep open | grep conf'

you'll see what .conf files 2.1.x (openldap.org distros) expect, e.g.
inter alia that ldapsearch expects a
"/usr/local/etc/openldap/ldap.conf".

Now a little secret, just between you and me:

If you do:

if [ -f /usr/local/etc/openldap/ldap.conf ]; then
    mv /usr/local/etc/openldap/ldap.conf /usr/local/etc/openldap/ldap.conf.old
fi
ln -s /etc/ldap.conf /usr/local/etc/openldap/ldap.conf

you'll see that it doesn't make the blindest little bit of difference in
practice which ldap.conf you use ('man ldap.conf' shows that OpenLDAP's
ldap.conf is simply a glorified subset of the pam_ldap ldap.conf).

That's what I have, for my simple 2.1.17 installation.

Best,

Tony

-- 

Tony Earnshaw

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
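The two practical points in this thread are (a) find out which ldap.conf the client really opens, and (b) check what the TLS part of that file actually turns on. The quoted config has tls_checkpeer commented out, so with the documented default of "no" the client encrypts the session but never verifies the server certificate. The script below is an added example, not code from the thread or from the OpenLDAP/pam_ldap projects: audit_ldap_conf, conf_get, conf_files_from_strace and write_sample_conf are hypothetical helper names, the sample config is the TLS section quoted above, and the two strace lines are constructed to mimic the output of the 'strace ldapsearch' pipeline.

```shell
#!/bin/sh
# Added example (not part of the original thread). Audits the TLS
# directives of a pam_ldap/OpenLDAP-style ldap.conf and extracts the
# .conf paths from strace output. All helper names are hypothetical.

# Print the last value set for directive KEY in FILE (comments stripped,
# directive names compared case-insensitively). Prints nothing if unset.
conf_get() {
    sed -e 's/#.*//' "$1" |
        awk -v k="$2" 'tolower($1)==k { v=$2 } END { if (v != "") print v }'
}

# Audit one ldap.conf. Prints a line per finding and returns 0 only when
# the client will use TLS, verify the server certificate, and has a trust
# anchor (tls_cacertfile / tls_cacertdir) that exists on this host.
audit_ldap_conf() {
    f=$1; rc=0
    ssl=$(conf_get "$f" ssl)
    checkpeer=$(conf_get "$f" tls_checkpeer)
    cafile=$(conf_get "$f" tls_cacertfile)
    cadir=$(conf_get "$f" tls_cacertdir)

    case "$ssl" in
        start_tls|on|yes) ;;
        *) echo "$f: ssl is '${ssl:-unset}', traffic is not protected"; rc=1 ;;
    esac
    case "$checkpeer" in
        yes) ;;
        *) echo "$f: tls_checkpeer is '${checkpeer:-unset}' (default no), server cert not verified"; rc=1 ;;
    esac
    if [ -z "$cafile" ] && [ -z "$cadir" ]; then
        echo "$f: no tls_cacertfile/tls_cacertdir, nothing to verify against"; rc=1
    fi
    if [ -n "$cafile" ] && [ ! -f "$cafile" ]; then
        echo "$f: tls_cacertfile $cafile does not exist"; rc=1
    fi
    if [ -n "$cadir" ] && [ ! -d "$cadir" ]; then
        echo "$f: tls_cacertdir $cadir does not exist"; rc=1
    fi
    return $rc
}

# Read strace output on stdin and print each .conf path passed to
# open()/openat(), appending MISSING when the call returned an error.
# This answers the "which ldap.conf is really read" question.
conf_files_from_strace() {
    sed -n 's/^open[a-z]*(.*"\([^"]*\.conf\)".*= \(-*[0-9]*\).*/\1 \2/p' |
        awk '{ s = $1; if ($2 < 0) s = s " MISSING"; print s }'
}

# Write the TLS section quoted in the thread to FILE (constructed sample).
write_sample_conf() {
    cat > "$1" <<'EOF'
# OpenLDAP SSL mechanism
ssl start_tls
#ssl off
# Require and verify server certificate (yes/no), default is "no"
#tls_checkpeer yes
tls_cacertfile /usr/local/ssl/ce3-CA/certs/cacert.pem
tls_cacertdir /usr/local/ssl/ce3-CA
tls_ciphers TLSv1
EOF
}

# Stand-alone demo: audit the sample and parse two constructed strace lines.
tmp=$(mktemp -d)
write_sample_conf "$tmp/ldap.conf"
if audit_ldap_conf "$tmp/ldap.conf"; then
    echo "$tmp/ldap.conf: OK"
fi
printf '%s\n' \
  'open("/usr/local/etc/openldap/ldap.conf", O_RDONLY) = -1 ENOENT (No such file or directory)' \
  'openat(AT_FDCWD, "/etc/ldap.conf", O_RDONLY) = 3' |
    conf_files_from_strace
rm -rf "$tmp"
```

On a real host, feed the client's actual trace into the parser ('strace ldapsearch -x 2>&1 | conf_files_from_strace') and run audit_ldap_conf on every path it reports as present; as the thread notes, a symlinked file is read the same way, so the audit result applies to whichever copy the link resolves to.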