
Re: tls

On Fri, Nov 14, 2003 at 12:56:08PM +0300, Mark wrote:

> >If you want to *require* encryption you need to add security strength
> >factors to slapd.conf - see the 'security' section of the slapd.conf
> >manpage.
>
> Thanks, it worked.
>
> I inserted this string in slapd.conf:
> security tls=112
> Is it true?
> Now is all traffic between the client host and the slapd server encrypted?

It should be, but it would be a good idea to check. A simple test is
to use ldapsearch with the '-ZZ' flag. If you want to check that other
clients are using encryption, either turn up the log level on slapd or
use a network snooper like tcpdump to inspect the traffic.

Don't forget that the client programs will need to know about the
server certificate (or preferably the CA certificate that signed it).
This usually means copying the PEM-format certificate file to the
client machine and appending it to a known-certs file. If your client
programs use OpenSSL the command will be something like this:

openssl x509 -in master.cert -text >> /usr/share/ssl/certs/ca-bundle.crt

(The location of the bundle file may vary depending on how OpenSSL was
installed.)

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
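An added example, not from anyone in this thread: a POSIX shell check that reads the global 'security' directive from a slapd.conf (the line Mark added, 'security tls=112') and reports whether cleartext LDAP operations will be refused. The sample config is constructed, the function names are my own, and it assumes the global section ends at the first 'database' line.

```shell
# Constructed sample slapd.conf fragment for the demonstration, not a real config.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
include   /etc/openldap/schema/core.schema
TLSCertificateFile    /etc/openldap/master.cert
TLSCertificateKeyFile /etc/openldap/master.key
# require TLS with at least 112 bits of strength for every operation
security tls=112
database  bdb
suffix    "dc=example,dc=com"
EOF

# Print the value of one factor (tls, ssf, sasl, ...) from the global
# 'security' directive, or 0 if it is not set. Later global directives
# override earlier ones; scanning stops at the first 'database' line
# (assumption: per-database directives are out of scope here).
security_factor() {
    conf="$1"; factor="$2"
    awk -v f="$factor" '
        tolower($1) == "database" { exit }
        tolower($1) == "security" {
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")
                if (tolower(kv[1]) == f) val = kv[2]
            }
        }
        END { print val + 0 }
    ' "$conf"
}

# Does the global config reject cleartext operations? tls= is the one
# factor that insists on TLS itself; ssf= can also be satisfied by a SASL
# confidentiality layer, so it forces encryption but not necessarily TLS.
# simple_bind= and update_* only cover binds or updates, so they do not count.
requires_encryption() {
    [ "$(security_factor "$1" tls)" -gt 0 ] ||
    [ "$(security_factor "$1" ssf)" -gt 0 ]
}

if requires_encryption "$SAMPLE_CONF"; then
    echo "cleartext operations refused (tls=$(security_factor "$SAMPLE_CONF" tls))"
else
    echo "WARNING: no global security directive forces encryption"
fi
rm -f "$SAMPLE_CONF"
```

This only audits the configuration; confirming the running server behaves that way still means the 'ldapsearch -ZZ' test (and a plain, non-TLS search that should be refused) from the reply above.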