[Date Prev][Date Next]
Re: Newbie OpenLDAP/SSL/Certificates question (now works)
Stefan Champailler wrote:
All white space is significant. There are explicit statements that white
space is significant, so for you to assume otherwise makes no sense.
I managed to get it working (well, I think, future will tell more).
I'd like to point out two things that, IMHO, are quite "hidden" in the natural
places where one looks for information (how-to's, faq). Could someone be kind
enough to tell me if those statements are correct ? If so, I'll fill a change
request so that the documentation gets updated a bit.
- white spaces at the end of a line have special meaning in ldif files. So if
they are unnecessary, remove them (otherwise say hello to the problems)
- TLS_CERT / TLS_KEY must appear in .ldaprc, NOT in ldap.conf. In the man page
of ldap.conf, it is said that these options are "user only". The hard part is
that it translates to "these options can only appear in .ldaprc".
The ldap.conf(5) man page explicitly states
Some options are user-only. Such options are ignored if
present in the ldap.conf (or file specified by LDAPCONF).
- If one wants to make a "fully-localhost" test (that is, everything run on
localhost, without access to the web, a DNS or whatever), then he has to set
its host name to something that can be recognized as a FQDN (for exmaple,
localhost.love.com). This is particularly an issue when one wants to use
SSL/TSL with certificates. The client/server certificates needs to have their
CN set to the FQDN of the machine they run on. However, "localhost" is not a
valid FQDN therefore making certificates with CN=localhost won't work. So one
has to find a way to name its machine with a proper FQDN, for example
localhost.love.com. To achieve that, the simplest way is to set the hostname
of the machine to the FQDN (on my debian, I put "localhost.love.com" as the
sole content of /etc/hostname). And one has to make sure that FQDN can be
resolved to an IP, for that I used "127.0.0.1 localhost.love.com" in
my /etc/hosts.I routinely use certs with cn=localhost for testing. All that matters is
that "localhost" is a valid recognized hostname in whatever name
resolution mechanism you happen to be using. For most purposes, having
"127.0.0.1 localhost" in /etc/hosts is sufficient.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support