
Re: Newbie OpenLDAP/SSL/Certificates question (now works)

Stefan Champailler wrote:

I managed to get it working (well, I think, future will tell more).

I'd like to point out two things that, IMHO, are quite "hidden" in the natural places where one looks for information (how-to's, faq). Could someone be kind enough to tell me if those statements are correct? If so, I'll file a change request so that the documentation gets updated a bit.

- white spaces at the end of a line have special meaning in ldif files. So if they are unnecessary, remove them (otherwise say hello to the problems)

All white space is significant. There are explicit statements that white space is significant, so for you to assume otherwise makes no sense.

- TLS_CERT / TLS_KEY must appear in .ldaprc, NOT in ldap.conf. In the man page of ldap.conf, it is said that these options are "user only". The hard part is that it translates to "these options can only appear in .ldaprc".

The ldap.conf(5) man page explicitly states

      Some options are user-only.  Such options are  ignored  if
      present  in the ldap.conf (or file specified by LDAPCONF).

- If one wants to make a "fully-localhost" test (that is, everything run on localhost, without access to the web, a DNS or whatever), then he has to set his host name to something that can be recognized as a FQDN (for example, localhost.love.com). This is particularly an issue when one wants to use SSL/TLS with certificates. The client/server certificates need to have their CN set to the FQDN of the machine they run on. However, "localhost" is not a valid FQDN, therefore making certificates with CN=localhost won't work. So one has to find a way to name his machine with a proper FQDN, for example localhost.love.com. To achieve that, the simplest way is to set the hostname of the machine to the FQDN (on my debian, I put "localhost.love.com" as the sole content of /etc/hostname). And one has to make sure that FQDN can be resolved to an IP; for that I used " localhost.love.com" in my /etc/hosts.

I routinely use certs with cn=localhost for testing. All that matters is that "localhost" is a valid recognized hostname in whatever name resolution mechanism you happen to be using. For most purposes, having " localhost" in /etc/hosts is sufficient.

 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support
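The two gotchas in this exchange (trailing whitespace in LDIF values is significant, and TLS_CERT / TLS_KEY are user-only options that libldap ignores in ldap.conf) are easy to check for mechanically. The script below is an added example written for this archive page; it is not code from the thread or from the OpenLDAP project. It assumes the set of user-only options is just the two the thread names, and works only with the plain `attr: value` LDIF form (base64 `::` and URL `:<` values are skipped). The LDIF and ldap.conf inputs are constructed samples.

```python
"""Lint checks for two OpenLDAP client gotchas raised in the thread:
trailing whitespace in LDIF values, and user-only TLS options placed in ldap.conf."""

# ldap.conf(5) options the thread identifies as user-only: they are ignored in the
# system ldap.conf and honoured only in ~/.ldaprc. Assumption: only these two are listed.
USER_ONLY_OPTIONS = {"TLS_CERT", "TLS_KEY"}


def unfold_ldif(text):
    """Join LDIF continuation lines. A physical line beginning with one space
    continues the previous logical line, with that single space removed.
    Returns a list of (first_physical_line_number, logical_line)."""
    logical = []
    for number, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith(" ") and logical:
            first, body = logical[-1]
            logical[-1] = (first, body + raw[1:])
        else:
            logical.append((number, raw))
    return logical


def parse_ldif(text):
    """Minimal LDIF reader for 'attr: value' lines. Returns a list of records, each a
    list of (line_number, attribute, value). Spaces directly after the colon are
    fill and are dropped; everything else, trailing spaces included, is kept."""
    records, current = [], []
    for number, line in unfold_ldif(text):
        if line == "":
            if current:
                records.append(current)
                current = []
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep or value.startswith(":") or value.startswith("<"):
            # Base64 (::) and URL (:<) value forms are out of scope for this checker.
            continue
        current.append((number, attr, value.lstrip(" ")))
    if current:
        records.append(current)
    return records


def lint_ldif(text):
    """Report values that end in whitespace as (line_number, attribute, value)."""
    findings = []
    for record in parse_ldif(text):
        for number, attr, value in record:
            if value != value.rstrip():
                findings.append((number, attr, value))
    return findings


def lint_ldap_conf(text):
    """Report user-only options found in a system ldap.conf, where libldap would
    silently ignore them, as (line_number, OPTION). Option names are case-insensitive."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        option = line.split(None, 1)[0].upper()
        if option in USER_ONLY_OPTIONS:
            findings.append((number, option))
    return findings


# Constructed sample inputs (not taken from the thread).
SAMPLE_LDIF = (
    "dn: cn=test,dc=example,dc=com\n"
    "objectClass: organizationalRole\n"
    "cn: test \n"              # trailing space becomes part of the value
    "description: split over\n"
    " two lines\n"             # continuation: leading space removed, rest appended
    "\n"
)

SAMPLE_LDAP_CONF = (
    "# constructed /etc/ldap/ldap.conf\n"
    "BASE dc=example,dc=com\n"
    "URI ldaps://ldap.example.com\n"
    "TLS_CACERT /etc/ssl/certs/ca.pem\n"
    "TLS_CERT /etc/ssl/certs/client.pem\n"
    "TLS_KEY /etc/ssl/private/client.key\n"
)

if __name__ == "__main__":
    for number, attr, value in lint_ldif(SAMPLE_LDIF):
        print(f"LDIF line {number}: {attr} has trailing whitespace: {value!r}")
    for number, option in lint_ldap_conf(SAMPLE_LDAP_CONF):
        print(f"ldap.conf line {number}: {option} is user-only; move it to ~/.ldaprc")
```

Running it on the samples flags `cn` on LDIF line 3 (its value is `'test '`, space included) and shows that the folded `description` value is `split overtwo lines`, since only the continuation line's leading space is removed; it also flags the two TLS options on lines 5 and 6 of the ldap.conf sample, which belong in the user's `.ldaprc` instead.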