[Date Prev][Date Next] [Chronological] [Thread] [Top]

first posting, question on ssl/tls configuration

To: OpenLDAP-software@OpenLDAP.org
Subject: first posting, question on ssl/tls configuration
From: <redredpanda@gmail.com>
Date: Tue, 8 Mar 2005 11:14:00 -0500
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding; b=ANHECcKbf6+3LWiyASUbLWrQXGFxItZKE5WscacdTRdXym5eXtwln16DTKQRRzQQccVZBU0gNIbwT79jNb59wdPOAQRr8VsIfrtbzx5cUdjPkeGFek5BHCVOuo5Wa22GewmTqUgmS1jzS8jOY6jPR5VkSkfhitTYXigceCZ6+a0=

Hi,

i am trying to configure a freebsd  5.3-release machine to be a ldap
server. i am having difficulties with the ssl/tls part. i have googled
and read documentation for hours, so please any help would be much
apreciated. I went to the FAQ (which i discuss at the bottom of the
post) and i would greatly apreciate any help or a point in the right
direction before i tear all my hair out. thanks!

can someone share why ldap without TLS is insecure and if it's a major
security risk or explain brielfy the difference. my understanding is
that many people use ldap without using ssl/tls?


  i installed openldap22-client, openldap22-server, nss_ldap and pam_ldap 
  through ports.  

  i can get a machine that is *not* the ldap server to search the ldap directory

        [user@notservercompute ~]$ ldapsearch -h tux
        # extended LDIF
        # search result
        search: 2
        result: 32 No such object
        # numResponses: 1

   but when i try to access it through the secure port, it fails:

         [usern@notservercompute ~]$ ldapsearch -h tux -p 636
          ldap_bind: Can't contact LDAP server (81)

i call ldap in the following way: 

tux# /usr/local/libexec/slapd -f /usr/local/etc/openldap/slapd.conf -h
"ldaps:/// ldap:///";

am i generating the certificates incorrectly? accordin to the O'reily
"LDAP System Administration"  book i used:

    #CA.pl -newcert

i generated the certificate, but didn't seem to work. and ldap would
actually not start if i added the certificate information.

i read on http://www.openldap.org/faq/data/cache/185.html (the faq's)
about generating certifcates. so tried using CA.sh, but i got some
error messages because i'm an idiot and didn't run the "CA.sh
-newca"first. now CA.sh won't execute at all. is there a way to reset
CA.sh or any reason it's broken?

what needs to be done on the client side for the connection to be
secure?  what am i doing so horribly wrong on generating the
certifcates? do i need to generate certificates on each client as well
and then add that to the client's ldap.conf file?

THANKS! i'm desperate!

_panda

Prev by Date: Double colon in LDIF
Next by Date: Re: multiple structural schemas not allowed (major differences between openldap 2.0.23 and 2.1.30)
Index(es):
- Chronological
- Thread