first posting, question on ssl/tls configuration
- To: OpenLDAP-software@OpenLDAP.org
- Subject: first posting, question on ssl/tls configuration
- From: <email@example.com>
- Date: Tue, 8 Mar 2005 11:14:00 -0500
I am trying to configure a FreeBSD 5.3-RELEASE machine to be an LDAP server. I am having difficulties with the SSL/TLS part. I have googled and read documentation for hours, so please, any help would be much appreciated. I went to the FAQ (which I discuss at the bottom of the post) and I would greatly appreciate any help or a point in the right direction before I tear all my hair out. Thanks!

Can someone share why LDAP without TLS is insecure and whether it's a major security risk, or explain briefly the difference? My understanding is that many people use LDAP without using SSL/TLS?

I installed openldap22-client, openldap22-server, nss_ldap and pam_ldap.

I can get a machine that is *not* the LDAP server to search the LDAP directory:
[user@notservercompute ~]$ ldapsearch -h tux
# extended LDIF
# search result
result: 32 No such object
# numResponses: 1
But when I try to access it through the secure port, it fails:
[usern@notservercompute ~]$ ldapsearch -h tux -p 636
ldap_bind: Can't contact LDAP server (81)
I call ldap in the following way:
tux# /usr/local/libexec/slapd -f /usr/local/etc/openldap/slapd.conf -h
Am I generating the certificates incorrectly? According to the O'Reilly "LDAP System Administration" book I used:

I generated the certificate, but it didn't seem to work, and ldap would actually not start if I added the certificate information.

I read on http://www.openldap.org/faq/data/cache/185.html (the FAQ) about generating certificates, so I tried using CA.sh, but I got some error messages because I'm an idiot and didn't run "CA.sh -newca" first. Now CA.sh won't execute at all. Is there a way to reset CA.sh, or any reason it's broken?

What needs to be done on the client side for the connection to be secure? What am I doing so horribly wrong in generating the certificates? Do I need to generate certificates on each client as well and then add that to the client's ldap.conf file?

THANKS! I'm desperate!
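The post above describes the symptom (port 389 answers, port 636 returns "Can't contact LDAP server (81)") without showing the TLS directives in slapd.conf or the client's ldap.conf. The following is an added example, not code from the original post or from the OpenLDAP project: it renders the OpenLDAP 2.2-era server and client TLS settings, and includes a small audit function that reports which of the three certificate directives a given slapd.conf is missing, since a listener on 636 with no certificate to present is the usual cause of that error. The paths under /usr/local/etc/openldap/, the file names cacert.pem, servercrt.pem and serverkey.pem, and the base DN dc=example,dc=com are assumptions; the hostname "tux" is the one from the post.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenLDAP project).
# Assumption: FreeBSD port layout with configs under /usr/local/etc/openldap.
SLAPD_CONF_DIR=/usr/local/etc/openldap

# Server-side TLS directives for slapd.conf (OpenLDAP 2.2 names).
# Without a certificate and key, slapd has nothing to present on the
# ldaps:// listener and the handshake fails before any bind happens.
# Start slapd with both listeners: slapd -f slapd.conf -h "ldap:/// ldaps:///"
render_slapd_tls_conf() {
    cat <<EOF
TLSCACertificateFile  $SLAPD_CONF_DIR/cacert.pem
TLSCertificateFile    $SLAPD_CONF_DIR/servercrt.pem
TLSCertificateKeyFile $SLAPD_CONF_DIR/serverkey.pem
TLSVerifyClient       never
EOF
}

# Client-side ldap.conf: each client needs only the CA certificate, not its
# own certificate. TLS_REQCERT demand makes the client refuse a server whose
# certificate does not chain to that CA, which is what makes the connection
# meaningfully secure rather than merely encrypted.
render_client_ldap_conf() {
    cat <<EOF
URI         ldaps://$1
BASE        dc=example,dc=com
TLS_CACERT  $SLAPD_CONF_DIR/cacert.pem
TLS_REQCERT demand
EOF
}

# audit_slapd_conf FILE: print each missing TLS directive on its own line;
# print nothing and return 0 when certificate, key and CA are all configured.
audit_slapd_conf() {
    conf=$1
    missing=""
    for directive in TLSCertificateFile TLSCertificateKeyFile TLSCACertificateFile; do
        if ! grep -qi "^[[:space:]]*$directive[[:space:]]" "$conf"; then
            missing="$missing$directive
"
        fi
    done
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# Constructed sample configs so the script runs stand-alone: one slapd.conf
# with no TLS settings (the situation in the post) and one with them added.
DEMO_DIR=${TMPDIR:-/tmp}/slapd-tls-demo.$$
mkdir -p "$DEMO_DIR"
{
    echo "include  $SLAPD_CONF_DIR/schema/core.schema"
    echo "database bdb"
    echo "suffix   \"dc=example,dc=com\""
} > "$DEMO_DIR/plain.conf"
{ cat "$DEMO_DIR/plain.conf"; render_slapd_tls_conf; } > "$DEMO_DIR/tls.conf"

for f in "$DEMO_DIR/plain.conf" "$DEMO_DIR/tls.conf"; do
    if audit_slapd_conf "$f" > "$DEMO_DIR/missing.txt"; then
        echo "$f: TLS directives complete, ldaps:// can present a certificate"
    else
        echo "$f: missing directives, ldaps:// will fail the handshake:"
        sed 's/^/    /' "$DEMO_DIR/missing.txt"
    fi
done

echo "--- client ldap.conf for host tux ---"
render_client_ldap_conf tux
```

The audit only checks that the directives are present; it does not verify that the referenced files exist, are readable by the slapd user, or that the certificate's CN matches the hostname the client uses, all of which also have to hold before ldapsearch -h tux -p 636 succeeds.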