
Re: Configuring slapd.conf for SSL
Hi,

Would anyone know if there is a problem with the slapd file below? I
enabled the TLSXXX variables but it seems there is something else that
needs to be done.

Any help would be appreciated. Or, in short, if someone has
instructions on the slapd changes to be made, and any flags that need
to be set when launching slapd, that would help.

Thanks in advance,
Safdar

On 4/21/05, Safdar Kureishy <safdar.kureishy@gmail.com> wrote:
> Thanks Nick. I was actually trying to enable SSL on a working vanilla
> server, so yes, the server worked before I tried to enable SSL. Here's
> the complete slapd.conf file.
> 
> Thanks for your help.
> 
> Regards,
> Safdar
> 
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> ucdata-path     "C:/Program Files/Openldap-secure/ucdata"
> include         "C:/Program Files/Openldap-secure/etc/schema/core.schema"
> 
> # Define global ACLs to disable default read access.
> 
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral       ldap://root.openldap.org
> 
> pidfile         "C:/Program Files/Openldap-secure/var/run/slapd.pid"
> argsfile        "C:/Program Files/Openldap-secure/var/run/slapd.args"
> 
> # Load dynamic backend modules:
> # modulepath    "C:/Program Files/Openldap-secure/libexec/openldap"
> # moduleload    back_bdb.la
> # moduleload    back_ldap.la
> # moduleload    back_ldbm.la
> # moduleload    back_passwd.la
> # moduleload    back_shell.la
> 
> # Enable TLS if port is defined for ldaps
> TLSVerifyClient never
> TLSCertificateFile "C:/Program Files/OpenLDAP-secure/certs/server.pem"
> TLSCertificateKeyFile "C:/Program Files/OpenLDAP-secure/certs/serverkey.pem"
> TLSCACertificateFile "C:/Program Files/OpenLDAP-secure/certs/CA.pem"
> 
> # Sample security restrictions
> #       Require integrity protection (prevent hijacking)
> #       Require 112-bit (3DES or better) encryption for updates
> #       Require 63-bit encryption for simple bind
> # security ssf=1 update_ssf=112 simple_bind=64
> 
> # Sample access control policy:
> #       Root DSE: allow anyone to read it
> #       Subschema (sub)entry DSE: allow anyone to read it
> #       Other DSEs:
> #               Allow self write access
> #               Allow authenticated users read access
> #               Allow anonymous users to authenticate
> #       Directives needed to implement policy:
> # access to dn.base="" by * read
> # access to dn.base="cn=Subschema" by * read
> # access to *
> #       by self write
> #       by users read
> #       by anonymous auth
> #
> # if no access controls are present, the default policy
> # allows anyone and everyone to read anything but restricts
> # updates to rootdn.  (e.g., "access to * by * read")
> #
> # rootdn can always read and write EVERYTHING!
> 
> #######################################################################
> # BDB database definitions
> #######################################################################
> 
> database        bdb
> suffix          "dc=mycompany,dc=com"
> rootdn          "cn=Manager,dc=mycompany,dc=com"
> 
> # Cleartext passwords, especially for the rootdn, should
> # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> rootpw          password
> 
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory       "C:/Program Files/Openldap-secure/var/openldap-data"
> # Indices to maintain
> index   objectClass     eq
> 
> 
> On 4/21/05, Nick Bernstein <nbernstein@frontbridge.com> wrote:
> > On Thu, 2005-04-21 at 10:44 -0700, Safdar Kureishy wrote:
> > > Hi,
> > >
> > > I installed the windows version of OpenLDAP and am trying to configure
> > > SSL. Here is what I have added into my slapd.conf. However, when I try
> > > to connect to it using ldapbrowser, I get a connection failure. I
> > > tried both 636 and 389, but neither of the ports are working. On 636
> > > actually the ldapbrowser hangs for a minute, I guess trying to
> > > establish a connection, but then it finally fails
> >
> > I think you might be approaching this wrong: try removing all of the ssl
> > stuff and get it working in its most simple form first, then keep
> > adding features to it little by little verifying that each step works
> > along the way. That way, if ssl is causing problems, you can verify that
> > it is the ssl, and not some other configuration error. Also, I'd post
> > your entire slapd.conf and any relevant log files - also, look at what
> > your firewall is doing to see if it's allowing those hosts.
> >
> > good luck,
> > Nick
> >
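The following is an added example, not code from the thread: a small Python linter that parses the TLS-relevant lines of the slapd.conf posted above (embedded here as a constructed sample) and reports what a reviewer would flag in it: any of the three TLS file directives missing or pointing at a non-existent file, the absence of a `security` directive (so TLS is offered but never required), and a cleartext `rootpw`. The `exists` parameter is a hypothetical hook so the check also runs on a machine without those Windows paths.

```python
import os

# Constructed sample: the TLS-relevant lines of the slapd.conf posted in the thread.
SAMPLE_CONF = """\
# Enable TLS if port is defined for ldaps
TLSVerifyClient never
TLSCertificateFile "C:/Program Files/OpenLDAP-secure/certs/server.pem"
TLSCertificateKeyFile "C:/Program Files/OpenLDAP-secure/certs/serverkey.pem"
TLSCACertificateFile "C:/Program Files/OpenLDAP-secure/certs/CA.pem"
# security ssf=1 update_ssf=112 simple_bind=64
database        bdb
rootdn          "cn=Manager,dc=mycompany,dc=com"
rootpw          password
"""

# Directives slapd needs before it can offer TLS at all.
TLS_FILE_DIRECTIVES = ("tlscertificatefile", "tlscertificatekeyfile",
                       "tlscacertificatefile")


def parse_slapd_conf(text):
    """Map each uncommented directive (lowercased) to its value, quotes stripped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)  # directive, then the rest of the line
        value = parts[1].strip() if len(parts) > 1 else ""
        conf[parts[0].lower()] = value.strip('"')
    return conf


def lint_tls(conf, exists=os.path.exists):
    """Return a list of findings; `exists` is injectable (hypothetical hook) for offline runs."""
    findings = []
    for d in TLS_FILE_DIRECTIVES:
        if d not in conf:
            findings.append(f"missing {d}: slapd cannot offer TLS without it")
        elif not exists(conf[d]):
            findings.append(f"{d} points to a file that does not exist: {conf[d]}")
    if "security" not in conf:
        findings.append("no 'security' directive: TLS is offered but never required")
    pw = conf.get("rootpw", "")
    if pw and not pw.startswith("{"):  # slappasswd(8) output starts with a {SCHEME}
        findings.append("rootpw is cleartext: store a slappasswd(8) hash instead")
    return findings


if __name__ == "__main__":
    for finding in lint_tls(parse_slapd_conf(SAMPLE_CONF)):
        print("-", finding)
```

These directives only configure TLS; slapd listens for ldaps:// on port 636 only when started with `-h "ldap:/// ldaps:///"` (see slapd(8)), which is the launch flag the question asks about.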