
Re: OpenLDAP client TLS configuration

"Dan O'Reilly" <dano@process.com> writes:

> At 01:48 PM 9/21/2006, Kurt D. Zeilenga wrote:
>>At 12:00 PM 9/21/2006, Dan O'Reilly wrote:
>> >I'm trying to get an OpenLDAP client to use TLS to talk to a
>> >(non-OpenLDAP) LDAP server.  This LDAP server is properly configured
>> >for TLS (as verified by other (non-OpenLDAP) LDAP clients).
>>Verify the server is configured properly for LDAP over TLS (ldaps://)
>>using the OpenSSL s_client program (with certificate verification
> Well, I guess the specific question I would have here is "what
> certificates/keys/etc are even required for this?".  When setting up
> the LDAP server I was told by the people who supply it that I would
> need only a trusted root certificate from the LDAP server to do
> authentication, but I was also told by another person at that company
> that I would need more than just that one certificate.  What
> specifically would LDAP need?  I suspect my problem isn't really so
> much one of a misconfigured server so much as not having all the
> necessary certs and/or keys available, that sort of thing.

That depends on what you intend to do.
You have three choices:

- mere transport encryption
- trust relation client --> server
- mutual trust relation client <--> server

In most cases you will opt for integrity checks of the client.
For this you have to either create or apply for a certificate authority
(CA), create a server certificate and sign this with your CA.
The client has to have knowledge of and access to the CA, while the
server has to present the server certificate.


Dieter Klünter | Systemberatung