
Re: OpenLDAP client TLS configuration



"Dan O'Reilly" <dano@process.com> writes:

> At 01:48 PM 9/21/2006, Kurt D. Zeilenga wrote:
>>At 12:00 PM 9/21/2006, Dan O'Reilly wrote:
>> >I'm trying to get an OpenLDAP client to use TLS to talk to a
>> >(non-OpenLDAP) LDAP server.  This LDAP server is properly configured
>> >for TLS (as verified by other (non-OpenLDAP) LDAP clients).
>>
>>Verify the server is configured properly for LDAP over TLS (ldaps://)
>>using the OpenSSL s_client program (with certificate verification
>>enabled).
>
> Well, I guess the specific question I would have here is "what
> certificates/keys/etc are even required for this?".  When setting up
> the LDAP server I was told by the people who supply it that I would
> need only a trusted root certificate from the LDAP server to do
> authentication, but I was also told by another person at that company
> that I would need more than just that one certificate.  What
> specifically would LDAP need?  I suspect my problem isn't really so
> much one of a misconfigured server so much as not having all the
> necessary certs and/or keys available, that sort of thing.

That depends on what you intend to do.
You have three choices:

- mere transport encryption
- trust relation client --> server
- mutual trust relation client <--> server

In most cases you will opt for integrity checks of the client.
For this you have to either create or apply for a certificate authority
(CA), create a server certificate and sign this with your CA.
The client has to have knowledge of and access to the CA, while the
server has to present the server certificate.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
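The procedure Dieter outlines (a CA, a server certificate signed by it, the client holding the CA certificate, the server presenting its certificate) together with Kurt's s_client check, worked through as an added example. This is not code from the thread or from the OpenLDAP project; it assumes the second of the three choices (client verifies server, no client certificate), a server name of ldap.example.com, and the file names used below. TLS_CACERT and TLS_REQCERT are real ldap.conf(5) options; everything else in the script is local to the example.

```shell
#!/bin/sh
# Added example, not from the original thread: build the minimal credentials
# for a client -> server trust relation, verify that relation with openssl,
# and write the OpenLDAP client settings that point at the CA.
# Assumptions: host name ldap.example.com and the file names below.
set -eu

# Create a private CA in directory $1: key plus self-signed CA certificate.
# The CA certificate (ca.pem) is the one file the client needs.
make_ca() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
}

# Create the server key and a certificate for host $2, signed by the CA in $1.
# The subjectAltName is what a verifying client matches against the host it
# connected to; server.key and server.pem stay on the server.
make_server_cert() {
    dir=$1 host=$2
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/server.pem" >/dev/null 2>&1
}

# Offline check of the trust relation: does server certificate $2 chain to
# CA certificate $1? Exit status 0 means yes.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Read s_client output on stdin; succeed only if the chain verified.
s_client_verified() {
    grep -q 'Verify return code: 0 (ok)'
}

# Online check from the thread: connect to an ldaps:// port with s_client,
# CA given, and abort the handshake on a verification error. ldaps:// is TLS
# from the first byte, so no LDAP-level StartTLS exchange is needed.
# (Needs a live server, so it is defined but not run here.)
check_ldaps_server() {
    host=$1 port=$2 cafile=$3
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$cafile" -verify_return_error </dev/null 2>/dev/null \
        | s_client_verified
}

# OpenLDAP client side (ldap.conf or ~/.ldaprc): host $1, CA file $2, output
# file $3. TLS_CACERT is the trust anchor; TLS_REQCERT demand (the default,
# stated explicitly) makes a failed verification fatal.
write_ldap_conf() {
    host=$1 cafile=$2 out=$3
    cat > "$out" <<EOF
URI        ldaps://$host
TLS_CACERT $cafile
TLS_REQCERT demand
EOF
}

demo() {
    work=$(mktemp -d)
    make_ca "$work"
    make_server_cert "$work" ldap.example.com
    if verify_chain "$work/ca.pem" "$work/server.pem"; then
        echo "server cert chains to our CA: ok"
    fi
    # Failure mode: a client holding the wrong CA (or none) cannot verify
    # the server, which is what a TLS connect error usually means here.
    mkdir "$work/other" && make_ca "$work/other"
    if ! verify_chain "$work/other/ca.pem" "$work/server.pem"; then
        echo "server cert does not chain to an unrelated CA: expected failure"
    fi
    write_ldap_conf ldap.example.com "$work/ca.pem" "$work/ldap.conf"
    cat "$work/ldap.conf"
    # With that file in place, exercise the real client against the server:
    #   ldapsearch -x -H ldaps://ldap.example.com -b '' -s base
    #   ldapsearch -x -ZZ -H ldap://ldap.example.com -b '' -s base   # StartTLS
}

demo
```

The `-ZZ` form of ldapsearch requires StartTLS to succeed and is the quickest way to tell a missing or wrong TLS_CACERT (the connection fails) from a server that simply does not offer TLS. Adding a client certificate (TLS_CERT and TLS_KEY) is only needed for Dieter's third choice, the mutual trust relation.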