[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP issues when connecting over SSL


On 1/22/07, S Kalyanasundaram <skalyanasundaram@novell.com> wrote:

I am about to ask this one. I am googling for help to configure openldap with TLS.
And my client program should use ldap_start_tls_s for connection but with no certificate.
Any help is appreciated ,

From what I've been able to gather...

First, to establish a SSL/TLS connection, you must have a certificate, you can't do without one. Now you may very well not check the validity of the certificate. If you want your ldap client to no check the validity of the certificate, you use the following option in ldap.conf: TLS_REQCERT never the default is demand for the client The default for the openldap server is to NOT check the client certificate. You can change this behaviour with TLSVerifyClient in slapd.conf it's all explained there: http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html

To force a specific level of encryption you use the option in slapd.conf:
security ssf=n update_ssf=n

Where n is the number of bits used in the encryption. ssf is for
accessing the ldap (value of 0 is no protection at all), update_ssf is
used for updating the database (add, delete, modify etc...)
I found some explanation there:
http://www.openldap.org/doc/admin23/security.html (stuff there needs
to be checked , I found that many options aren't valid with my version
of openldap 2.3.33