Re: no TLS connections
Fabrice Eudes wrote:
> I am quite new to LDAP and I am testing locally before setting up a new
> server. Unencrypted connections are all right but I have no success with
> My box, a laptop, is a Debian Etch, the OpenLDAP version is 2.3.30 (the
> packages installed are ldap-utils, libldap-2.3-0, libldap2 and slapd).
> If needed, I can give more details, but basically I followed these steps:
> 1) a. set up a local certification authority (CA)
>    b. created a certificate for the LDAP server, signed by my CA; I took
>       care that the Common Name is the server FQDN.
> 2) a. In /etc/default/slapd, I wrote
>       ldaps://arwen.grenier.ambre:636/" (where arwen.grenier.ambre is my
>    b. In /etc/ldap/slapd.conf, according to where my files are, I wrote:
>    c. In /etc/ldap/ldap.conf, I wrote:
> I have read in the OpenLDAP admin guide that the TLS_REQCERT default value
> is "demand" but it isn't compulsory, is it?
If you want to have actual security, you should leave it at the default
setting. I.e., don't change the TLS_REQCERT setting unless you know what
> the request « ldapsearch -H ldap://arwen.grenier.ambre -x -D
> "cn=root,dc=irem,dc=univ-lille1,dc=fr" -w secret -ZZ » seems all right
> as it returns all the directory entries, but in syslog (I put « loglevel
> 15 » in slapd.conf) I have the following (I added some comments to easily
> spot the possible errors):
None of the items you point out in the log are errors.
> I am quite sure that my setup is not totally correct as, for instance, I
> successfully connect to the directory from the phpLDAPadmin web interface
> without TLS, but can't connect with TLS (or ldaps).
> And another question :-)
> What's the story with TLS_CIPHER_SUITE in ldap.conf, and TLSCipherSuite
> in slapd.conf? Do they have to be set to some value? When I read the
> admin guide, I don't understand if there is a default value or not, and
> there is nothing concerning these directives in the Faq-O-Matic TLS entry.
The default value depends on how your OpenSSL library was built. Read
the OpenSSL documentation for more details.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/