
Re: no TLS connections

Fabrice Eudes wrote:

Hello everybody,
I am quite new to LDAP and I am testing locally before setting up a new
server. Unencrypted connections are all right but I have no success with
TLS connections.

My box, a laptop, is a Debian Etch, the openldap version is 2.3.30 (the
packages installed are ldap-utils, libldap-2.3-0, libldap2 and slapd).

If needed, I can give more details, but basically I followed these steps:
1) a. set up a local certification authority (CA)
   b. created a certificate for the ldap server, signed by my CA; I took
care that the Common Name is the server FQDN.
2) a. In /etc/default/slapd, I wrote
ldaps://arwen.grenier.ambre:636/" (where arwen.grenier.ambre is my
laptop FQDN)
   b. In /etc/ldap/slapd.conf, according to where my files are, I wrote:
	TLSCACertificateFile    /etc/ldap/certificates/cacert.pem
	TLSCertificateFile      /etc/ldap/certificates/servercert.pem
	TLSCertificateKeyFile   /etc/ldap/certificates/serverkey.pem
	TLSVerifyClient         never
   c. In /etc/ldap/ldap.conf, I wrote:
	TLS_CACERT      /etc/ldap/certificates/cacert.pem
	TLS_REQCERT     never

I have read in the OpenLDAP admin guide that the TLS_REQCERT default value
is "demand", but it isn't compulsory, is it?

If you want to have actual security, you should leave it at the default setting. I.e., don't change the TLS_REQCERT setting unless you know what you're doing.

The request `ldapsearch -H ldap://arwen.grenier.ambre -x -D
"cn=root,dc=irem,dc=univ-lille1,dc=fr" -w secret -ZZ` seems all right,
as it returns all the directory entries, but in syslog (I put "loglevel
15" in slapd.conf) I have the following (I added some comments to easily
spot the possible errors):

None of the items you point out in the log are errors.

I am quite sure that my setup is not totally correct as, for instance, I
successfully connect to the directory from the phpLDAPadmin web interface
without TLS, but can't connect with TLS (or ldaps).

And another question :-)
What's the story with TLS_CIPHER_SUITE in ldap.conf, and TLSCipherSuite
in slapd.conf? Do they have to be set to some value? When I read the
admin guide, I don't understand if there is a default value or not, and
there is nothing concerning these directives in the Faq-O-Matic TLS entry.

The default value depends on how your OpenSSL library was built. Read the OpenSSL documentation for more details.

  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/
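The point Howard makes about TLS_REQCERT is easy to check mechanically. The following is an added example (not part of this thread and not OpenLDAP's own code): a small lint that reads the directive lines of an ldap.conf-style client file and a slapd.conf-style server file and flags the settings that weaken TLS. It treats an absent TLS_REQCERT as "demand", as the admin guide states, and flags "never", "allow" and "try", since with those the client continues even when the server certificate cannot be verified. The two sample configs are constructed to mirror the ones quoted above; the directive names are the real OpenLDAP ones.

```python
"""Lint the TLS directives of an OpenLDAP client (ldap.conf) and server
(slapd.conf) configuration.  Added example for this thread; the sample
configurations below are constructed, not taken from a live system."""

# Constructed sample: the poster's client config, with verification disabled.
LDAP_CONF_WEAK = """\
# /etc/ldap/ldap.conf (constructed sample)
TLS_CACERT      /etc/ldap/certificates/cacert.pem
TLS_REQCERT     never
"""

# Constructed sample: the same file with TLS_REQCERT left at its default.
LDAP_CONF_OK = """\
TLS_CACERT      /etc/ldap/certificates/cacert.pem
# TLS_REQCERT omitted: the documented default is "demand"
"""

# Constructed sample: the poster's server-side TLS block.
SLAPD_CONF = """\
TLSCACertificateFile    /etc/ldap/certificates/cacert.pem
TLSCertificateFile      /etc/ldap/certificates/servercert.pem
TLSCertificateKeyFile   /etc/ldap/certificates/serverkey.pem
TLSVerifyClient         never
"""


def parse_directives(text):
    """Return {DIRECTIVE: value} for 'directive value' lines.

    Blank lines and '#' comments are skipped.  OpenLDAP directive names are
    case-insensitive, so keys are upper-cased for lookup.
    """
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            directives[parts[0].upper()] = parts[1].strip()
    return directives


def lint_client(text):
    """Findings for an ldap.conf-style client configuration."""
    d = parse_directives(text)
    findings = []
    # Absent TLS_REQCERT means "demand" (the default the admin guide documents).
    reqcert = d.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append("TLS_REQCERT %s: server certificate is not verified, so "
                        "anyone on the network path can impersonate the server"
                        % reqcert)
    elif reqcert == "try":
        findings.append("TLS_REQCERT try: a bad certificate is tolerated; use demand")
    if "TLS_CACERT" not in d and "TLS_CACERTDIR" not in d:
        findings.append("no TLS_CACERT or TLS_CACERTDIR: the client has no trust anchor")
    return findings


def lint_server(text):
    """Findings for a slapd.conf-style server configuration.

    TLSVerifyClient never is acceptable here: it only means clients are not
    required to present their own certificates.
    """
    d = parse_directives(text)
    findings = []
    for name in ("TLSCACertificateFile", "TLSCertificateFile", "TLSCertificateKeyFile"):
        if name.upper() not in d:
            findings.append("missing %s: slapd cannot offer TLS without it" % name)
    return findings


if __name__ == "__main__":
    for label, conf in (("weak client", LDAP_CONF_WEAK), ("ok client", LDAP_CONF_OK)):
        print(label, lint_client(conf) or ["no findings"])
    print("server", lint_server(SLAPD_CONF) or ["no findings"])
```

Run against the first sample this reports the TLS_REQCERT finding; against the second and against the server block it reports nothing, which matches the advice above that the client-side setting is the one to leave alone.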