
Re: Confused about configuring TLS



On Fri, 23 Jan 2009 17:03:26 +0100, Nathan Huesken <ldap@lonely-star.org>
wrote:
> Hi,
> 
> I want to use TLS on my slapd, which uses the slapd.d config way.
> On this page:
> http://www.openldap.org/doc/admin24/tls.html
> I find a description of how to do it if one uses a slapd.conf. But how
> does it work with slapd.d?

A generally good way is to generate the appropriate slapd.conf and then use
the slaptest command (with both -f and -F options) to generate the
corresponding slapd.d directory (and sub-directories); then you can write
your own ldif to load on your already running openldap.

More specifically to TLS, here are some of the attributes you have to put in
the cn=config.ldif file at the first level of the slapd.d directory:

olcTLSCACertificateFile: /usr/local/etc/openldap/cacert.pem
olcTLSCertificateFile: /usr/local/etc/openldap/slapd.cert
olcTLSCertificateKeyFile: /usr/local/etc/openldap/slapd.key
olcTLSCRLCheck: none
olcTLSVerifyClient: never

If you're doing multimaster replication, be sure that the filenames of the
certificate and key are identical, even though each server must have its
own certificate (use symlinks - not my idea).

> Thanks!
> Nathan

Hope it can help,
Sincerely yours, Mathieu MILLET.

-- 
Mathieu MILLET
mailto:ldap@htam.net
----
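The two routes Mathieu describes, worked through as an added example (this is not code from the thread or from the OpenLDAP project): convert a slapd.conf carrying the TLS directives into slapd.d with slaptest -f/-F, or push the same olcTLS* attributes into an already running slapd as a modify of cn=config. Assumptions are the certificate paths quoted in the reply, a root-owned ldapi:/// socket with SASL EXTERNAL mapped to the config admin, and slaptest/ldapmodify on PATH; the conf_to_olc helper is a hypothetical name that only shows the directive-to-attribute mapping.

```shell
#!/bin/sh
# Added example, not code from the original thread or from OpenLDAP itself.
# Assumptions: certificate paths from the post, ldapi:/// with SASL EXTERNAL
# authorised on cn=config, slaptest and ldapmodify available on PATH.

# TLS stanza in classic slapd.conf syntax (paths are the ones from the post).
tls_slapd_conf() {
  cat <<'EOF'
TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/slapd.cert
TLSCertificateKeyFile /usr/local/etc/openldap/slapd.key
TLSCRLCheck none
TLSVerifyClient never
EOF
}

# Mapping from slapd.conf TLS directives to cn=config attributes:
# "TLSFoo value" becomes "olcTLSFoo: value", which is what slaptest emits for
# these directives when it writes slapd.d. Reads slapd.conf lines on stdin.
conf_to_olc() {
  sed -n 's/^TLS\([A-Za-z]*\)[[:space:]][[:space:]]*\(.*\)$/olcTLS\1: \2/p'
}

# The same settings as a modify LDIF for a server already running from
# slapd.d; "replace" keeps it idempotent, so it can be re-run on key rotation.
tls_config_ldif() {
  cat <<'EOF'
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /usr/local/etc/openldap/cacert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /usr/local/etc/openldap/slapd.cert
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /usr/local/etc/openldap/slapd.key
-
replace: olcTLSCRLCheck
olcTLSCRLCheck: none
-
replace: olcTLSVerifyClient
olcTLSVerifyClient: never
EOF
}

# The private key must not be readable by group or others: slapd reads it as
# its own user only. Uses ls(1) so the check works on BSD and Linux alike.
key_is_private() {
  perms=$(ls -ld "$1" | cut -c8-10)   # group+other permission bits
  [ "$perms" = "---" ]
}

# Route 1: slapd.conf -> slapd.d. $1 = slapd.conf, $2 = target slapd.d dir.
# Run as the slapd user (or chown afterwards) so slapd can read the result.
convert_to_slapd_d() {
  mkdir -p "$2"
  slaptest -f "$1" -F "$2"
}

# Route 2: apply to a running server over the local socket, refusing to
# point slapd at a key that other local users could read.
apply_tls_to_running() {
  key_is_private /usr/local/etc/openldap/slapd.key || {
    echo "refusing: slapd.key is readable by group/other" >&2
    return 1
  }
  tls_config_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Usage: sh tls-config.sh convert /path/to/slapd.conf /path/to/slapd.d
#        sh tls-config.sh apply
case "${1:-}" in
  convert) convert_to_slapd_d "$2" "$3" ;;
  apply)   apply_tls_to_running ;;
esac
```

For the multimaster case from the reply, keep the same path in the LDIF on every server and have each server's symlink at that path resolve to its own certificate and key, so the cn=config entries replicate unchanged while the key material stays per-host.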