
Re: SSL based LDAP client verification



On Wed, Oct 07, 2015 at 02:13:38AM +0500, Aneela Saleem wrote:

> I have followed this link to generate self-signed certificates. I have
> successfully performed server side validation.

I assume that means that you have made an SSL or TLS connection to the server
and done an LDAP operation, so this operation should succeed:

	ldapwhoami -x -H ldap://my.server.com/ -ZZ

If it does not, you may need to specify the TLS_CACERT location in
/etc/openldap/ldap.conf or temporarily provide the cert location in the
environment:

	LDAPTLS_CACERT=/path/to/ca.crt ldapwhoami -x -H ldap://my.server.com/ -ZZ

Don't start trying to use any other clients until you have the command-line
ones working properly.

> What if I want to access LDAPS:// from other client. I have copied
> servercrt.pem and serverkey.pem file on client machine, also added
> servercrt.pem file to client trust store. I'm using

NO! Don't ever give clients the secret key.

Assuming you followed http://www.openldap.org/faq/data/cache/185.html fully you
created two certificates: a master CA cert and a server-specific cert. You can
use the CA cert to create as many server certs as you like, and client machines
only need a copy of the CA cert to verify trust.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
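An added example, not part of Andrew's reply or of the OpenLDAP FAQ entry he cites: a shell script that builds the two-certificate layout he describes (a self-signed "master" CA plus a server-specific certificate issued by it), then verifies the server certificate from a simulated client directory that holds nothing but ca.crt, and shows that an unrelated CA does not verify it. The hostname my.server.com, the CA names and the temporary directories are assumptions; the only tool used is openssl.

```shell
#!/bin/sh
# Added example (not from the original message): the two-certificate layout
# Andrew describes, built with openssl. Hostname and names are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: the "master" CA. Its private key (ca.key) stays on the signing host;
# only ca.crt is ever distributed.
make_ca() {   # $1 = directory, $2 = CA common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# Step 2: a server-specific certificate signed by that CA. server.key stays on
# the LDAP server and is never copied to clients.
issue_server_cert() {   # $1 = directory holding ca.crt/ca.key, $2 = server hostname
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.csr" >/dev/null 2>&1
    # Modern clients match the hostname against subjectAltName, not just CN.
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.ext"
    openssl x509 -req -days 2 -in "$1/server.csr" -extfile "$1/san.ext" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/server.crt" >/dev/null 2>&1
}

# What a client does: chain the certificate presented by the server to the CA
# cert it holds. This is the check libldap performs when TLS_CACERT or
# LDAPTLS_CACERT points at ca.crt; exit status 0 means the chain verifies.
client_trusts() {   # $1 = CA cert on the client, $2 = cert presented by the server
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca "$WORK" "Example LDAP CA"
issue_server_cert "$WORK" "my.server.com"

# Simulated client machine: it receives ca.crt and nothing else.
CLIENT="$WORK/client"
mkdir "$CLIENT"
cp "$WORK/ca.crt" "$CLIENT/ca.crt"

# An unrelated CA, to show that trust really is anchored in *our* ca.crt.
mkdir "$WORK/other"
make_ca "$WORK/other" "Some Other CA"

if client_trusts "$CLIENT/ca.crt" "$WORK/server.crt"; then
    echo "client holding only ca.crt verifies my.server.com: OK"
fi
if ! client_trusts "$WORK/other/ca.crt" "$WORK/server.crt"; then
    echo "unrelated CA does not verify it: OK (expected failure)"
fi
echo "files on the client: $(ls "$CLIENT")"   # ca.crt only; no server key

# On a real client the same check is driven by libldap, e.g.:
#   LDAPTLS_CACERT=/path/to/ca.crt ldapwhoami -x -H ldap://my.server.com/ -ZZ
```

The point of the simulated client directory is the one Andrew makes: verification needs only ca.crt, so neither serverkey.pem nor ca.key ever leaves the host that owns it. To issue a certificate for a second server, run issue_server_cert again against the same CA directory; existing clients verify it without any change to their trust store.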