On Fri, 2005-11-25 at 10:28 -0800, Daniel B. Thurman wrote:
> Hi Folks,
>
> One of the things that made it exceedingly difficult to get LDAPS
> running on FC4 (at least for me) was that the openssl version on
> FC4 was "out of sync" with the LDAP How-To instructions explaining
> how to create a self-signed certificate so that LDAP SSL can be made
> to work.
>
> In the many online LDAP setup instructions I have seen, the most
> common ones seem to refer to the CA.sh file such as the link provided
> below:
>
> http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#6.1
>
> But the version of openssl on FC4 does not have this directory:
> /usr/share/ssl nor does: /usr/share/ssl/misc/CA.sh exist.
>
> I also noted that openssl in FC4 now uses the /etc/pki directory instead
> of /etc/ssl (but I do see a /etc/ssh directory, but is this the same as
> /etc/pki?) but otherwise is different from the openssl version used in
> FC3/2/1? Perhaps this is not surprising but it does make it a bit
> difficult to keep up with the changing trends.
>
> So can anyone explain what the procedure is for creating a
> self-signed certificate, and how to properly set up LDAP for SSL/TLS
> support at the client and server side? The link provided above talks
> about client side certificates but it seems rather vague since it is
> not clear how exactly a client certificate should be created or if
> client certificates have to be copied to other systems, which users
> will need to have in order to successfully use the LDAPS server.
>
> Finally, does anyone supply their own CA, avoiding "trusted"
> CA sites such as Verisign/Thawte, etc.? Are there really any
> serious problems or risks in not using them as a trusted CA
> source?

I've just been playing with this myself this last couple of days - my first foray into LDAP.
You can create a self-signed cert for the server as follows:

# cd /etc/pki/tls/certs
# rm slapd.pem
  (if there's one there, it'll probably have localhost.localdomain as the cn and therefore be practically useless)
# make slapd.pem
# chown root:ldap slapd.pem
# chmod 640 slapd.pem

You can extract the CA cert (needed by clients) as follows, once the server's up:

$ openssl s_client -connect your.ldap.server:636 | tee logfile
  (type "QUIT", followed by the "ENTER" key)

The CA cert will be the text in logfile between the "BEGIN CERTIFICATE" and "END CERTIFICATE" markers inclusive.

Paul.
-- 
Paul Howarth <paul@xxxxxxxxxxxx>
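The two steps Paul describes (build a self-signed slapd.pem with a real CN, then cut the certificate block out of an `openssl s_client` log so it can be handed to clients) scripted as POSIX shell functions. This is an added example, not code from the thread or from the FC4 `make slapd.pem` Makefile target; it assumes the `openssl` command-line tool is installed, and the hostname `ldap.example.test`, the temporary paths and the s_client log it is run against are constructed for the demo rather than taken from a real FC4 system.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes the openssl CLI;
# hostnames and paths are constructed placeholders.

# Build a self-signed server cert plus private key in one PEM file, which is
# what "make slapd.pem" produces on FC4, but with an explicit CN so it is not
# localhost.localdomain. Arguments: output file, CN, validity in days.
make_slapd_pem() {
    out="$1"; cn="$2"; days="${3:-365}"
    tmp="$(mktemp -d)" || return 1
    # -nodes: unencrypted key, because slapd has to read it without a passphrase
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" \
        -days "$days" -subj "/CN=$cn" >/dev/null 2>&1 || { rm -rf "$tmp"; return 1; }
    # Key first, then cert, in a single file the ldap group can read
    cat "$tmp/key.pem" "$tmp/cert.pem" > "$out" || { rm -rf "$tmp"; return 1; }
    chmod 640 "$out"      # pair with "chown root:ldap" on the real server
    rm -rf "$tmp"
}

# Print the first PEM certificate block (BEGIN ... END inclusive) found in a
# file such as the "tee logfile" output of openssl s_client. Only the first
# block is taken: with -showcerts the log holds the whole chain, and the
# server's own certificate is always printed first.
extract_first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }' "$1"
}

# SHA-256 fingerprint of a PEM certificate, so a copy that was pulled over the
# network can be checked against the server's own slapd.pem out of band before
# a client is told to trust it.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Usage (run as a demo; nothing here touches /etc/pki):
#   make_slapd_pem ./slapd.pem ldap.example.test 365
#   openssl s_client -connect ldap.example.test:636 </dev/null > logfile 2>&1
#   extract_first_cert logfile > ldap-ca.pem
#   cert_fingerprint ldap-ca.pem    # compare with: cert_fingerprint ./slapd.pem
```

The fingerprint comparison is the step the original procedure leaves out: a certificate obtained by connecting to the server is only as trustworthy as that first connection, so checking its fingerprint against the file on the server (over SSH, or read out on the console) is what makes the self-signed CA safe to install on clients.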