> From: fedora-list-bounces@xxxxxxxxxx [mailto:fedora-list-bounces@xxxxxxxxxx] On Behalf Of Paul Howarth
> Sent: Friday, November 25, 2005 10:42 AM
> To: For users of Fedora Core releases
> Subject: Re: OpenLDAP in FC4: Certificate instructions refers to non-existing directory/files?
>
>
> On Fri, 2005-11-25 at 10:28 -0800, Daniel B. Thurman wrote:
>> Hi Folks,
>>
>> One of the things that made it exceedingly difficult to get LDAPS
>> running on FC4 (at least for me) was that the openssl version on
>> FC4 was "out of sync" with the LDAP How-To instructions explaining
>> how to create a self-signed certificate so that LDAP SSL can be made
>> to work.
>>
>> In the many online LDAP setup instructions I have seen, the most
>> common ones seem to refer to the CA.sh file, such as the link provided
>> below:
>>
>> http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#6.1
>>
>> But the version of openssl on FC4 does not have this directory:
>> /usr/share/ssl, nor does /usr/share/ssl/misc/CA.sh exist.
>>
>> I also noted that openssl in FC4 now uses the /etc/pki directory instead
>> of /etc/ssl (but I do see a /etc/ssh directory; is this the same as
>> /etc/pki?) but otherwise is different from the openssl version used in
>> FC3/2/1? Perhaps this is not surprising, but it does make it a bit
>> difficult to keep up with the changing trends.
>>
>> So can anyone explain what the procedure is for creating a
>> self-signed certificate, and how to properly set up LDAP for SSL/TLS
>> support on the client and server side? The link provided above talks
>> about client-side certificates, but it seems rather vague since it is
>> not clear how exactly a client certificate should be created, or if
>> client certificates have to be copied to other systems, which users
>> will need to have in order to successfully use the LDAPS server.
>>
>> Finally, does anyone supply their own CA, avoiding "trusted"
>> CA sites such as Verisign/Thawte, etc.? Are there really any
>> serious problems or risks in not using them as a trusted CA
>> source?
>
> I've just been playing with this myself this last couple of days - my
> first foray into LDAP.
>
> You can create a self-signed cert for the server as follows:
>
> # cd /etc/pki/tls/certs
> # rm slapd.pem
> (if there's one there, it'll probably have localhost.localdomain as the
> cn and therefore be practically useless)
> # make slapd.pem
> # chown root:ldap slapd.pem
> # chmod 640 slapd.pem
>
> You can extract the CA cert (needed by clients) as follows, once the
> server's up:
>
> $ openssl s_client -connect your.ldap.server:636 | tee logfile
> (type "QUIT", followed by the "ENTER" key)
>
> The CA cert will be the text in logfile between the "BEGIN CERTIFICATE"
> and "END CERTIFICATE" markers inclusive.
>
> Paul.

Super! But I need to figure out how to obtain/set for LDAP in
/etc/openldap/slapd.conf:

TLSCACertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

Do I set it as shown above?

Thanks!
Dan
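The client-side half of Paul's procedure, as an added example that is not code from the original thread: a few POSIX shell helpers that capture the PEM block from `openssl s_client` output without hand-editing the logfile, and inspect the subject and fingerprint of what a client is about to trust. The host name, output path and the `openssl x509 -checkhost` check are assumptions made for this example, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread. Helpers for the client side of
# the procedure above. Host, port and file names used here are assumptions.

# Print the first "BEGIN CERTIFICATE" .. "END CERTIFICATE" block (inclusive)
# from a file, or from stdin when no file is given. This replaces cutting the
# block out of the logfile by hand.
extract_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { in_cert = 1 }
         in_cert { print }
         /-----END CERTIFICATE-----/ { if (in_cert) exit }' "${1:--}"
}

# Connect to the LDAPS port and save the certificate the server presents.
# Redirecting /dev/null to stdin makes s_client exit on its own, so there is
# no need to type QUIT. With a self-signed slapd.pem this block is also the
# CA cert the thread talks about. Returns non-zero if nothing was captured.
fetch_server_cert() {   # fetch_server_cert HOST PORT OUTFILE
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | extract_cert >"$3"
    [ -s "$3" ]
}

# Show the subject and SHA-256 fingerprint of a saved PEM cert. Compare the
# fingerprint with one computed on the server itself
# (openssl x509 -in /etc/pki/tls/certs/slapd.pem -noout -fingerprint -sha256)
# before distributing the file: the s_client download alone proves nothing
# about who sent it.
describe_cert() {       # describe_cert FILE
    openssl x509 -in "$1" -noout -subject -fingerprint -sha256
}

# Return 0 when the certificate is valid for the host name clients will use,
# 1 otherwise. A leftover cert issued to localhost.localdomain fails here.
cert_matches_host() {   # cert_matches_host FILE HOSTNAME
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Typical use (assumed names):
#   fetch_server_cert your.ldap.server 636 /tmp/ldap-ca.pem
#   describe_cert /tmp/ldap-ca.pem
#   cert_matches_host /tmp/ldap-ca.pem your.ldap.server && echo "CN ok"
```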