On Fri, 2007-11-30 at 14:17 +0000, Timothy Murphy wrote:

> I'm running openldap on my desktop,
> and can access it fine from my laptop.
> But I'd like to use TLS encryption
> (as the desktop ldap is open to the world).
>
> Unfortunately I find the openldap documentation
> very difficult to follow.
> It is almost as though they speak a different language,
> say Finnish or Hungarian.
>
> I've followed the instructions in chapter 14, "Using TLS",
> in the OpenLDAP Software 2.4 Administrator's Guide
> at <http://www.openldap.org/doc/admin24/>.
> I've un-commented the lines
> -----------------------------
> TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
> TLSCertificateFile /etc/pki/tls/certs/slapd.pem
> TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
> -----------------------------
> and restarted "service ldap".
>
> But I see no evidence that this has had any effect.
> I can access the ldap directory from my laptop
> exactly as I did before,
> even if I make the change
> -----------------------------
> # TLS_REQCERT allow
> TLS_REQCERT try
> -----------------------------
> in ldap.conf on my laptop,
> which as far as I can see (from "man ldap.conf")
> should require my certificate(s) to be checked.
>
> But it seems to work, as I said, with or without certificates,
> and I see no evidence from tcpdump that
> any encryption has been requested or implemented.
>
> If someone who speaks openldap could enlighten me
> I should be very grateful.
>
> Incidentally, I have avoided installing SASL authentication,
> basically because I assumed that as it comes from Cyrus
> it was somehow related to Cyrus-Imap,
> which caused me great grief before I moved to dovecot.
>
> Is SASL in fact the standard way to authenticate openldap?
> I read somewhere that there are "many ways"
> of authenticating openldap,
> without unfortunately any particular way being suggested.
>
> Apologies for addressing what is probably an inappropriate forum.
> I tried posting to the gmane newsgroup
> mirroring the mailing list at openldap-software@xxxxxxxxxxxx
> but unfortunately my postings there never appear.
>
> Any advice or suggestions gratefully received.

----

They don't appear because Kurt is very much the hands-on moderator of the list, and if you e-mail him he will probably tell you that you are off-topic.

Short answer: use ldaps - even though it is deprecated.

Longer answer: you'll have to fight through it.

Self-signed certs? Add TLS_REQCERT to /etc/openldap/ldap.conf and /etc/ldap.conf (openldap client apps use the one in the /etc/openldap folder, everything else uses the one in the /etc directory).

This is old, obsolete but very useful:
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html

Craig
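An added example, not from either poster: the directives that turn the TLS Timothy enabled into something the server actually requires. Loading a certificate only makes StartTLS available; a client that never asks for it still gets a plaintext session, which is what his tcpdump shows. The certificate paths are his; the SSF values, the TLS_CACERT line and the hostname "desktop" in the note below are assumptions taken from slapd.conf(5) and ldap.conf(5).

```conf
# /etc/openldap/slapd.conf on the desktop (server side)
# These three lines (from the original post) only enable StartTLS;
# nothing here forces a client to use it.
TLSCACertificateFile  /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile    /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

# Refuse every operation on a session whose security strength factor
# (SSF) is below 128, i.e. anything not protected by TLS with a
# 128-bit-or-better cipher, and refuse simple binds (cleartext
# passwords) on such sessions. The value 128 is an assumption; match it
# to the ciphers your slapd negotiates.
# Caveat: ldapi:// sockets are rated by localSSF (default 71), so raise
# localSSF as well if local tools must keep working.
security ssf=128 simple_bind=128

# /etc/openldap/ldap.conf on the laptop (client side, OpenLDAP tools)
# 'try' and 'allow' only warn when the server certificate cannot be
# verified; 'demand' aborts the connection instead.
TLS_CACERT  /etc/pki/tls/certs/ca-bundle.crt
TLS_REQCERT demand
```

With the security directive in place, `ldapsearch -x -H ldap://desktop/ -b '' -s base` (no StartTLS) should now be refused with "Confidentiality required", while `ldapsearch -x -ZZ -H ldap://desktop/ -b '' -s base` should succeed and tcpdump should show a TLS handshake after the StartTLS extended operation.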