On Friday 30 November 2007 10:56:13 am Craig White wrote:
> On Fri, 2007-11-30 at 14:17 +0000, Timothy Murphy wrote:
> > I'm running openldap on my desktop,
> > and can access it fine from my laptop.
> > But I'd like to use TLS encryption
> > (as the desktop ldap is open to the world).
> >
> > Unfortunately I find the openldap documentation
> > very difficult to follow.
> > It is almost as though they speak a different language,
> > say Finnish or Hungarian.
> >
> > I've followed the instructions in chapter 14, "Using TLS",
> > in the OpenLDAP Software 2.4 Administrator's Guide
> > at <http://www.openldap.org/doc/admin24/>.
> > I've un-commented the lines
> > -----------------------------
> > TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
> > TLSCertificateFile /etc/pki/tls/certs/slapd.pem
> > TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
> > -----------------------------
> > and restarted "service ldap".
> >
> > But I see no evidence that this has had any effect.
> > I can access the ldap directory from my laptop
> > exactly as I did before,
> > even if I make the change
> > -----------------------------
> > # TLS_REQCERT allow
> > TLS_REQCERT try
> > -----------------------------
> > in ldap.conf on my laptop,
> > which as far as I can see (from "man ldap.conf")
> > should require my certificate(s) to be checked.
> >
> > But it seems to work, as I said, with or without certificates,
> > and I see no evidence from tcpdump that
> > any encryption has been requested or implemented.
> >
> > If someone who speaks openldap could enlighten me
> > I should be very grateful.
> >
> > Incidentally, I have avoided installing SASL authentication,
> > basically because I assumed that as it comes from Cyrus
> > it was somehow related to Cyrus-Imap,
> > which caused me great grief before I moved to dovecot.
> >
> > Is SASL in fact the standard way to authenticate openldap?
> > I read somewhere that there are "many ways"
> > of authenticating openldap,
> > without unfortunately any particular way being suggested.
> >
> > Apologies for addressing what is probably an inappropriate forum.
> > I tried posting to the gmane newsgroup
> > mirroring the mailing list at openldap-software@xxxxxxxxxxxx
> > but unfortunately my postings there never appear.
> >
> > Any advice or suggestions gratefully received.
> ----
> they don't appear because Kurt is very much the hands-on moderator of
> the list and if you e-mail him, he will tell you probably that you are
> off-topic.
>
> short answer, use ldaps - even though it is deprecated.
>
> longer answer, you'll have to fight through it.
>
> self signed certs? add TLS_REQCERT to /etc/openldap/ldap.conf
> and /etc/ldap.conf (openldap client apps use the one in /etc/openldap
> folder, everything else uses the one in /etc directory)
>
> this is old, obsolete but very useful
>
> http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html
>
> Craig

If you're doing a command line test like ldapsearch, you'll have to add -ZZ to enforce TLS encryption with the search.

--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
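An added example, not code from anyone in this thread: a small audit that applies the two points made above (TLS_REQCERT only governs certificate checking, while ldaps:// or -ZZ governs whether the session is encrypted at all) to a client ldap.conf and an ldapsearch command line. The hostname and config text are constructed; the rules follow ldap.conf(5) and ldapsearch(1).

```python
"""Decide whether an ldapsearch invocation, given a client ldap.conf, would
be encrypted and whether the server certificate would actually be verified.
Added example for this thread; constructed inputs, not a real deployment."""
import shlex

# ldap.conf(5): only "demand" (the default) and "hard" reject a missing or
# bad server certificate. "try" tolerates a missing one, "allow" and "never"
# accept anything, so none of those three authenticate the server.
REQCERT_VERIFIES = {"demand": True, "hard": True, "try": False,
                    "allow": False, "never": False}


def parse_ldap_conf(text):
    """Return {DIRECTIVE: value} for a client ldap.conf; comments are dropped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_client(conf_text, ldapsearch_cmd):
    """Classify e.g. 'ldapsearch -x -ZZ -b dc=example,dc=com' under conf_text."""
    conf = parse_ldap_conf(conf_text)
    args = shlex.split(ldapsearch_cmd)
    uri = conf.get("URI", "ldap://localhost")
    if "-H" in args:                       # -H on the command line overrides URI
        uri = args[args.index("-H") + 1]
    if uri.lower().startswith("ldaps://"):
        mode, encrypted = "ldaps (TLS from the first byte)", True
    elif "-ZZ" in args:
        mode, encrypted = "StartTLS required (-ZZ)", True
    elif "-Z" in args:
        # -Z issues StartTLS but carries on in cleartext if the server refuses
        mode, encrypted = "StartTLS attempted, cleartext fallback (-Z)", False
    else:
        mode, encrypted = "cleartext ldap://", False
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    verified = encrypted and REQCERT_VERIFIES.get(reqcert, False)
    has_ca = "TLS_CACERT" in conf or "TLS_CACERTDIR" in conf
    note = ""
    if verified and not has_ca:
        note = "demand/hard without TLS_CACERT: a self-signed server cert will fail"
    return {"mode": mode, "encrypted": encrypted, "tls_reqcert": reqcert,
            "cert_verified": verified, "note": note}
```

With the laptop's `TLS_REQCERT try` and a plain `ldapsearch -x`, the audit reports a cleartext session, which is exactly what the tcpdump in the original question showed.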