OpenLDAP in FC4: Certificate instructions refers to non-existing directory/files?

Paul Howarth paul at city-fan.org
Fri Nov 25 18:41:43 UTC 2005


On Fri, 2005-11-25 at 10:28 -0800, Daniel B. Thurman wrote:
> Hi Folks,
> 
> One of the things that made it exceedingly difficult to get LDAPS
> running on FC4 (at least for me) was that the openssl version on
> FC4 was "out of sync" with the LDAP How-To instructions explaining
> how to create a self-signed certificate so that LDAP SSL can be made
> to work.
> 
> In the many online LDAP setup instructions I have seen, the most
> common ones seem to refer to the CA.sh file such as the link provided
> below: 
> 
> http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#6.1
> 
> But the version of openssl on FC4 does not have this directory:
> /usr/share/ssl nor does: /usr/share/ssl/misc/CA.sh exist.
> 
> I also noted that openssl in FC4 now uses /etc/pki directory instead
> of /etc/ssl (but I do see a /etc/ssh directory but is this the same as
> /etc/pki?) but otherwise is different from the openssl version used in
> FC3/2/1?  Perhaps this is not surprising but it does make it a bit
> difficult to keep up with the changing trends.
> 
> So can anyone explain what the procedure is for creating a
> self-signed certificate, how to properly setup LDAP for SSL/TLS
> support at the client and server side? The link provided above talks
> about client side certificates but it seems rather vague since it is
> not clear how exactly a client certificate should be created or if
> client certificates have to be copied to other systems for which users
> will need to have them in order to successfully use the LDAPS server.
> 
> Finally, does anyone supply their own CA, avoiding "trusted"
> CA sites such as Verisign/Thawte etc.?  Are there really any
> serious problems or risks in not using them as a trusted CA
> source?

I've just been playing with this myself these last couple of days - my
first foray into LDAP.

You can create a self-signed cert for the server as follows:

# cd /etc/pki/tls/certs
# rm slapd.pem
(if there's one there, it'll probably have localhost.localdomain as the
cn and therefore be practically useless)
# make slapd.pem
# chown root:ldap slapd.pem
# chmod 640 slapd.pem

You can extract the CA cert (needed by clients) as follows, once the
server's up:

$ openssl s_client -connect your.ldap.server:636 | tee logfile
(type "QUIT", followed by the "ENTER" key)

The CA cert will be the text in logfile between the "BEGIN CERTIFICATE"
and "END CERTIFICATE" markers inclusive.

Paul.
-- 
Paul Howarth <paul at city-fan.org>
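The last step in Paul's reply, pulling the CA cert out of the saved s_client transcript, is easy to get wrong by hand (copying a partial block, or the wrong block when a chain is printed). The script below is an added example, not code from the thread or from OpenLDAP; it extracts the single PEM block from such a logfile and refuses to proceed if there is not exactly one. It assumes the server cert is self-signed, as in the reply, so that the server cert and the CA cert are the same thing. The transcript it writes is constructed for the example and its base64 body is a placeholder, not a real certificate, so the optional openssl summary is only meaningful on a real logfile.

```shell
#!/bin/sh
# Added example: extract the CA certificate block from a transcript saved with
#   openssl s_client -connect your.ldap.server:636 | tee logfile
# Assumes a self-signed server cert, so the one block printed under
# "Server certificate" is the CA cert clients need.

# extract_cert LOGFILE
# Prints the PEM block (BEGIN/END markers inclusive) and returns 0.
# Returns 1 if the transcript does not contain exactly one block, so a
# truncated capture or a multi-cert chain is never silently accepted.
extract_cert() {
    logfile=$1
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$logfile" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$logfile" || true)
    if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
        echo "expected exactly one certificate block, found $begins BEGIN / $ends END" >&2
        return 1
    fi
    # Keep only the lines between the markers; handshake chatter, the typed
    # QUIT and the session summary are dropped.
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$logfile"
}

# cert_summary < cert.pem
# On a real certificate, shows subject and SHA-256 fingerprint so the value
# handed to clients can be checked out of band. Skipped if openssl is absent.
cert_summary() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not installed, skipping summary" >&2
        return 0
    fi
    openssl x509 -noout -subject -fingerprint -sha256
}

# write_sample_log FILE
# Constructed s_client transcript (not captured from a real server); the
# base64 body is a placeholder string, not a parseable certificate.
write_sample_log() {
    cat > "$1" <<'EOF'
CONNECTED(00000003)
depth=0 /C=GB/O=Example/CN=your.ldap.server
verify error:num=18:self signed certificate
verify return:1
---
Server certificate
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgLSBub3QgYSByZWFsIGNlcnRpZmljYXRl
-----END CERTIFICATE-----
subject=/C=GB/O=Example/CN=your.ldap.server
issuer=/C=GB/O=Example/CN=your.ldap.server
---
QUIT
DONE
EOF
}

# Demonstration on the constructed transcript: print the extracted block.
demo_log=$(mktemp)
write_sample_log "$demo_log"
extract_cert "$demo_log"
rm -f "$demo_log"
```

On a real capture, redirect the output of extract_cert to a file and point clients at it (for OpenLDAP clients that is the TLS_CACERT setting in ldap.conf, which the thread does not cover), then run cert_summary on that file and compare the fingerprint against one read directly on the server.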