Mysteries of openldap

Anthony Messina amessina at messinet.com
Fri Nov 30 21:36:57 UTC 2007


On Friday 30 November 2007 10:56:13 am Craig White wrote:
> On Fri, 2007-11-30 at 14:17 +0000, Timothy Murphy wrote:
> > I'm running openldap on my desktop,
> > and can access it fine from my laptop.
> > But I'd like to use TLS encryption
> > (as the desktop ldap is open to the world).
> >
> > Unfortunately I find the openldap documentation
> > very difficult to follow.
> > It is almost as though they speak a different language,
> > say Finnish or Hungarian.
> >
> > I've followed the instructions in chapter 14, "Using TLS",
> > in the OpenLDAP Software 2.4 Administrator's Guide
> > at <http://www.openldap.org/doc/admin24/>.
> > I've un-commented out the lines
> > -----------------------------
> > TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
> > TLSCertificateFile /etc/pki/tls/certs/slapd.pem
> > TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
> > -----------------------------
> > and restarted "service ldap".
> >
> > But I see no evidence that this has had any effect.
> > I can access the ldap directory from my laptop
> > exactly as I did before,
> > even if I make the change
> > -----------------------------
> > # TLS_REQCERT allow
> > TLS_REQCERT try
> > -----------------------------
> > in ldap.conf on my laptop,
> > which as far as I can see (from "man ldap.conf")
> > should require my certificate(s) to be checked.
> >
> > But it seems to work, as I said, with or without certificates,
> > and I see no evidence from tcpdump that
> > any encryption has been requested or implemented.
> >
> > If someone who speaks openldap could enlighten me
> > I should be very grateful.
> >
> > Incidentally, I have avoided installing SASL authentication,
> > basically because I assumed that as it comes from Cyrus
> > it was somehow related to Cyrus-Imap,
> > which caused me great grief before I moved to dovecot.
> >
> > Is SASL in fact the standard way to authenticate openldap?
> > I read somewhere that there are "many ways"
> > of authenticating openldap,
> > without unfortunately any particular way being suggested.
> >
> > Apologies for addressing what is probably an inappropriate forum.
> > I tried posting to the gmane newsgroup
> > mirroring the mailing list at openldap-software at openldap.org
> > but unfortunately my postings there never appear.
> >
> > Any advice or suggestions gratefully received.
>
> ----
> they don't appear because Kurt is very much the hands on moderator of
> the list and if you e-mail him, he will tell you probably that you are
> off-topic.
>
> short answer, use ldaps - even though it is deprecated.
>
> longer answer, you'll have to fight through it.
>
> self signed certs?  add TLS_REQCERT to /etc/openldap/ldap.conf
> and /etc/ldap.conf (openldap client apps use the one in /etc/openldap
> folder, everything else uses the one in the /etc directory)
>
> this is old, obsolete but very useful
>
> http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html
>
> Craig

if you're doing a command line test like ldapsearch, you'll have to add -ZZ to 
enforce TLS encryption with the search.

-- 
Anthony -  http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
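As an added example (not code from the thread or from the OpenLDAP project), a small Python audit of the two config files discussed above: it flags exactly what the original poster ran into, namely certificates configured in slapd.conf with nothing on the server side requiring encryption, plus a client TLS_REQCERT weaker than demand. The sample config fragments are constructed for this example; the `security ssf=<n>` directive is the slapd.conf setting that makes slapd refuse plaintext sessions.

```python
"""Audit OpenLDAP TLS settings: configured is not the same as enforced."""
import re

# Constructed sample configs for this example (not copied from any real host).
SLAPD_CONF = """\
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
# security ssf=128
"""
LDAP_CONF = """\
# TLS_REQCERT allow
TLS_REQCERT try
"""

def directives(text):
    """Map of keyword -> value for uncommented lines (keywords are case-insensitive)."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1) + ['']
        found[parts[0].lower()] = parts[1].strip()
    return found

def audit_slapd(text):
    """Server side: are certificates configured, and is encryption actually required?"""
    d = directives(text)
    issues = []
    for key in ('tlscertificatefile', 'tlscertificatekeyfile'):
        if key not in d:
            issues.append(f'{key} missing or commented out: slapd cannot offer TLS')
    # With TLS configured but no 'security' directive, slapd still accepts plaintext
    # sessions; clients only get encryption if they ask for it (e.g. ldapsearch -ZZ).
    m = re.search(r'\b(?:ssf|tls)=(\d+)', d.get('security', ''))
    if not m or int(m.group(1)) < 56:
        issues.append("no 'security ssf=<n>' (or tls=<n>) with n >= 56: plaintext sessions still accepted")
    return issues

def audit_client(text):
    """Client side: will a missing or bad server certificate be tolerated?"""
    mode = directives(text).get('tls_reqcert', 'demand').lower()  # OpenLDAP default is demand
    if mode in ('never', 'allow', 'try'):
        return [f"TLS_REQCERT {mode}: missing or bad server certificate tolerated; use 'demand'"]
    return []

if __name__ == '__main__':
    for name, issues in (('slapd.conf', audit_slapd(SLAPD_CONF)), ('ldap.conf', audit_client(LDAP_CONF))):
        for issue in issues:
            print(f'{name}: {issue}')
```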

