Mysteries of openldap
- From: Timothy Murphy <tim@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 30 Nov 2007 14:17:44 +0000
I'm running openldap on my desktop,
and can access it fine from my laptop.
But I'd like to use TLS encryption
(as the desktop ldap is open to the world).
Unfortunately I find the openldap documentation
very difficult to follow.
It is almost as though they speak a different language,
say Finnish or Hungarian.
I've followed the instructions in chapter 14, "Using TLS",
in the OpenLDAP Software 2.4 Administrator's Guide
at <http://www.openldap.org/doc/admin24/>.
I've un-commented the lines
-----------------------------
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
-----------------------------
and restarted "service ldap".
But I see no evidence that this has had any effect.
I can access the ldap directory from my laptop
exactly as I did before,
even if I make the change
-----------------------------
# TLS_REQCERT allow
TLS_REQCERT try
-----------------------------
in ldap.conf on my laptop,
which as far as I can see (from "man ldap.conf")
should require my certificate(s) to be checked.
But it seems to work, as I said, with or without certificates,
and I see no evidence from tcpdump that
any encryption has been requested or implemented.
If someone who speaks openldap could enlighten me
I should be very grateful.
Incidentally, I have avoided installing SASL authentication,
basically because I assumed that as it comes from Cyrus
it was somehow related to Cyrus-Imap,
which caused me great grief before I moved to dovecot.
Is SASL in fact the standard way to authenticate openldap?
I read somewhere that there are "many ways"
of authenticating openldap,
without unfortunately any particular way being suggested.
Apologies for addressing what is probably an inappropriate forum.
I tried posting to the gmane newsgroup
mirroring the mailing list at openldap-software@xxxxxxxxxxxx
but unfortunately my postings there never appear.
Any advice or suggestions gratefully received.
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list