Re: Mysteries of openldap
- From: Craig White <craig@xxxxxxxxxxxxx>
- Date: Fri, 30 Nov 2007 09:56:13 -0700
On Fri, 2007-11-30 at 14:17 +0000, Timothy Murphy wrote:
I'm running openldap on my desktop,
and can access it fine from my laptop.
But I'd like to use TLS encryption
(as the desktop ldap is open to the world).
Unfortunately I find the openldap documentation
very difficult to follow.
It is almost as though they speak a different language,
say Finnish or Hungarian.
I've followed the instructions in chapter 14, "Using TLS",
in the OpenLDAP Software 2.4 Administrator's Guide
at <http://www.openldap.org/doc/admin24/>.
I've un-commented out the lines
-----------------------------
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
-----------------------------
and restarted "service ldap".
But I see no evidence that this has had any effect.
I can access the ldap directory from my laptop
exactly as I did before,
even if I make the change
-----------------------------
# TLS_REQCERT allow
TLS_REQCERT try
-----------------------------
in ldap.conf on my laptop,
which as far as I can see (from "man ldap.conf")
should require my certificate(s) to be checked.
But it seems to work, as I said, with or without certificates,
and I see no evidence from tcpdump that
any encryption has been requested or implemented.
If someone who speaks openldap could enlighten me
I should be very grateful.
Incidentally, I have avoided installing SASL authentication,
basically because I assumed that as it comes from Cyrus
it was somehow related to Cyrus-Imap,
which caused me great grief before I moved to dovecot.
Is SASL in fact the standard way to authenticate openldap?
I read somewhere that there are "many ways"
of authenticating openldap,
without unfortunately any particular way being suggested.
Apologies for addressing what is probably an inappropriate forum.
I tried posting to the gmane newsgroup
mirroring the mailing list at openldap-software@xxxxxxxxxxxx
but unfortunately my postings there never appear.
Any advice or suggestions gratefully received.
they don't appear because Kurt is very much the hands on moderator of
the list and if you e-mail him, he will tell you probably that you are
off-topic.
short answer, use ldaps - even though it is deprecated.
longer answer, you'll have to fight through it.
self signed certs? add TLS_REQCERT to /etc/openldap/ldap.conf
and /etc/ldap.conf (openldap client apps use the one in /etc/openldap
folder, everything else uses the one in the /etc directory)
this is old, obsolete but very useful
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html
Craig
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
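An added example, not from the thread or from OpenLDAP's own tooling: a small Python audit of a slapd.conf and a client ldap.conf for the points raised above. It checks whether the server is set up to offer TLS at all, whether anything on the server actually requires it (a configured certificate alone does not), and what TLS_REQCERT does and does not enforce on the client. The certificate paths come from the thread; the hostname and the `security ssf=128` floor are assumptions.

```python
def parse_conf(text):
    """Return (keyword_lower, [args]) per directive; a line starting with
    whitespace continues the previous directive, as in slapd.conf(5)."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            entries[-1][1].extend(raw.split())
            continue
        parts = raw.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries

def audit_slapd(text):
    """Server side: TLS* directives only let slapd *offer* TLS; without a
    'security ssf=' or 'security tls=' floor it still answers in plaintext."""
    conf = dict(parse_conf(text))  # last occurrence of a global directive wins
    required = ("tlscacertificatefile", "tlscertificatefile", "tlscertificatekeyfile")
    findings = [f"missing {kw}: slapd cannot offer TLS" for kw in required if kw not in conf]
    sec = {}
    for item in conf.get("security", []):
        key, _, val = item.partition("=")
        sec[key] = int(val) if val.isdigit() else 0
    if sec.get("ssf", 0) <= 0 and sec.get("tls", 0) <= 0:
        findings.append("no 'security ssf=/tls=' floor: plaintext binds and searches are accepted")
    return findings

def audit_ldap_conf(text):
    """Client side: TLS_REQCERT governs certificate *checking* once TLS is up;
    it never turns TLS on. Only an ldaps:// URI or StartTLS (-Z/-ZZ) does."""
    conf = dict(parse_conf(text))
    findings = []
    reqcert = conf.get("tls_reqcert", ["demand"])[0].lower()  # demand is the default
    if reqcert not in ("demand", "hard"):
        findings.append(f"TLS_REQCERT {reqcert}: connection allowed without a valid server cert")
    if any(not u.lower().startswith("ldaps://") for u in conf.get("uri", [])):
        findings.append("ldap:// URI: no TLS unless the client requests StartTLS (-ZZ)")
    if not (conf.keys() & {"tls_cacert", "tls_cacertdir"}):
        findings.append("no TLS_CACERT(DIR): server certificate cannot be verified")
    return findings
# Constructed samples (hostname assumed): the thread's slapd lines beside a version
# that refuses plaintext, and a client ldap.conf with 'TLS_REQCERT try' beside a hardened one.
SLAPD_ORIG = ("TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt\n"
              "TLSCertificateFile /etc/pki/tls/certs/slapd.pem\n"
              "TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem\n")
SLAPD_FIXED = SLAPD_ORIG + "security ssf=128\n"
LDAP_ORIG = "URI ldap://desktop.example.org\nTLS_REQCERT try\n"
LDAP_FIXED = ("URI ldaps://desktop.example.org\nTLS_REQCERT demand\n"
              "TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt\n")
```

Run `audit_slapd(SLAPD_ORIG)` and `audit_ldap_conf(LDAP_ORIG)` to see why the thread's setup connects fine yet shows no TLS on the wire; the FIXED pair returns no findings.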