Re: Mysteries of openldap



On Friday 30 November 2007 10:56:13 am Craig White wrote:
On Fri, 2007-11-30 at 14:17 +0000, Timothy Murphy wrote:
I'm running openldap on my desktop,
and can access it fine from my laptop.
But I'd like to use TLS encryption
(as the desktop ldap is open to the world).

Unfortunately I find the openldap documentation
very difficult to follow.
It is almost as though they speak a different language,
say Finnish or Hungarian.

I've followed the instructions in chapter 14, "Using TLS",
in the OpenLDAP Software 2.4 Administrator's Guide
at <http://www.openldap.org/doc/admin24/>.
I've uncommented the lines
-----------------------------
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
-----------------------------
and restarted "service ldap".

But I see no evidence that this has had any effect.
I can access the ldap directory from my laptop
exactly as I did before,
even if I make the change
-----------------------------
# TLS_REQCERT allow
TLS_REQCERT try
-----------------------------
in ldap.conf on my laptop,
which as far as I can see (from "man ldap.conf")
should require my certificate(s) to be checked.

But it seems to work, as I said, with or without certificates,
and I see no evidence from tcpdump that
any encryption has been requested or implemented.

If someone who speaks openldap could enlighten me
I should be very grateful.

Incidentally, I have avoided installing SASL authentication,
basically because I assumed that as it comes from Cyrus
it was somehow related to Cyrus-Imap,
which caused me great grief before I moved to dovecot.

Is SASL in fact the standard way to authenticate openldap?
I read somewhere that there are "many ways"
of authenticating openldap,
without unfortunately any particular way being suggested.

Apologies for addressing what is probably an inappropriate forum.
I tried posting to the gmane newsgroup
mirroring the mailing list at openldap-software@xxxxxxxxxxxx
but unfortunately my postings there never appear.

Any advice or suggestions gratefully received.

----
they don't appear because Kurt is very much the hands on moderator of
the list and if you e-mail him, he will tell you probably that you are
off-topic.

short answer, use ldaps - even though it is deprecated.

longer answer, you'll have to fight through it.

self signed certs? add TLS_REQCERT to /etc/openldap/ldap.conf
and /etc/ldap.conf (openldap client apps use the one in /etc/openldap
folder, everything else uses the one in the /etc directory)

this is old, obsolete but very useful

http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html

Craig

if you're doing a command line test like ldapsearch, you'll have to add -ZZ to
enforce TLS encryption with the search.

--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
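To make Anthony's -ZZ point concrete, here is an added shell script (not from this thread and not part of the OpenLDAP project) that probes whether a server actually negotiates StartTLS and classifies the outcome. The thing to keep in mind is that TLS_REQCERT only governs what the client does with the server's certificate once a TLS session is being set up; it never makes the client request TLS, so an ldapsearch over ldap:// without -Z or -ZZ stays in cleartext on port 389 (which is exactly what a tcpdump trace would show) regardless of the TLS* directives in slapd.conf. Host names, base DNs and the sample ldapsearch outputs in the script are assumptions/constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread above): probe whether an OpenLDAP
# server really negotiates StartTLS, and classify the result.
# Host names, base DNs and the sample outputs below are constructed.

# classify_starttls EXIT_STATUS STDERR_TEXT
# Turns the exit status and stderr of "ldapsearch -ZZ" into one word:
#   tls_ok       StartTLS negotiated, certificate accepted, search ran
#   no_starttls  server refused the StartTLS extended operation
#                (slapd built without TLS, or TLS* directives not in effect)
#   tls_failed   handshake failed after the server accepted StartTLS;
#                with TLS_REQCERT demand this is usually an unverifiable
#                (e.g. self-signed) server certificate
#   unreachable  no TCP connection to the server at all
#   other        some later failure (bind, search, ...) unrelated to TLS
classify_starttls() {
    status=$1
    err=$2
    if [ "$status" -eq 0 ]; then
        echo tls_ok
        return 0
    fi
    case "$err" in
        *"ldap_start_tls: Can't contact LDAP server"*) echo unreachable ;;
        *"ldap_start_tls: Connect error"*)             echo tls_failed ;;
        *"ldap_start_tls:"*)                           echo no_starttls ;;
        *)                                             echo other ;;
    esac
    return 0
}

# advertises_starttls ROOT_DSE_TEXT
# Succeeds if a root DSE dump lists the StartTLS extended operation OID
# (1.3.6.1.4.1.1466.20037, RFC 4511).  A server that does not list it will
# never encrypt on port 389 no matter what the client's ldap.conf says.
advertises_starttls() {
    case "$1" in
        *"supportedExtension: 1.3.6.1.4.1.1466.20037"*) return 0 ;;
        *) return 1 ;;
    esac
}

# probe_starttls HOST [BASE_DN]
# Runs the real probe when ldapsearch is installed.  -ZZ makes a StartTLS
# failure fatal instead of silently continuing in cleartext (plain -Z only
# tries), -x is simple auth, and a base-scope search on "" reads the root
# DSE.  LDAPTLS_REQCERT=demand overrides TLS_REQCERT for this process so a
# certificate problem is reported rather than tolerated.
probe_starttls() {
    host=$1
    base=${2:-}
    tmp=$(mktemp)
    if LDAPTLS_REQCERT=demand ldapsearch -ZZ -x -H "ldap://$host" \
            -b "$base" -s base '(objectClass=*)' supportedExtension \
            >/dev/null 2>"$tmp"; then
        rc=0
    else
        rc=$?
    fi
    err=$(cat "$tmp")
    rm -f "$tmp"
    classify_starttls "$rc" "$err"
}

# Constructed sample outputs, in the shape ldapsearch prints them, so the
# classifier can be exercised with no LDAP server on hand.
SAMPLE_NO_STARTTLS='ldap_start_tls: Protocol error (2)
    additional info: unsupported extended operation'
SAMPLE_CERT_FAIL='ldap_start_tls: Connect error (-11)
    additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
SAMPLE_ROOT_DSE='dn:
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1'

# Run against a real server only when a host is given on the command line,
# e.g.:  sh ldap_tls_probe.sh desktop.example.org
if [ $# -gt 0 ]; then
    probe_starttls "$1"
fi
```

A result of no_starttls means the slapd side is the problem (the TLS* lines are not being read, or the binary lacks TLS support); tls_failed with TLS_REQCERT demand is the expected result for a self-signed certificate until the CA (or the certificate itself) is placed in the file named by TLS_CACERT in the client's ldap.conf. For ldaps on port 636, the same check can be done with `openssl s_client -connect host:636`; newer OpenSSL builds (1.1.0 and later) can also exercise StartTLS on 389 with `openssl s_client -starttls ldap -connect host:389`.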


--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
