Re: Mysteries of openldap



On Friday 30 November 2007 03:59:15 pm Timothy Murphy wrote:
Craig White wrote:
I'm running openldap on my desktop,
and can access it fine from my laptop.
But I'd like to use TLS encryption
(as the desktop ldap is open to the world).

Unfortunately I find the openldap documentation
very difficult to follow.

...

short answer, use ldaps - even though it is deprecated.

Well, thanks very much for your response.
I'll try ldaps, as you suggest.
I couldn't tell, from the documentation,
what the difference is between ldap + TLS and ldaps,
except that they seem to use different ports.

ldaps is ldap over ssl, port 636: this would be similar to using https://
instead of http://

ldap + tls is ldap using the start_tls mechanism, port 389

self signed certs? add TLS_REQCERT to /etc/openldap/ldap.conf
and /etc/ldap.conf (openldap client apps use the one in the /etc/openldap
folder, everything else uses the one in the /etc directory)

I hadn't realized there was a second ldap.conf .
That's just about par for the course ...

this is old, obsolete but very useful

http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html

Thanks, I had seen that but ignored it after the rather prissy warning,
"This independently authored paper is considered to have obsolete status".
But with your recommendation I'll study it closely.

Reading openldap documentation is like driving through fog.
At least one has some sense of progress,
which is more than I can say for reading sendmail docs.



--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
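As an added example that is not part of the original thread: a client-side /etc/openldap/ldap.conf that puts the two transports discussed above (StartTLS on 389, ldaps on 636) side by side and shows the safer way to handle the self-signed certificate case. The hostname, base DN and certificate path are placeholders; the option names come from the OpenLDAP ldap.conf(5) manual.

```conf
# /etc/openldap/ldap.conf  (read by the OpenLDAP client library and ldap* tools)
# Hostname, base DN and CA path below are placeholders for this example.

BASE    dc=example,dc=com

# Either transport works; pick one.
# StartTLS: cleartext port 389, upgraded with the StartTLS extended operation.
URI     ldap://ldap.example.com/
# ldaps: TLS from the first byte on port 636 (like https:// vs http://).
#URI    ldaps://ldap.example.com/

# Weak setting: the client accepts any certificate, so the self-signed
# cert "works", but so does anyone else's. You get encryption without
# actually authenticating the server you are talking to.
#TLS_REQCERT never

# Preferred for a self-signed server cert: trust exactly that certificate
# (copied from the server out of band) and refuse anything that does not
# verify against it. "demand" is the library default, stated here so that
# a stray "never" in another file is not silently inherited.
TLS_CACERT  /etc/openldap/cacerts/ldap.example.com.crt
TLS_REQCERT demand
```

Check each transport with `ldapsearch -x -ZZ -H ldap://ldap.example.com/ -b '' -s base` (the doubled -ZZ makes a failed StartTLS fatal rather than falling back to cleartext) and `ldapsearch -x -H ldaps://ldap.example.com/ -b '' -s base`. With TLS_REQCERT demand, a certificate that does not verify makes both commands fail loudly, which is what you want on a directory that is open to the world.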


--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
