Openldap TLS/SSL

Graeme Mathieson mathie+uk-freebsd-users at wossname.org.uk
Thu Oct 24 10:41:10 BST 2002


On Fri, Oct 18, 2002 at 04:20:32PM +0100, Rodney Edwards wrote:
> 
> Has any one got openldap using TLS/SSL on FreeBSD4.6 working.

OK, the following is from the LDAP server I have running on *cough*
Debian *cough* but I guess the principle should be the same.  Getting an
LDAP server running on FreeBSD 4.7 is this weekend's task, funnily
enough...

> I've installed
> openldap2 and openssl from ports and my slapd.conf is as the man page says.
> I've self signed my certificates and they have tested o.k. on Apache, but
> when using them with openldap it starts up asks you for the pass but just
> doesn't use TLS/SSL.

Are you telling slapd to listen for SSL connections?  It certainly
didn't do it for me by default.  I have the following to start it:

slapd -h "ldap:/// ldaps:///"

Though thinking about it now, that's probably just to get it to listen
on the SSL-wrapped socket.  The regular LDAP socket with starttls might
work without it.  I'm not about to break my LDAP server to try it
though. :-)

The slapd.conf wotsits are pretty straightforward:

TLSCertificateFile      /etc/ldap/ldap.wossname.org.uk.crt
TLSCertificateKeyFile   /etc/ldap/ldap.wossname.org.uk.key
TLSCACertificateFile    /etc/ldap/cacert.pem

The major stumbling block I had was that the Common Name in the SSL
certificate *must*[1] match the name you use in the URI.  For example,
the Common Name in my certificate is ldap.wossname.org.uk.  The URI I use
to connect to the LDAP server is:

ldapsearch -H ldaps://ldap.wossname.org.uk/

or

ldapsearch -H ldap://ldap.wossname.org.uk/ -ZZ

should also work.

Add SASL authentication with GSSAPI into the mix, BTW.  It makes it
*much* more fun. :-)

> Anyone got pam_ldap+nss_ldap working on FreeBSD4.x?

That's for this weekend too.  Probably with a dod of Kerberos in the mix
for good measure. :-)

[1] It's a MUST in the RFC IIRC.
-- 
Right now, there are scr1pt k1dd13s plotting to DDoS my network, my co-lo
server is not responding  to pings and  the people that I IRC with may be
involved in both.  I'm  sysadmin Graeme Mathieson and this is the longest
day of my life.                       http://www.wossname.org.uk/~mathie/
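The identity check the post describes (the name in the certificate has to match the host in the ldap:// or ldaps:// URI) is done by the client, and it is the reason a certificate with CN=ldap.wossname.org.uk works for ldaps://ldap.wossname.org.uk/ but not for ldaps://ldap/ or a bare IP address. The following is an added Python example, not code from the original post or from OpenLDAP: it implements that check in the spirit of RFC 4513 section 3.1.3 and RFC 6125 (dNSName subjectAltName first, with a wildcard honoured only as the whole leftmost label; subject CN only as a fallback when there is no dNSName; IP literals only against iPAddress entries). The certificate dictionaries are constructed for the example and mirror the shape returned by Python's ssl.SSLSocket.getpeercert(); the 192.0.2.10 address and the *.wossname.org.uk wildcard are assumptions for illustration.

```python
"""Server identity check for LDAP over TLS (added example, not from the post).

Rules follow RFC 4513 section 3.1.3 / RFC 6125 in simplified form:
  * host comes from the ldap:// or ldaps:// URI the client used;
  * dNSName SANs are checked first, wildcard only as the whole leftmost label;
  * the subject CN is used only when the cert has no dNSName SAN at all;
  * an IP literal matches only an iPAddress SAN, never a name.
"""
import ipaddress
from urllib.parse import urlsplit


def host_from_ldap_uri(uri):
    """Return the lowercase host the client must compare against the cert."""
    parts = urlsplit(uri)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URI: {uri!r}")
    if not parts.hostname:  # e.g. ldap:/// has no host to verify against
        raise ValueError(f"LDAP URI has no host: {uri!r}")
    return parts.hostname.lower()


def dns_name_matches(pattern, hostname):
    """Match one dNSName (or CN) value against the connection hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    # A wildcard is only honoured as the entire leftmost label ("*.example.org")
    # and never matches the bare parent domain or more than one label.
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(h_labels) != len(p_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_identities(peercert):
    """Collect (dns_names, ip_addrs) from the SAN; CN only as a fallback."""
    dns_names, ip_addrs = [], []
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "DNS":
            dns_names.append(value)
        elif kind == "IP Address":
            ip_addrs.append(value)
    if not dns_names:
        for rdn in peercert.get("subject", ()):
            for attr, value in rdn:
                if attr == "commonName":
                    dns_names.append(value)
    return dns_names, ip_addrs


def server_identity_matches(peercert, uri):
    """True if a client that connected to `uri` should accept `peercert`."""
    host = host_from_ldap_uri(uri)
    dns_names, ip_addrs = certificate_identities(peercert)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return any(dns_name_matches(p, host) for p in dns_names)
    # IP literals never match dNSName or CN entries, only iPAddress SANs.
    return any(ipaddress.ip_address(ip) == addr for ip in ip_addrs)


# Constructed sample certificates (not real ones) in getpeercert() shape.
CERT_CN_ONLY = {  # a 2002-style self-signed cert carrying just a CN
    "subject": ((("countryName", "GB"),),
                (("commonName", "ldap.wossname.org.uk"),)),
}
CERT_WITH_SAN = {  # same CN plus SANs, as a CA would issue today (assumed)
    "subject": ((("commonName", "ldap.wossname.org.uk"),),),
    "subjectAltName": (("DNS", "ldap.wossname.org.uk"),
                       ("DNS", "*.wossname.org.uk"),
                       ("IP Address", "192.0.2.10")),
}
CERT_SHORT_NAME = {  # CN set to the machine's short name: a common mistake
    "subject": ((("commonName", "ldap"),),),
}

if __name__ == "__main__":
    for label, cert in (("CN only", CERT_CN_ONLY), ("with SAN", CERT_WITH_SAN),
                        ("short CN", CERT_SHORT_NAME)):
        for uri in ("ldaps://ldap.wossname.org.uk/", "ldap://ldap/",
                    "ldaps://192.0.2.10/", "ldaps://mail.wossname.org.uk/"):
            print(f"{label:9} {uri:36} -> {server_identity_matches(cert, uri)}")
```

Run as a script it prints an accept/reject matrix; the "CN only" row is the situation in the post, where ldapsearch -H ldaps://ldap.wossname.org.uk/ (or ldap:// with -ZZ) succeeds and anything that names the server differently fails the TLS handshake.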
