How to test 389 Directory Server and openldap using TLS 1.1+

Mark Reynolds mareynol at redhat.com
Thu Nov 20 17:12:00 UTC 2014


How to test the new openldap with TLS1.1+ and 389 Directory Server

Get the new 389 Directory Server scratch builds:

F22 - http://koji.fedoraproject.org/koji/taskinfo?taskID=8194738
F21 - http://koji.fedoraproject.org/koji/taskinfo?taskID=8194917

[1] Install DS using setup-ds.pl.  Then set up SSL on the Directory Server.

I use this script to set up SSL: 
https://github.com/richm/scripts/blob/master/setupssl2.sh

./setupssl2.sh /etc/dirsrv/slapd-INSTANCE 389 636

slapd-INSTANCE is an example, it is usually slapd-<hostname>. This can 
also depend on what you specify during the server install. The script 
also expects the Directory Manager DN to be "cn=directory manager".

[2] Next configure DS to set the minimum SSL version it will accept:

ldapmodify -x -h host -p port -D "cn=directory manager" -w password
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: off
-
replace: nsTLS1
nsTLS1: on
-
replace: sslVersionMin
sslVersionMin: TLS1.1

[3] Restart the Directory Server:   restart-dirsrv

[4] Perform an ldapsearch using SSL

LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-INSTANCE ldapsearch -xLLL -H "ldaps://<host>:<secure port>" -b "" -s base "(objectclass=*)"

example:

LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-localhost ldapsearch -xLLL -H "ldaps://localhost.localdomain:636" -b "" -s base "(objectclass=*)"

Let me know if there are any questions.

Thanks,
Mark
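The steps above set the minimum on the server and then do one ldapsearch over LDAPS, which only proves that some TLS version was accepted. The check a practitioner also wants is the negative one: that the versions below sslVersionMin are now refused. The script below is an added example, not from Mark's post or the 389 Directory Server project. It generates the same cn=encryption LDIF for a chosen minimum, and after the restart probes the secure port once per TLS version with openssl s_client pinned to that version (-tls1, -tls1_1, -tls1_2, present in OpenSSL 1.0.1 and later), comparing what the server negotiated with what the configured minimum should allow. The file name tlsmin-check.sh, the host/port/password arguments and the "cn=directory manager" bind are placeholders; SSLv3 is not probed because many OpenSSL builds lack the -ssl3 option and an unknown flag would look like a refusal.

```shell
#!/bin/sh
# Added example, not part of the original post or the 389 DS project:
# confirm from the client side that the server refuses every TLS version
# below sslVersionMin and still accepts the rest.
# Assumptions: openssl s_client with -tls1/-tls1_1/-tls1_2, the attribute
# names under cn=encryption,cn=config used in the post, and a Directory
# Manager bind for the modify. Host, port and password are placeholders.
set -u

# Build the LDIF for the cn=encryption change. $1 is the minimum, e.g. TLS1.1.
min_tls_ldif() {
    case "$1" in
        TLS1.0|TLS1.1|TLS1.2) ;;
        *) echo "min_tls_ldif: unsupported minimum '$1'" >&2; return 1 ;;
    esac
    printf 'dn: cn=encryption,cn=config\nchangetype: modify\n'
    printf 'replace: nsSSL3\nnsSSL3: off\n-\n'
    printf 'replace: nsTLS1\nnsTLS1: on\n-\n'
    printf 'replace: sslVersionMin\nsslVersionMin: %s\n' "$1"
}

# Apply it over the plain port; restart-dirsrv is still needed afterwards.
apply_min_tls() {  # host port min [password]
    min_tls_ldif "$3" | ldapmodify -x -H "ldap://$1:$2" \
        -D "cn=directory manager" -w "${4:-password}"
}

# Numeric rank of a TLS version so minimums can be compared.
tls_rank() {
    case "$1" in
        TLS1.0) printf '0\n' ;; TLS1.1) printf '1\n' ;; TLS1.2) printf '2\n' ;;
        *) return 1 ;;
    esac
}

# Should version $1 be accepted by a server whose minimum is $2?
should_accept() { [ "$(tls_rank "$1")" -ge "$(tls_rank "$2")" ]; }

# openssl s_client flag that pins the handshake to exactly one version.
tls_flag() {
    case "$1" in
        TLS1.0) printf '%s\n' -tls1 ;;
        TLS1.1) printf '%s\n' -tls1_1 ;;
        TLS1.2) printf '%s\n' -tls1_2 ;;
        *) return 1 ;;
    esac
}

# Read s_client output on stdin; print the negotiated protocol, or "none"
# when no cipher was agreed (the server refused the handshake).
negotiated_protocol() {
    awk '
        /^New, .*Cipher is \(NONE\)/ { failed = 1 }
        /^ *Protocol *:/ { sub(/^ *Protocol *: */, ""); sub(/ *$/, ""); proto = $0 }
        END { if (failed || proto == "") print "none"; else print proto }'
}

# Probe each TLS version against the secure port and compare with what the
# configured minimum should allow. Returns non-zero on any mismatch.
probe_server() {  # host secure_port min
    local v out got want have status
    status=0
    for v in TLS1.0 TLS1.1 TLS1.2; do
        # stdin from /dev/null makes s_client exit right after the handshake
        out=$(openssl s_client -connect "$1:$2" "$(tls_flag "$v")" \
              </dev/null 2>/dev/null || true)
        got=$(printf '%s\n' "$out" | negotiated_protocol)
        if should_accept "$v" "$3"; then want=accepted; else want=rejected; fi
        if [ "$got" = none ]; then have=rejected; else have=accepted; fi
        if [ "$want" = "$have" ]; then
            printf '%s: %s (%s) OK\n' "$v" "$have" "$got"
        else
            printf '%s: %s (%s) MISMATCH, expected %s\n' "$v" "$have" "$got" "$want"
            status=1
        fi
    done
    return "$status"
}

# Usage: sh tlsmin-check.sh HOST SECURE_PORT MINIMUM
#   e.g. sh tlsmin-check.sh localhost.localdomain 636 TLS1.1
if [ "$#" -eq 3 ]; then
    probe_server "$1" "$2" "$3"
fi
```

Run it after step [3], against the same host and secure port used in step [4]. With sslVersionMin set to TLS1.1 the expected report is TLS1.0 rejected and TLS1.1 and TLS1.2 accepted; an "accepted" for TLS1.0 means the change did not take effect (typically a typo in the LDIF or a missing restart), and a "rejected" for TLS1.2 points at the client-side OpenSSL rather than the server.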
