OpenLDAP in FC4: Certificate instructions refers to non-existing directory/files?

Daniel B. Thurman dant at cdkkt.com
Fri Nov 25 21:04:17 UTC 2005


>From: fedora-list-bounces at redhat.com
>[mailto:fedora-list-bounces at redhat.com]On Behalf Of Paul Howarth
>Sent: Friday, November 25, 2005 10:42 AM
>To: For users of Fedora Core releases
>Subject: Re: OpenLDAP in FC4: Certificate instructions refers
>to non-existing directory/files?
>
>
>On Fri, 2005-11-25 at 10:28 -0800, Daniel B. Thurman wrote:
>> Hi Folks,
>> 
>> One of the things that made it exceedingly difficult to get LDAPS
>> running on FC4 (at least for me) was that the openssl version on
>> FC4 was "out of sync" with the LDAP How-To instructions explaining
>> how to create a self-signed certificate so that LDAP SSL can be made
>> to work.
>> 
>> In the many online LDAP setup instructions I have seen, the most
>> common ones seem to refer to the CA.sh file such as the link provided
>> below: 
>> 
>> http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#6.1
>> 
>> But the version of openssl on FC4 does not have this directory:
>> /usr/share/ssl nor does: /usr/share/ssl/misc/CA.sh exist.
>> 
>> I also noted that openssl in FC4 now uses /etc/pki directory instead
>> of /etc/ssl (but I do see a /etc/ssh directory but is this the same as
>> /etc/pki?) but otherwise is different from the openssl version used in
>> FC3/2/1?  Perhaps this is not surprising but it does make it a bit
>> difficult to keep up with the changing trends.
>> 
>> So can anyone explain what the procedure is for creating a
>> self-signed certificate, how to properly setup LDAP for SSL/TLS
>> support at the client and server side? The link provided above talks
>> about client side certificates but it seems rather vague since it is
>> not clear how exactly a client certificate should be created or if
>> client certificates have to be copied to other systems, which users
>> will need to have in order to successfully use the LDAPS server.
>> 
>> Finally, does anyone supply their own CA, avoiding "trusted"
>> CA sites such as Verisign/Thawte, etc.?  Are there really any
>> serious problems or risks by not using them as a trusted CA
>> source?
>
>I've just been playing with this myself this last couple of days - my
>first foray into LDAP.
>
>You can create a self-signed cert for the server as follows:
>
># cd /etc/pki/tls/certs
># rm slapd.pem
>(if there's one there, it'll probably have localhost.localdomain as the
>cn and therefore be practically useless)
># make slapd.pem
># chown root:ldap slapd.pem
># chmod 640 slapd.pem
>
>You can extract the CA cert (needed by clients) as follows, once the
>server's up:
>
>$ openssl s_client -connect your.ldap.server:636 | tee logfile
>(type "QUIT", followed by the "ENTER" key)
>
>The CA cert will be the text in logfile between the "BEGIN CERTIFICATE"
>and "END CERTIFICATE" markers inclusive.
>
>Paul.

Super!

But I need to figure out how to obtain/set for LDAP
in the /etc/openldap/slapd.conf:

TLSCACertificateFile  /etc/pki/tls/certs/slapd.pem
TLSCertificateFile    /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

Do I set it as shown above?

Thanks!
Dan
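The CA-extraction step from Paul's reply (the text between the "BEGIN CERTIFICATE" and "END CERTIFICATE" markers of the `openssl s_client ... | tee logfile` transcript), as an added shell example that is not part of the thread. The transcript it operates on is constructed here, with placeholder text in place of the certificate's base64 body.

```shell
#!/bin/sh
# Added example: carve the server certificate out of an s_client transcript
# so it can be dropped into the client's CA file. The sample transcript is
# constructed; its base64 body is a placeholder, not a real certificate.

# Print the first PEM certificate block, BEGIN/END markers inclusive.
# Stopping after the first block matters if s_client was run with
# -showcerts: the issuer chain would otherwise land in the CA file too.
extract_pem() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { inblock = 1 }
         inblock { print }
         /^-----END CERTIFICATE-----$/ { if (inblock) exit }' "$1"
}

# Sanity check: a transcript cut off before the cert was fully printed
# (Ctrl-C too early) yields a block without the END marker.
pem_is_complete() {
    [ "$(head -n 1 "$1")" = "-----BEGIN CERTIFICATE-----" ] &&
    [ "$(tail -n 1 "$1")" = "-----END CERTIFICATE-----" ]
}

# Show the subject so a cert with cn=localhost.localdomain is noticed
# before it is copied to clients (needs the openssl CLI and a real cert).
cert_subject() {
    openssl x509 -noout -subject -in "$1"
}

# Constructed stand-in for the logfile left by
# `openssl s_client -connect your.ldap.server:636 | tee logfile`.
write_sample_transcript() {
    cat > "$1" <<'EOF'
CONNECTED(00000003)
depth=0 /CN=ldap.example.com
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:/CN=ldap.example.com
   i:/CN=ldap.example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERbase64LINEONE
PLACEHOLDERbase64LINETWO==
-----END CERTIFICATE-----
subject=/CN=ldap.example.com
issuer=/CN=ldap.example.com
---
QUIT
DONE
EOF
}
```

Run `write_sample_transcript logfile; extract_pem logfile > cacert.pem` and then `pem_is_complete cacert.pem` before copying the result to a client.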
