Re: Mysteries of openldap

On Fri, 2007-11-30 at 14:17 +0000, Timothy Murphy wrote:
> I'm running openldap on my desktop,
> and can access it fine from my laptop.
> But I'd like to use TLS encryption
> (as the desktop ldap is open to the world).
> 
> Unfortunately I find the openldap documentation
> very difficult to follow.
> It is almost as though they speak a different language,
> say Finnish or Hungarian.
> 
> I've followed the instructions in chapter 14, "Using TLS",
> in the OpenLDAP Software 2.4 Administrator's Guide
> at <http://www.openldap.org/doc/admin24/>.
> I've un-commented out the lines
> -----------------------------
> TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
> TLSCertificateFile /etc/pki/tls/certs/slapd.pem
> TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
> -----------------------------
> and restarted "service ldap".
> 
> But I see no evidence that this has had any effect.
> I can access the ldap directory from my laptop
> exactly as I did before,
> even if I make the change
> -----------------------------
> # TLS_REQCERT allow
> TLS_REQCERT try
> -----------------------------
> in ldap.conf on my laptop,
> which as far as I can see (from "man ldap.conf")
> should require my certificate(s) to be checked.
> 
> But it seems to work, as I said, with or without certificates,
> and I see no evidence from tcpdump that
> any encryption has been requested or implemented.
> 
> If someone who speaks openldap could enlighten me
> I should be very grateful.
> 
> Incidentally, I have avoided installing SASL authentication,
> basically because I assumed that as it comes from Cyrus
> it was somehow related to Cyrus-Imap,
> which caused me great grief before I moved to dovecot.
> 
> Is SASL in fact the standard way to authenticate openldap?
> I read somewhere that there are "many ways"
> of authenticating openldap,
> without unfortunately any particular way being suggested.
> 
> Apologies for addressing what is probably an inappropriate forum.
> I tried posting to the gmane newsgroup 
> mirroring the mailing list at openldap-software@xxxxxxxxxxxx
> but unfortunately my postings there never appear.
> 
> Any advice or suggestions gratefully received.
----
they don't appear because Kurt is very much the hands on moderator of
the list and if you e-mail him, he will tell you probably that you are
off-topic.

short answer, use ldaps - even though it is deprecated.

longer answer, you'll have to fight through it.

Self-signed certs?  Add TLS_REQCERT to /etc/openldap/ldap.conf
and /etc/ldap.conf (OpenLDAP client apps use the one in the /etc/openldap
folder; everything else uses the one in the /etc directory).

this is old, obsolete but very useful

http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html

Craig

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
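The thread never states the point the poster is missing, so here it is as an added example (editor's code, not Craig's or Timothy's, and not anything from the OpenLDAP project): the TLSCACertificateFile / TLSCertificateFile / TLSCertificateKeyFile directives only make TLS *available* on slapd; they do not force any client to use it, which is exactly why tcpdump still shows cleartext. Requiring it is a separate `security` directive in slapd.conf (for example `security tls=128`, see slapd.conf(5)). On the client, TLS_REQCERT in ldap.conf only decides how strictly the server certificate is checked once TLS has been negotiated; it never *starts* TLS. That is done by `ldapsearch -ZZ` (StartTLS, fail if refused) or an `ldaps://` URI. The script below writes constructed slapd.conf and ldap.conf files (hostnames, paths and contents are illustrative, not from the thread) and classifies each one; it does not contact a server.

```shell
#!/bin/sh
# Added example: classify whether a slapd.conf makes TLS optional or
# required, and what TLS_REQCERT a client ldap.conf actually ends up with.
# All file contents below are constructed for illustration.

WORKDIR="${TMPDIR:-/tmp}/ldap-tls-check.$$"
mkdir -p "$WORKDIR"
trap 'rm -rf "$WORKDIR"' EXIT

# 1) The poster's situation: certificates configured, nothing enforced.
cat > "$WORKDIR/slapd-optional.conf" <<'EOF'
include         /etc/openldap/schema/core.schema
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
database        bdb
suffix          "dc=example,dc=com"
EOF

# 2) Hardened: same certificates plus a 'security' directive that makes
#    slapd refuse any operation not protected by at least 128-bit TLS.
cat > "$WORKDIR/slapd-required.conf" <<'EOF'
include         /etc/openldap/schema/core.schema
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
security tls=128
database        bdb
suffix          "dc=example,dc=com"
EOF

# 3) No TLS at all (directives still commented out).
cat > "$WORKDIR/slapd-plain.conf" <<'EOF'
include         /etc/openldap/schema/core.schema
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
database        bdb
suffix          "dc=example,dc=com"
EOF

# Client side: /etc/openldap/ldap.conf as the poster had it, and one
# with no TLS_REQCERT line so the default applies.
cat > "$WORKDIR/ldap-client.conf" <<'EOF'
BASE    dc=example,dc=com
URI     ldap://desktop.example.com
# TLS_REQCERT allow
TLS_REQCERT try
EOF
cat > "$WORKDIR/ldap-client-default.conf" <<'EOF'
BASE    dc=example,dc=com
URI     ldap://desktop.example.com
EOF

# Drop comment lines so a commented-out directive is not counted as active.
active_lines() {
    grep -v '^[[:space:]]*#' "$1"
}

# TLS is *available* if an active TLSCertificateFile directive exists.
tls_available() {
    active_lines "$1" | grep -qi '^[[:space:]]*TLSCertificateFile[[:space:]]'
}

# TLS is *required* if a 'security' line carries a non-zero ssf= or tls= factor.
tls_required() {
    active_lines "$1" \
      | grep -i '^[[:space:]]*security[[:space:]]' \
      | grep -Eqi '(^|[[:space:]])(ssf|tls)=[1-9][0-9]*'
}

# Prints one of: no-tls, optional, required.
tls_posture() {
    if ! tls_available "$1"; then
        echo "no-tls"
    elif tls_required "$1"; then
        echo "required"
    else
        echo "optional"
    fi
}

# Effective TLS_REQCERT of a client ldap.conf. ldap.conf(5) defaults to
# 'demand'. This setting only governs certificate checking once TLS is
# in use; it does not make a client start TLS.
client_reqcert() {
    v=$(active_lines "$1" | awk 'tolower($1)=="tls_reqcert"{v=tolower($2)} END{print v}')
    echo "${v:-demand}"
}

for f in slapd-optional slapd-required slapd-plain; do
    printf '%s: TLS %s\n' "$f.conf" "$(tls_posture "$WORKDIR/$f.conf")"
done
printf 'ldap-client.conf: TLS_REQCERT %s\n' "$(client_reqcert "$WORKDIR/ldap-client.conf")"

# To make a client actually negotiate TLS (and see it in tcpdump), either:
#   ldapsearch -ZZ -H ldap://desktop.example.com -x -b 'dc=example,dc=com' -s base
#       -ZZ issues StartTLS on port 389 and aborts if the server refuses it
#   ldapsearch -H ldaps://desktop.example.com -x -b 'dc=example,dc=com' -s base
#       TLS from the first byte on port 636; slapd must listen there
#       (started with -h "ldap:/// ldaps:///")
```

With the poster's self-signed slapd.pem, `TLS_REQCERT try` plus a TLSCACertificateFile of the distribution CA bundle will make a `-ZZ` search fail on certificate verification, since the bundle does not contain that certificate; either add the self-signed certificate to the client's TLS_CACERT file, or (as Craig suggests, for testing only) lower TLS_REQCERT. Neither of those changes what the server accepts in the clear; only the `security` directive in slapd.conf does.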