----- Original Message Follows -----
From: Hallvard B Furuseth <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: [email protected]
Subject: [ldap] Re: start_tls with open ldap
Date: Mon, 5 Mar 2007 12:25:42 +0100

> [EMAIL PROTECTED] writes:
> > I would like to secure my OpenLDAP access between the server and
> > clients. I have gone through some documentation and found that the
> > start-tls option in /etc/ldap.conf enables this feature. I have already
> > created a self-signed certificate.
> > But I can't understand the tls_checkpeer option. Should I enable it?
> > What else do I need to do to activate TLS?
>
> Turn it on. And tls_cacertfile with the CA certificate which signed the
> server's certificate.
>
> It means that the client will verify that the server certificate is
> valid, trusted, and has the name of the hostname you _thought_ you were
> connecting to. Thus an attacker can't hijack/redirect your connection to
> a hostile server, since that server would need the certificate and its
> key in order to impersonate your server.

Thanks Hallvard, I have done that as you mentioned. Then I set the
certificate path according to my certificate location. But what is
tls_cacertdir? I have tried to use LDAP with start_tls on, but now it
gives

------
pam_ldap: ldap_starttls_s: Protocol error
-----------

Could someone kindly suggest how to solve it? Thanks a lot for all the
guidance from the list.

> --
> Regards,
> Hallvard
>
> ---
> You are currently subscribed to [email protected] as: [EMAIL PROTECTED]
> To unsubscribe send email to [EMAIL PROTECTED] with the word UNSUBSCRIBE
> as the SUBJECT of the message.
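Added example, not part of the thread and not code from pam_ldap or OpenLDAP: a small Python checker that reads a pam_ldap/nss_ldap style ldap.conf and reports whether the client-side settings Hallvard describes are in place (StartTLS enabled, tls_checkpeer turned on, and a trust anchor configured). It also covers the poster's follow-up question: tls_cacertfile names one PEM file holding the CA certificate(s), while tls_cacertdir names a directory that libldap hands to OpenSSL, which only finds certificates there by their subject-hash file names (<hash>.0, <hash>.1, ... as produced by c_rehash or "openssl rehash"); a directory that merely contains ca.pem will not verify anything. The directive spellings (ssl start_tls, tls_checkpeer, tls_cacertfile, tls_cacertdir) are the pam_ldap ones; the hostnames, paths and file listings in the samples are constructed placeholders, and the directory listing is injected as a parameter so the check runs without touching the filesystem.

```python
"""Audit a pam_ldap/nss_ldap style ldap.conf for the StartTLS settings
discussed in the thread. Example code, not from pam_ldap or OpenLDAP."""
import os
import re

# OpenSSL CA-directory lookup only sees files named <subject-hash>.<n>,
# e.g. 5ed36f1a.0, which is what c_rehash / "openssl rehash" creates.
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")

# Constructed sample configs (hostnames and paths are placeholders).
WEAK_CONF = """\
# peer check off and no CA configured: StartTLS runs, but the server
# certificate is accepted unverified
host ldap.example.com
base dc=example,dc=com
ssl start_tls
tls_checkpeer no
"""

HARDENED_CONF = """\
host ldap.example.com
base dc=example,dc=com
ssl start_tls
tls_checkpeer yes
# the CA that signed the server certificate (placeholder path)
tls_cacertfile /etc/ssl/certs/example-ca.pem
"""

CADIR_CONF = """\
host ldap.example.com
base dc=example,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertdir /etc/ssl/ldap-cacerts
"""


def parse_ldap_conf(text):
    """Return {directive: value}; the last occurrence of a directive wins.
    Directive names are case-insensitive in ldap.conf, so keys are lowercased."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_tls(conf, cacertdir_entries=None):
    """Return a list of findings; an empty list means the settings look sound.
    cacertdir_entries: optional listing of tls_cacertdir, so the check can be
    run on a config without reading the real directory."""
    findings = []
    if conf.get("ssl", "").lower() != "start_tls":
        findings.append("StartTLS not enabled: set 'ssl start_tls'")
    if conf.get("tls_checkpeer", "").lower() != "yes":
        findings.append("tls_checkpeer is not 'yes': the server certificate is "
                        "not verified, so a redirected connection goes unnoticed")
    cafile = conf.get("tls_cacertfile")
    cadir = conf.get("tls_cacertdir")
    if not cafile and not cadir:
        findings.append("no trust anchor: set tls_cacertfile (the CA that signed "
                        "the server certificate) or tls_cacertdir")
    if cadir:
        try:
            entries = (cacertdir_entries if cacertdir_entries is not None
                       else os.listdir(cadir))
        except OSError as exc:
            entries = []
            findings.append("tls_cacertdir %s is unreadable: %s" % (cadir, exc))
        if not any(HASHED_NAME.match(e) for e in entries):
            findings.append("tls_cacertdir has no <hash>.<n> entries; OpenSSL will "
                            "not find the CA there (run c_rehash on the directory)")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_tls(parse_ldap_conf(text)) or "OK")
    # constructed listings: a bare ca.pem vs. a c_rehash-style symlink name
    print("cadir/plain", audit_tls(parse_ldap_conf(CADIR_CONF), ["ca.pem"]))
    print("cadir/hashed", audit_tls(parse_ldap_conf(CADIR_CONF), ["5ed36f1a.0"]) or "OK")
```

The check is deliberately client-side only: a "Protocol error" from ldap_starttls_s is the server's answer to the StartTLS request, so once the client config passes this audit the next place to look is the server's TLS setup and its log, not ldap.conf.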
