Vijay,

This may help. Check that each file is properly readable.

Best
--- Olivier

---------- Forwarded message ----------
From: Olivier <[email protected]>
Date: Thu, Aug 11, 2011 at 2:23 PM
Subject: tls extra mini howto
To: [email protected]

Having spent quite some time to make TLS work, I thought this may be useful to some:

1/ Create a self-signed CA certificate:
  a/ create the CA.key private key:
     $ openssl genrsa -des3 -out CA.key 1024
  b/ create the CA.crt certificate:
     $ openssl req -new -key CA.key -x509 -days 1095 -out CA.crt

2/ For each ldap server (if you have more than one) create a certificate:
  a/ create the server.key private key:
     openssl genrsa -out server.key
  b/ create a server.csr certificate request:
     openssl req -new -key server.key -out server.csr
  c/ create the server.crt certificate signed by your own CA:
     openssl x509 -req -days 2000 -in server.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out server.crt

3/ Configure slapd.conf (the correct "server.key" and "server.crt" files must be copied on each server):
     TLSCACertificateFile /etc/openldap/cacerts/CA.crt
     TLSCertificateFile /etc/openldap/cacerts/server.crt
     TLSCertificateKeyFile /etc/openldap/cacerts/server.key
     TLSCipherSuite HIGH:MEDIUM:+SSLv2
     # personally, I only check servers from the client.
     # If you do, add this:
     TLSVerifyClient never

4/ On clients: copy CA.crt to the right place (normally it should be somewhere in /etc/pki...), and add this in ldap.conf:
     TLS_CACERT /etc/openldap/cacerts/CA.crt

   If you use sssd, add this in /etc/sssd/sssd.conf:
     ldap_tls_cacert = /etc/openldap/cacerts/CA.crt
     ldap_tls_reqcert = demand

Then you can test using ldapsearch with -Z.

Best
--- Olivier

NOTE: I haven't been able to make it work with mozilla certutil
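The script below is an added example, not part of Olivier's howto or of OpenLDAP: it runs the same CA-then-server-certificate procedure non-interactively and then performs the checks a client configured with ldap_tls_reqcert = demand will effectively perform (chain verification, hostname match, key/certificate pairing) plus the "is each file properly readable" check from the reply. The host name ldap.example.com, the working directory, the 2048-bit key size in place of the howto's 1024, and the added subjectAltName extension are assumptions; the CA key is left unencrypted here only so the script needs no passphrase prompt.

```shell
#!/bin/sh
# Added example: build a private CA and a server certificate for slapd, then
# check the result the way a verifying LDAP client would. Not code from the
# original post. Host name and directory are supplied by the caller.
set -eu

# mk_ldap_tls DIR HOST: steps 1/ and 2/ of the howto, non-interactive.
mk_ldap_tls() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    # 1/ the CA. 2048-bit RSA rather than the howto's 1024 (assumed choice);
    # in real use keep this key offline and passphrase-protected (-des3).
    openssl genrsa -out "$dir/CA.key" 2048 2>/dev/null
    openssl req -new -key "$dir/CA.key" -x509 -days 1095 -sha256 \
        -subj "/CN=Example LDAP CA" -out "$dir/CA.crt"
    # 2/ the server key and CSR. slapd reads TLSCertificateKeyFile without a
    # passphrase, so the server key stays unencrypted, as in the howto.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=$host" -out "$dir/server.csr"
    # "openssl x509 -req" copies no extensions from the CSR, so a certificate
    # made exactly as in the howto carries no subjectAltName. Clients that check
    # the host name (ldap_tls_reqcert = demand) expect one, so add it here.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$dir/server.ext"
    openssl x509 -req -days 2000 -sha256 -in "$dir/server.csr" \
        -CA "$dir/CA.crt" -CAkey "$dir/CA.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
    # "Check that each file is properly readable": certificates are public,
    # private keys must be readable only by their owner (the slapd user).
    chmod 644 "$dir/CA.crt" "$dir/server.crt"
    chmod 600 "$dir/CA.key" "$dir/server.key"
}

# check_ldap_tls DIR HOST: returns 0 only when every check passes.
check_ldap_tls() {
    dir="$1"; host="$2"
    # chain: server.crt must be signed by CA.crt (what TLS_CACERT enforces)
    openssl verify -CAfile "$dir/CA.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    # pairing: the key and the certificate must carry the same public key,
    # otherwise slapd refuses to start its TLS listener
    k=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$dir/server.crt" -pubkey -noout | openssl dgst -sha256)
    [ "$k" = "$c" ] || return 1
    # host name: what a "demand" client compares against the name it connected to
    openssl x509 -in "$dir/server.crt" -noout -checkhost "$host" \
        | grep -q 'does match' || return 1
    # permissions: private key not readable by group or others
    [ "$(ls -l "$dir/server.key" | cut -c1-10)" = "-rw-------" ] || return 1
}
```

Copy CA.crt, server.crt and server.key into /etc/openldap/cacerts/ on each server as in step 3/, keeping the 600 mode on the key and making sure it is owned by the account slapd runs as. Two further points a current deployment should change relative to the howto's slapd.conf: the cipher string HIGH:MEDIUM:+SSLv2 still admits MEDIUM-strength and SSLv2-era suites, and slapd.conf also accepts TLSProtocolMin (3.3 selects TLS 1.2 as the floor), so something like TLSCipherSuite HIGH:!aNULL:!MD5 together with TLSProtocolMin 3.3 is the usual starting point today. Once slapd is up, openssl s_client -connect HOST:389 -starttls ldap -CAfile CA.crt shows the same verification result ldapsearch -Z will get.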
