setup openldap with ssl
The following url has a comprehensive description of configuring openldap server to use ssl:
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html
Essentially, one can choose between a basic server-side SSL setup (one-way authentication with a single self-signed root CA) and an advanced client-side SSL setup (two-way authentication with a server-side root CA, private key, root-CA-signed server cert, client private key, and root-CA-signed client certificate). I have successfully set up ldaps using the documentation in the provided URL. It also covers a bit of openssl usage, which is nice. It certainly is an accomplishment after manually setting up an openldap server/client using SSL and understanding what's going on behind the scenes.
One thing learnt is that when certificates are involved, it's extremely important that the client use the right hostname or IP address (one or the other, not both) matching what's recorded in the certificate. openssl is a good tool to diagnose this sort of issue with its s_client and s_server emulation operations.
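As an added example (not from the original post or the OpenLDAP documentation it links), the script below builds a throwaway root CA and a CA-signed server certificate, then uses openssl verify to show why the name a client connects with has to be the one recorded in the certificate. The hostname ldap.example.com, the address 192.0.2.10 and the file names are constructed placeholders; the CA and server cert are generated locally so nothing needs a running slapd.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a test CA plus a
# server certificate carrying both a DNS and an IP subjectAltName, then checks
# which client-supplied names the certificate actually matches.
# Placeholders (constructed): ldap.example.com, 192.0.2.10, file names below.

# Create a self-signed root CA and a CA-signed server cert in a temp dir.
# Prints the directory path on success.
make_test_pki() {
    dir=$(mktemp -d) || return 1
    # Minimal config so the run does not depend on a system openssl.cnf.
    # basicConstraints CA:TRUE is required or "openssl verify" rejects the issuer.
    printf '%s\n' \
        '[req]' 'prompt = no' 'distinguished_name = dn' 'x509_extensions = ca_ext' \
        '[dn]' 'CN = OpenLDAP Test Root CA' \
        '[ca_ext]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' \
        > "$dir/ca.cnf"
    # The "single self-signed root CA" of the basic server-side setup.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # Server key and CSR; -subj overrides the CN from the config section.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj '/CN=ldap.example.com' \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # The SAN extension is what the name check uses once a DNS SAN is present;
    # the subject CN is then ignored for DNS matching.
    printf 'subjectAltName = DNS:ldap.example.com, IP:192.0.2.10\n' > "$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.pem" 2>/dev/null || return 1
    printf '%s\n' "$dir"
}

# 0 when server.pem chains to ca.pem AND the given DNS name matches a DNS SAN.
check_cert_hostname() {
    openssl verify -CAfile "$1/ca.pem" -verify_hostname "$2" "$1/server.pem" >/dev/null 2>&1
}

# 0 when server.pem chains to ca.pem AND the given address matches an IP SAN.
check_cert_ip() {
    openssl verify -CAfile "$1/ca.pem" -verify_ip "$2" "$1/server.pem" >/dev/null 2>&1
}

# Report one name check as a client would experience it.
report() {
    if "$1" "$2" "$3"; then
        echo "$3: matches certificate (ldaps:// connection would pass the name check)"
    else
        echo "$3: does NOT match certificate (client would refuse the TLS session)"
    fi
}

pki=$(make_test_pki) || { echo "could not build test PKI" >&2; exit 1; }
report check_cert_hostname "$pki" ldap.example.com   # DNS SAN present: OK
report check_cert_hostname "$pki" ldap.example.org   # wrong name: fails
report check_cert_ip       "$pki" 192.0.2.10         # IP SAN present: OK
# A hostname check never consults IP SANs, so connecting by address while
# verifying it as a hostname fails even though the address is in the cert.
report check_cert_hostname "$pki" 192.0.2.10
```

The same -verify_hostname option is accepted by openssl s_client, so against a live slapd the equivalent diagnosis is openssl s_client -connect host:636 -CAfile ca.pem -verify_hostname host, where host must be exactly the name the LDAP client puts in its ldaps:// URI; if slapd is reached by IP the certificate needs an IP SAN for that address, and a DNS-only certificate will fail the check.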