Meditation, The Art of Exploitation

Thinking? At last I have discovered it--thought; this alone is inseparable from me. I am, I exist--that is certain. But for how long? For as long as I am thinking. For it could be, that were I totally to cease from thinking, I should totally cease to exist....I am, then, in the strict sense only a thing that thinks.

Tuesday, December 26, 2006

setup openldap with ssl

The following URL has a comprehensive description of configuring an OpenLDAP server to use SSL/TLS:
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html

Essentially, one can choose between a basic server-side SSL setup (one-way authentication: the server presents a certificate signed by a single self-signed root CA, and clients verify it against that CA) and an advanced client-side SSL setup (two-way, or mutual, authentication: on the server side the root CA, a private key and a root-CA-signed server certificate; on the client side a private key and a root-CA-signed client certificate, which the server verifies in turn). I have successfully set up ldaps using the documentation in the provided URL. It also covers a bit of openssl usage, which is nice. It certainly is an accomplishment after manually setting up the OpenLDAP server and client using SSL and understanding what's going on behind the scenes.

One thing learnt is that when certificates are involved, it's extremely important that the name the client connects to matches what's recorded in the server certificate: use the hostname or the IP address that appears in the certificate, not whichever is convenient, since a certificate issued for a hostname will not validate a connection made by IP address (and vice versa). openssl is a good tool to diagnose this sort of issue with its s_client and s_server emulation operations.
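The whole procedure as an added shell example (my own, not code from the linked guide or from the OpenLDAP project): build a throwaway root CA and CA-signed server and client certificates with openssl, write the slapd.conf and client-side TLS directives that reference them, and check the name-matching point above with openssl's own certificate checks. The FQDN ldap.example.internal, the DNs, the working directory and the user name are assumptions for illustration; a live slapd is not required, only the openssl binary.

```shell
#!/bin/sh
# Added example, not taken from the OpenLDAP TLS guide or the OpenLDAP sources.
# Builds a root CA plus CA-signed server and client certs, writes the TLS
# directives for slapd.conf / ldap.conf / .ldaprc, and checks that the name
# a client connects with is the one recorded in the server certificate.
# SERVER_FQDN, DNs and paths are assumptions for illustration.
set -eu

WORK=${WORK:-$(mktemp -d)}
SERVER_FQDN=${SERVER_FQDN:-ldap.example.internal}

# Self-signed root CA: its certificate is the only thing clients need to trust.
# stderr is silenced because key generation is chatty; set -e still catches errors.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Key + CSR signed by the CA. $1 = basename, $2 = subject, $3 = one extension line.
make_signed_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    printf '%s\n' "$3" > "$WORK/$1.ext"
    openssl x509 -req -days 365 -in "$WORK/$1.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

build_pki() {
    make_ca
    # The server cert carries the hostname clients will put in their URI.
    make_signed_cert server "/CN=$SERVER_FQDN" "subjectAltName=DNS:$SERVER_FQDN"
    # The client cert is only needed for the two-way (mutual) setup.
    make_signed_cert client "/CN=alice" "extendedKeyUsage=clientAuth"
}

# Chain check: does our CA actually vouch for this certificate?
verify_chain() { openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null; }

# Name checks, the same comparison an LDAP client performs against its URI.
# openssl prints "... does match certificate" or "... does NOT match certificate".
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}
cert_matches_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match'
}

write_configs() {
    # Server side. TLSVerifyClient demand = mutual TLS; "never" gives the
    # one-way, server-certificate-only setup.
    cat > "$WORK/slapd.conf" <<EOF
TLSCACertificateFile $WORK/ca.crt
TLSCertificateFile $WORK/server.crt
TLSCertificateKeyFile $WORK/server.key
TLSVerifyClient demand
EOF
    # Client side, system-wide. The URI host must be the name in the cert;
    # TLS_REQCERT demand refuses any server that cannot be verified.
    cat > "$WORK/ldap.conf" <<EOF
URI ldaps://$SERVER_FQDN:636
BASE dc=example,dc=internal
TLS_CACERT $WORK/ca.crt
TLS_REQCERT demand
EOF
    # TLS_CERT / TLS_KEY are user-only options, so they belong in ~/.ldaprc.
    cat > "$WORK/ldaprc" <<EOF
TLS_CERT $WORK/client.crt
TLS_KEY $WORK/client.key
EOF
}

# Against a running slapd this repeats the chain and hostname checks end to end;
# "Verify return code: 0 (ok)" appears only if both pass.
probe_ldaps() {
    openssl s_client -connect "$SERVER_FQDN:636" -CAfile "$WORK/ca.crt" \
        -verify_hostname "$SERVER_FQDN" -verify_return_error </dev/null
}

build_pki
write_configs
verify_chain "$WORK/server.crt"
for name in "$SERVER_FQDN" localhost; do
    if cert_matches_host "$WORK/server.crt" "$name"; then
        echo "connect as $name: name matches certificate"
    else
        echo "connect as $name: name does NOT match certificate"
    fi
done
cert_matches_ip "$WORK/server.crt" 127.0.0.1 || echo "connect by 127.0.0.1: no match"
echo "CA, certificates and config fragments written under $WORK"
```

Run it once to see the mismatch the post describes: the certificate matches ldap.example.internal but neither localhost nor 127.0.0.1, so an `ldapsearch -H ldaps://127.0.0.1` with TLS_REQCERT demand would fail even though the chain is perfectly valid. Once slapd is running with the generated slapd.conf fragment, `probe_ldaps` performs the same checks over a real connection.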