[KLUG Members] OpenLDAP + TLS
Matty
members@kalamazoolinux.org
Thu, 26 Dec 2002 12:39:43 -0500
Adam Williams wrote:
>>I am going nuts trying to get OpenLDAP 2.1.9 TLS enabled. According
>>to http://www.openldap.org, the only items required to enable TLS/SSL
>>are: Client Certificate, Client cert private key associated and the
>>Root CA Certificate. I did this, but OpenLDAP refuses to startup with
>>TLS/SSL support :( I built this from scratch, and it was built with
>>"--enable-tls." Anyone else seen this? The appropriate lines from my
>>ldap.conf are shown below.
>>-=- ldap.conf -=-
>>TLSCertificateFile /usr/local/openldap/etc/certs/ldapcert.pem
>>TLSCertificateKeyFile /usr/local/openldap/etc/certs/ldapkey.pem
>>TLSCACertificateFile /usr/local/openldap/etc/certs/cacert.pem
>
>
> Is slapd linked to the SSL libraries?
>
> What ports is slapd listening on (netstat -ap | grep slap)?
>
> Are you sure the security context of the slapd process has permissions
> to read the cert files?
>
> What is your loglevel? Do you see any errors pertaining to the refusal
> to use SSL/TLS?
>
I finally got it working. The binaries were built correctly, but I
didn't realize I needed to add "-h ldap:/// ldaps:///" to the arguments
passed to slapd. I am also having one other small issue. If I add
a cn, and want to allow that cn to only write to one branch of the
tree, I would think the following access controls would work:
access to dn="ou=contacts,dc=dom,dc=com"
        by dn="cn=email,dc=dom,dc=com" write
access to *
        by dn="cn=Manager,dc=dom,dc=com" write
I am consistently getting permission denied when I bind as the
user email :( According to the OpenLDAP site and Adam's awesome
LDAPv3 presentation, I thought this would work. So far no go :(
- Ryan
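Added example, not from the thread: a slapd.conf ACL set for the same branch-scoped write grant, written for OpenLDAP 2.1 semantics, where a bare dn="..." in an "access to" clause is an exact match on that one entry and a DN style such as dn.subtree is needed to cover the entries beneath it. The DNs are the ones from Ryan's post; the remaining "by" grants are assumptions for illustration.

```conf
# Constructed example (not the poster's configuration).
#
# "access to dn=..." with no style matches only the ou=contacts entry
# itself. Children of that entry fall through to the next clause, where
# cn=email has no grant and gets the implicit "by * none".
# dn.subtree covers the entry and everything under it.
access to dn.subtree="ou=contacts,dc=dom,dc=com"
        by dn.exact="cn=email,dc=dom,dc=com" write
        by dn.exact="cn=Manager,dc=dom,dc=com" write
        by users read
        by * none

# Clauses are evaluated top to bottom and the first matching "access to"
# wins, so the narrow rule above must precede the catch-all below.
# Everything else: only cn=Manager may write; authenticated users read;
# anonymous gets nothing (explicit, rather than relying on the default).
access to *
        by dn.exact="cn=Manager,dc=dom,dc=com" write
        by users read
        by * none
```

To see why a given bind is denied, run slapd with ACL logging (loglevel 128, or "-d 128" on the command line), which prints each access rule as it is evaluated against the target entry and the bound DN.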