[KLUG Members] OpenLDAP + TLS

Matty members@kalamazoolinux.org
Thu, 26 Dec 2002 12:39:43 -0500


Adam Williams wrote:
>>I am going nuts trying to get OpenLDAP 2.1.9 TLS enabled. According
>>to http://www.openldap.org, the only items required to enable TLS/SSL
>>are: Client Certificate, Client cert private key associated and the
>>Root CA Certificate. I did this, but OpenLDAP refuses to start up with
>>TLS/SSL support :( I built this from scratch, and it was built with 
>>"--enable-tls." Anyone else seen this? The appropriate lines from my 
>>ldap.conf are shown below.
>>-=- ldap.conf -=-
>>TLSCertificateFile    /usr/local/openldap/etc/certs/ldapcert.pem
>>TLSCertificateKeyFile /usr/local/openldap/etc/certs/ldapkey.pem
>>TLSCACertificateFile  /usr/local/openldap/etc/certs/cacert.pem
> 
> 
> Is slapd linked to the SSL libraries?
> 
> What ports is slapd listening on (netstat -ap | grep slap)?
> 
> Are you sure the security context of the slapd process has permissions
> to read the cert files?
> 
> What is your loglevel?  Do you see any errors pertaining to the refusal
> to use SSL/TLS?
> 

I finally got it working. The binaries were built correctly, but I
didn't realize I needed to add "-h ldap:/// ldaps:///" to the arguments
passed to slapd. I am also having one other small issue. If I add
a cn, and want to allow that cn to only write to one branch of the
tree, I would think the following access controls would work:

access to dn="ou=contacts,dc=dom,dc=com"
         by      dn="cn=email,dc=dom,dc=com"           write

access to *
         by      dn="cn=Manager,dc=dom,dc=com"         write

I am consistently getting permission denied when I bind as the
user email :( According to the openldap site and Adam's awesome
LDAPv3 presentation, I thought this would work. So far no go :(

- Ryan
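As an added example that is not part of the thread: a small Python model of the first-match evaluation slapd applies to slapd.conf access rules, run over the two rules quoted above (an exact-DN match is assumed for the first target, since the post gives no dn style) and over a variant that covers the whole ou=contacts subtree and grants anonymous "auth" access to userPassword, which a simple bind needs before any rule for the bound DN comes into play. It goes beyond the post in modelling the general semantics rather than this one pair of rules; all DNs are constructed sample data.

```python
# Added example, not code from the thread. slapd picks the FIRST "access to"
# clause whose target matches the entry (and attribute); within it the FIRST
# matching "by" clause decides, and no matching "by" behaves as "by * none".
# Modelled subset: dn.exact, dn.subtree, attrs=; who: *, anonymous, self, dn=<DN>.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def in_subtree(dn, base):
    return dn == base or dn.endswith("," + base)

def target_matches(target, entry_dn, attr):
    # target keys (all optional): dn_exact, dn_subtree, attrs; {} means "access to *"
    if "dn_exact" in target and entry_dn != target["dn_exact"]:
        return False
    if "dn_subtree" in target and not in_subtree(entry_dn, target["dn_subtree"]):
        return False
    if "attrs" in target and attr not in target["attrs"]:
        return False
    return True

def who_matches(who, requester_dn, entry_dn):
    # requester_dn is None for an anonymous (not yet bound) connection
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "self":
        return requester_dn is not None and requester_dn == entry_dn
    return who.startswith("dn=") and requester_dn == who[3:]

def allowed(acl, requester_dn, entry_dn, attr, needed):
    # True if requester_dn gets at least `needed` access to attr of entry_dn
    for target, by_clauses in acl:
        if not target_matches(target, entry_dn, attr):
            continue                       # try the next "access to" clause
        for who, level in by_clauses:
            if who_matches(who, requester_dn, entry_dn):
                return LEVELS.index(level) >= LEVELS.index(needed)
        return False                       # matched target, implicit "by * none"
    return False                           # no clause matched (unreached here)

# The two rules from the post, assuming the first target is an exact-DN match.
POSTED_ACL = [
    ({"dn_exact": "ou=contacts,dc=dom,dc=com"}, [("dn=cn=email,dc=dom,dc=com", "write")]),
    ({}, [("dn=cn=Manager,dc=dom,dc=com", "write")]),
]
# Variant: whole ou=contacts subtree, plus the userPassword rule a simple bind
# needs (anonymous must get "auth" on it before the bind can succeed).
SUBTREE_ACL = [
    ({"attrs": {"userPassword"}}, [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    ({"dn_subtree": "ou=contacts,dc=dom,dc=com"}, [("dn=cn=email,dc=dom,dc=com", "write"), ("*", "read")]),
    ({}, [("dn=cn=Manager,dc=dom,dc=com", "write"), ("*", "read")]),
]
```

With the posted rules, cn=email can write the ou=contacts entry itself but nothing beneath it, and an anonymous connection gets no "auth" access to its userPassword, so the bind step is where evaluation first fails under the "access to *" rule.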