LDAP + SSL (LDAPS, ldaps:// URI) = port 636
LDAP + TLS (StartTLS on the normal LDAP port) = port 389 (no change)
Server:
(1) Create a certificate for the LDAP server.
Note that the subject CN MUST match the hostname clients will connect to (the name given to -h or in the ldaps:// URI); a client that verifies certificates rejects the server otherwise.
(2) Remove the DES3 passphrase from the private key, so slapd can load it without prompting:
openssl rsa -in private.des3 -out slapd.pem
(3) Add an empty line at the end of slapd.pem, so the certificate does not start on the same line as the key's END marker:
echo >> slapd.pem
(4) Append the server's certificate to the end of slapd.pem:
cat newcert.pem >> slapd.pem
(5) cp slapd.pem /etc/openldap/cacerts/
chown root:ldap /etc/openldap/cacerts/slapd.pem
chmod 640 /etc/openldap/cacerts/slapd.pem
slapd.pem now contains the unencrypted private key, so it must not be world-readable: root owns it and the ldap group that slapd runs as can read it, nobody else.
(6) cp cacert.pem /etc/openldap/cacerts/
(7) Modify slapd.conf. Both the certificate and the key directive point at slapd.pem, which is fine because the file holds both:
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/slapd.pem
TLSCertificateKeyFile /etc/openldap/cacerts/slapd.pem
(8) service ldap restart
(9) netstat -ntlp
Both port 636 (ldaps) and port 389 (ldap, with StartTLS available) should now be listening. If 636 is missing, slapd was not started with an ldaps:/// listener; on RedHat-style systems check SLAPD_LDAPS in /etc/sysconfig/ldap.
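The server steps above collected into one script, as an added example that is not part of the original post: it strips the passphrase, assembles slapd.pem in the order slapd expects (key, blank line, certificate), and then checks the things slapd and its clients depend on before the file is installed: that the key block comes first, that the key and certificate actually belong together, and that the subject CN equals the hostname clients will use. The file names, the hostname linux.kirika.idv.tw and the KEYPASS variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the original post's commands. Builds and verifies slapd.pem
# from a passphrase-protected key (private.des3) and a server cert (newcert.pem).
# File names, the hostname and the KEYPASS variable are illustrative assumptions.
set -eu

# Steps (2)-(4): strip the passphrase, then write key + blank line + cert.
# An exported KEYPASS supplies the passphrase non-interactively; leave it
# unset to be prompted, exactly as the plain "openssl rsa" command does.
build_slapd_pem() {   # usage: build_slapd_pem private.des3 newcert.pem slapd.pem
    key=$1 cert=$2 out=$3
    (
        umask 077     # the output holds the private key: create it mode 0600
        if [ -n "${KEYPASS:-}" ]; then
            openssl rsa -in "$key" -passin env:KEYPASS -out "$out"
        else
            openssl rsa -in "$key" -out "$out"
        fi
    )
    echo >> "$out"
    cat "$cert" >> "$out"
}

# slapd reads both TLSCertificateFile and TLSCertificateKeyFile from this one
# file, so it must contain a PRIVATE KEY block followed by a CERTIFICATE block.
pem_layout_ok() {     # usage: pem_layout_ok slapd.pem
    keyline=$(grep -n -- '-----BEGIN.*PRIVATE KEY-----' "$1" | head -n 1 | cut -d: -f1)
    certline=$(grep -n -- '-----BEGIN CERTIFICATE-----' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$keyline" ] && [ -n "$certline" ] && [ "$keyline" -lt "$certline" ]
}

# A certificate issued for a different request is a common mistake: the RSA
# modulus of the key and of the certificate must be identical.
pair_ok() {           # usage: pair_ok slapd.pem
    [ "$(openssl rsa -in "$1" -noout -modulus)" = "$(openssl x509 -in "$1" -noout -modulus)" ]
}

# Step (1): the subject CN must equal the hostname that clients put in -h or
# in ldaps://... (newer clients also look at subjectAltName entries, but this
# setup relies on the CN).
cn_matches() {        # usage: cn_matches slapd.pem linux.kirika.idv.tw
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$2" ]
}

# Step (5): install readable only by root and the ldap group slapd runs as;
# a world-readable 0644 would hand the private key to every local user.
install_bundle() {    # usage: install_bundle slapd.pem /etc/openldap/cacerts
    install -o root -g ldap -m 640 "$1" "$2/$(basename "$1")"
}

# Typical run as root, after the certificate from step (1) exists:
#   KEYPASS='...'; export KEYPASS
#   build_slapd_pem private.des3 newcert.pem slapd.pem
#   pem_layout_ok slapd.pem && pair_ok slapd.pem && cn_matches slapd.pem linux.kirika.idv.tw
#   install_bundle slapd.pem /etc/openldap/cacerts && cp cacert.pem /etc/openldap/cacerts/
```

Run the three checks before restarting slapd: a wrong CN only shows up later as a client-side TLS failure, and a mismatched key/cert pair makes slapd refuse to start TLS at all.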
Client:
(1) vi /etc/openldap/ldap.conf
TLS_REQCERT never
TLS_REQCERT never tells libldap to accept any server certificate without checking it, so the connection is encrypted but the server is not authenticated: a man-in-the-middle presenting its own certificate is accepted. This is fine for the first test below; afterwards copy cacert.pem to the client, point TLS_CACERT at it and set TLS_REQCERT to demand, which also requires the CN from step (1) to match the hostname used.
(2) Search. -ZZ requests StartTLS on port 389 and makes ldapsearch fail instead of silently continuing in the clear if TLS cannot be established; -H ldaps:// uses port 636 from the start:
TLS (StartTLS): ldapsearch -x -ZZ -b "dc=osa,dc=com" -h linux.kirika.idv.tw
SSL (LDAPS): ldapsearch -x -b "dc=osa,dc=com" -H ldaps://linux.kirika.idv.tw
No encryption: ldapsearch -x -b "dc=osa,dc=com" -h linux.kirika.idv.tw
Linux:
For system accounts (nss_ldap/pam_ldap), run authconfig and check "Use TLS" in the LDAP options.
This writes ssl start_tls into /etc/ldap.conf (the nss_ldap/pam_ldap file, not /etc/openldap/ldap.conf).
To switch from StartTLS to LDAPS, change
ssl start_tls
to
ssl on
and make sure any explicit uri or port line then refers to port 636 rather than 389.