hi guys
I configured my OpenLDAP but now I want to implement SSL/TLS.
This is my basic slapd.conf configuration:
Code:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database bdb
suffix "dc=training,dc=com"
rootdn "cn=manager,dc=training,dc=com"
rootpw --Removed--
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
access to attrs=userPassword,shadowLastChange
    by self write
    by anonymous auth
    by dn="cn=manager,dc=training,dc=com" write
    by * none
access to *
    by self write
    by dn="cn=manager,dc=training,dc=com" write
    by * read
And I created this script (simple, I know) to set up this TLS/SSL config, but it won't work: users cannot log in.
The path where I am moving the certs is /etc/openldap/cacerts.
Code:
service ldap stop
cd /etc/openldap/
openssl genrsa -out server_key.pem 2048
chmod 440 server_key.pem
chown root.ldap server_key.pem
openssl req -new -key server_key.pem -x509 -days 3650 -out clients_cert.pem
chmod 444 clients_cert.pem
mv server_key.pem cacerts/
mv clients_cert.pem cacerts/
echo "TLSCertificateFile /.../clients_cert.pem" >> /.../slapd.conf
echo "TLSCertificateKeyFile /.../server_key.pem" >> /.../slapd.conf
echo "TLSCipherSuite HIGH" >> /...p/slapd.conf
echo "security ssf=128" >> /.../slapd.conf
service ldap start
echo "Copying Files to LDAP Client Centos2"
rsync -av ./cacerts/clients_cert.pem centos2:/.../cacerts
As you see, I create the key and certificate, assign permissions, add stuff to slapd.conf and finally copy the cert to a client PC.
On the client side I use authconfig-tui:
[x] Use LDAP
[x] Use LDAP Authentication
[x] Use TLS
Server: ldap://192.168.x.x
Base DN: dc=training,dc=com/
My environment is CentOS 5.5.
What is wrong with my config?
Any idea? Something I am missing?
Thanks a lot.
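As an added example (written here as an editorial illustration, not the original poster's script and not a reply from the thread): a portable POSIX sh version of the same server-side procedure that keeps the pieces a client needs to verify the server. It gives the self-signed certificate a subjectAltName covering both the host name and the IP address (the client above connects to `ldap://192.168.x.x`, so a certificate that only names a hostname cannot be validated for that address), locks the private key down so only root and slapd's group can read it, sets `TLSCACertificateFile` so slapd serves a chain the client can check, and writes absolute paths into slapd.conf. The certificate directory, config path, host name and IP address are placeholder assumptions; the live-system step only runs when invoked with `--apply`.

```shell
#!/bin/sh
# Added example, not the original poster's script. Builds a self-signed
# certificate for slapd whose subject and subjectAltName cover BOTH the host
# name and the IP address clients will use, locks down the private key, and
# appends absolute-path TLS directives to slapd.conf.
# All paths, the host name and the IP below are placeholder assumptions.

CERT_DIR="${CERT_DIR:-/etc/openldap/cacerts}"         # assumed location
SLAPD_CONF="${SLAPD_CONF:-/etc/openldap/slapd.conf}"  # assumed location
LDAP_HOST="${LDAP_HOST:-ldap1.training.com}"           # placeholder host name
LDAP_IP="${LDAP_IP:-192.168.1.10}"                     # placeholder address

# Render the slapd.conf TLS block. Absolute paths, and the self-signed cert
# doubles as the CA file so slapd hands clients a chain they can verify.
tls_directives() {
    dir="$1"
    printf 'TLSCACertificateFile %s/server_cert.pem\n' "$dir"
    printf 'TLSCertificateFile %s/server_cert.pem\n' "$dir"
    printf 'TLSCertificateKeyFile %s/server_key.pem\n' "$dir"
    printf 'TLSCipherSuite HIGH\n'
    printf 'security ssf=128\n'
}

# Append the block once; re-running the script must not duplicate it.
install_directives() {
    conf="$1"; dir="$2"
    if grep -q '^TLSCertificateFile' "$conf" 2>/dev/null; then
        return 0
    fi
    tls_directives "$dir" >> "$conf"
}

# Key + self-signed certificate in one step. The SAN is supplied through a
# config file rather than -addext so the same command works on old OpenSSL
# releases such as the one shipped with CentOS 5.
make_cert() {
    dir="$1"; host="$2"; ip="$3"
    mkdir -p "$dir"
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host,IP:$ip
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -config "$dir/san.cnf" \
        -keyout "$dir/server_key.pem" -out "$dir/server_cert.pem" 2>/dev/null
    chmod 440 "$dir/server_key.pem"    # owner and slapd's group only
    chmod 444 "$dir/server_cert.pem"   # public; clients get a copy anyway
}

# Does the certificate name what clients will type into their server field?
cert_covers_name() {
    cert="$1"; name="$2"
    openssl x509 -in "$cert" -noout -text | grep -q "$name"
}

# The private key must not be readable by "other" (ls -l columns 8-10).
key_not_world_readable() {
    others=$(ls -ld "$1" | cut -c8-10)
    [ "$others" = "---" ]
}

# Apply to the live system only when invoked as: sh this.sh --apply
main() {
    make_cert "$CERT_DIR" "$LDAP_HOST" "$LDAP_IP"
    chown root:ldap "$CERT_DIR/server_key.pem"
    cert_covers_name "$CERT_DIR/server_cert.pem" "$LDAP_IP" || {
        echo "certificate does not name $LDAP_IP" >&2; exit 1; }
    key_not_world_readable "$CERT_DIR/server_key.pem" || {
        echo "private key is world-readable" >&2; exit 1; }
    install_directives "$SLAPD_CONF" "$CERT_DIR"
    echo "copy $CERT_DIR/server_cert.pem to each client and point its"
    echo "TLS_CACERT (ldap.conf) / tls_cacertfile (nss_ldap) at that copy"
}
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

The two checks at the end of `main` are the ones worth keeping around after the one-off setup: a certificate that does not name the address the client uses, or a server certificate the client has never been told to trust, both produce a TLS failure that shows up to the user as "cannot log in" rather than as a certificate error. The client side still needs the copied `server_cert.pem` referenced as its CA file (`TLS_CACERT` in the OpenLDAP client ldap.conf, `tls_cacertfile` in the nss_ldap/pam_ldap configuration) before `[x] Use TLS` can succeed against a self-signed server.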