date: 2007-07-13 12:21:42+00:00
'CentOS : secure OpenLDAP traffic with SSL'
categories: - Howto - LDAP - Linux - Red Hat/CentOS - Security
I'll consider you already have a database running. I'll only review how to set up the SSL certificate and key and what to change in the config files.
1. SSL cert and key
`# mkdir /etc/openldap/ssl && mkdir /etc/ssl
openssl req -new -x509 -nodes -out /etc/ssl/ldap-cert.pem -keyout /etc/openldap/ssl/ldap-key.pem -days 3650`
This would create a self-signed certificate valid for 10 years.
2. Configure LDAP
Under /etc/openldap/slapd.conf (server configuration) add (somewhere between include entries and database entries) :
Under /etc/openldap/ldap.conf (client configuration) add at the end of the file :
This defines the server to query when using tools from ldap-utils package
Restart OpenLDAP :
# service ldap restart
If you want to see the logs, see this link
Open port tcp/636 in your firewall
From the LDAP server type :
You should get some output. And obviously not "Can't connect to.."
Thanks to what we specified under /etc/ldap/ldap.conf we don't have to specify the host we want to query in the command.
5. Configure your LDAP client
Mozilla Thunderbird is great because it can store the self-signed certificates indefinitely. Outlook doesn't (of course).