Enabling Secure LDAP (SSL/TLS) and certificate verification in OpenLDAP
- Obtain a certificate whose Common Name (CN) is the server name your LDAP clients will use to connect (current clients also check the subjectAltName, so put the host name there as well); a name mismatch makes verifying clients refuse the connection.
Upon completion you will have a private-key file (host.key) and a public-key (certificate) file (host.cert). Rename the files as needed, or adjust the paths in the next step.
- Edit your slapd.conf, adding these lines (TLSCipherSuite takes an OpenSSL cipher string; on a current OpenSSL, HIGH alone is sufficient and drops the weaker MEDIUM ciphers):
TLSCipherSuite HIGH:MEDIUM
TLSCertificateFile /etc/openldap/certs/host.cert
TLSCertificateKeyFile /etc/openldap/certs/host.key
- Create your /etc/openldap/certs folder and put the files there. Make the private key readable only by the user slapd runs as (mode 0600); the certificate can stay world-readable.
mkdir /etc/openldap/certs
cp host.key host.cert /etc/openldap/certs/
- You may also want to use a CA certificate for verifying your clients: TLSCACertificateFile names the CA(s) slapd trusts when it checks a client certificate, and it is also used to complete the chain for the server's own certificate if that was issued by an intermediate CA. You may download the Credentia CA certificate from here. Other CA certificates (VeriSign, Thawte, Geotrust etc.) can simply be exported from Internet Explorer (Windows) or Netscape/Mozilla (Unix/Linux).
cp credentia1.cacert /etc/openldap/certs/cacert.pem
Edit your slapd.conf file, adding these lines
TLSCACertificateFile /etc/openldap/certs/cacert.pem
TLSVerifyClient allow
Note what "allow" means: slapd asks the client for a certificate, but a client that sends none, or one that fails to verify, is still accepted, so this setting enforces nothing on its own. Use "try" to reject bad certificates while still admitting clients that present none, or "demand" to require a certificate that chains to the CA above.
- Now restart OpenLDAP and you're done.
NOTE: To listen on the LDAPS port (636) you will need to pass something like -H ldaps://12.34.56.78/ (or ldaps:/// for all interfaces; add ldap:/// as well if clients will use StartTLS on port 389) in your slapd startup options. Where this goes depends on your operating system, typically a variable in a file under /etc/default or /etc/sysconfig. See the Paranoid Penguin article for more details.
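The procedure above as one complete script, added here as an example and not taken from this page or from the OpenLDAP project: it generates the key pair with the server name in both CN and subjectAltName, installs it with the private key readable by its owner only, and prints the slapd.conf TLS block and a matching client-side ldap.conf that actually enforces verification. The host name ldap.example.com, the directory argument, the user name ldap and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: generate a server key pair, install
# it with the private key kept out of other users' hands, and emit the slapd.conf
# TLS block. Assumptions (hypothetical): the server name is ldap.example.com, the
# certificate directory is passed as $1, and slapd runs as user "ldap" (the chown
# is attempted only when running as root).
set -eu

# Generate a private key and a self-signed certificate whose CN and subjectAltName
# both carry the name clients will connect to. Self-signed is fine for a lab; for
# production, send a CSR to your CA and install the CA-signed certificate instead.
# -addext needs OpenSSL 1.1.1 or newer.
gen_server_cert() {
    dir=$1; host=$2
    mkdir -p "$dir"
    old_umask=$(umask)
    umask 077                      # key file is created owner-only from the start
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/host.key" -out "$dir/host.cert" 2>/dev/null
    umask "$old_umask"
    chmod 0644 "$dir/host.cert"    # the certificate is public; the key stays 0600
    if [ "$(id -u)" -eq 0 ]; then
        chown ldap "$dir/host.key" "$dir/host.cert" 2>/dev/null || true
    fi
}

# Returns 0 when the key file is readable by its owner only (no group/other bits).
key_perms_ok() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Emit the slapd.conf TLS directives. TLSVerifyClient values: never (no client
# cert requested), allow (requested, but a missing or bad cert is silently
# accepted), try (missing is OK, a bad cert ends the session), demand (a valid
# CA-signed client cert is required).
slapd_tls_block() {
    dir=$1; verify_mode=$2
    cat <<EOF
TLSCipherSuite HIGH
TLSCertificateFile $dir/host.cert
TLSCertificateKeyFile $dir/host.key
TLSCACertificateFile $dir/cacert.pem
TLSVerifyClient $verify_mode
EOF
}

# Client side: TLS_REQCERT demand makes ldapsearch refuse a server whose
# certificate does not chain to the CA in TLS_CACERT, which is the half of
# "certificate verification" that protects the client from an impostor server.
client_ldap_conf() {
    cat <<EOF
TLS_CACERT $1/cacert.pem
TLS_REQCERT demand
EOF
}

# Usage on the server (run as root); uncomment to execute:
# gen_server_cert /etc/openldap/certs ldap.example.com
# key_perms_ok /etc/openldap/certs/host.key && echo "key permissions OK"
# slapd_tls_block /etc/openldap/certs demand >> /etc/openldap/slapd.conf
# client_ldap_conf /etc/openldap/certs >> /etc/openldap/ldap.conf
```

After restarting slapd, confirm the listener with `openssl s_client -connect ldap.example.com:636 -CAfile /etc/openldap/certs/cacert.pem </dev/null`, which should end with "Verify return code: 0 (ok)", and with `ldapsearch -x -H ldaps://ldap.example.com/ -b '' -s base`, which under TLS_REQCERT demand fails loudly instead of silently connecting when the name or chain does not match. For a self-signed certificate, point -CAfile and TLS_CACERT at host.cert itself.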
See Also
Paranoid Penguin: Authenticate with LDAP - Linux Journal article
OpenLDAP 2.2 Administrator's Guide: Using TLS
LDAP Linux HOWTO