My Stuff

Blog

What a struggle. Normally I post things like this in my Work directory, but I wanted people to be able to post comments, so I'm posting here. Consider it a constant work in progress, as I will continue to learn about ldap.

ldap running on port 389 can use tls or not. This is so you can do anonymous binds (as far as I can figure, there is no reason to require an encrypted connection to find out public information when not using a password). So what I want to figure out is if the ldap server can require tls for all queries that require a password. Presumably, we have already decided which ldap entries are private enough to require a password with slapd.conf ACLs.

rootdn can be used for initial setup, but best to setup a user in the database to be admin, and then get rid of rootdn.

Adding ssl start_tls to ldap.conf seems to disable anonymous binds.

test gnutls:

on server:

gnutls-serv --x509certfile /etc/ldap/certs/server.crt \
            --x509keyfile /etc/ldap/certs/server.key

on a client (needs gnutls-cli and cafile): gnutls-cli --x509cafile /etc/ssl/certs/ca-cert.crt

will give cert info:

openssl x509 -in /etc/ldap/certs/ldap.cert.pem -text -noout

test tls with ldap:

ldapsearch -x -ZZ -d 255

ldap error codes: http://www.zytrax.com/books/ldap/ch12/