OpenLDAP SSL/TLS


OpenLDAP already supports SSL/TLS: slapd can serve the ldaps:// scheme on port 636, provided it is given a certificate and key.

I added a self-signed certificate and key to my etc/openldap/ config directory and added the required directives to the slapd.conf file:

# To allow TLS-enabled connections
TLSCertificateFile /usr/local/etc/openldap/www.MrZesty.net.crt
TLSCertificateKeyFile /usr/local/etc/openldap/www.MrZesty.net.key

The key file must be readable by the account slapd runs as (daemon, below) and by nobody else, since anyone who can read it can impersonate the server.

Start slapd with instructions to listen for ldaps: connections. The -h option takes one space-separated list of URLs, so the list has to be quoted as a single argument:

slapd -d1 -udaemon -h "ldaps:/// ldap://127.0.0.1/" &

(debug level 1 for testing, which also keeps slapd attached to the terminal, hence the &; run as the daemon user rather than root; listen for unencrypted ldap connections on localhost only and for SSL/TLS connections on all IPs.)

But now ldapsearch complains that my certificate is self-signed and therefore not valid...

# ldapsearch -d1 -H ldaps://localhost:636/
ldap_create
ldap_url_parse_ext(ldaps://localhost:636/)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject: /C=CA/ST=Ontario/L=Toronto/O=Mr Zesty dot Net/OU=Web Systems/CN=www.mrzesty.net, issuer: /C=CA/ST=Ontario/L=Toronto/O=Mr Zesty dot Net/OU=Web Systems/CN=www.mrzesty.net
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (81)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The client rejects the certificate because it cannot build a trust chain for it: subject and issuer are identical (err 18 is X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) and no CA the client trusts has signed it. The quickest way to make ldapsearch connect is to specify:

TLS_REQCERT allow

in the ldap.conf file, which lets the client proceed even when the server presents a certificate that cannot be verified. Be aware of what that buys: the connection is still encrypted, but anyone who can intercept it can present any certificate at all and the client will accept it, so the authentication half of TLS is gone. For a self-signed server certificate the better fix is to trust that exact certificate and leave verification on:

TLS_CACERT /usr/local/etc/openldap/www.MrZesty.net.crt
TLS_REQCERT demand

With that in place the client also has to be pointed at the name the certificate carries (ldaps://www.mrzesty.net/ rather than ldaps://localhost/), because libldap checks that the host name matches the certificate as well. ldap.conf is the configuration file of the libldap client library itself, so TLS_* settings made there are shared by every program built on it; a setting meant only for a test run can instead go in ~/.ldaprc or be passed through the LDAPTLS_REQCERT and LDAPTLS_CACERT environment variables. I don't know how this would impact something other than ldapsearch trying to connect.
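The following shell script is added here as a worked example; it is not part of the original page and not OpenLDAP's own code. It reproduces the failure above offline with the openssl command-line tool (assumed to be installed, version 1.1.0 or later for -verify_hostname) and shows why TLS_CACERT is the right fix: it generates a throwaway self-signed certificate (the host name ldap.example.test and the temporary directory are assumptions), verifies it against the system trust store the way libldap does by default, which fails with the self-signed error, then verifies it with the certificate itself as the trust anchor, which succeeds only when the expected host name also matches, and finally prints the matching ldap.conf lines.

```shell
#!/bin/sh
# Added example, not from the original page or from OpenLDAP.
# Assumes: the openssl CLI is installed; ldap.example.test is a made-up host name.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CERT="$WORK/ldap.example.test.crt"
KEY="$WORK/ldap.example.test.key"
HOST="ldap.example.test"

# Generate a self-signed certificate and key, like the one slapd is configured with above.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Example Org/CN=$HOST" \
        -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
    # The private key is only for the account that runs slapd.
    chmod 600 "$KEY"
}

# Show that subject and issuer are the same DN: the signature of a self-signed cert.
subject_issuer() {
    openssl x509 -in "$CERT" -noout -subject -issuer
}

# Prints "ok" or "fail": verify against the default trust store only, which is what
# libldap does with TLS_REQCERT demand (the default) and no TLS_CACERT. This fails
# with "self signed certificate" (error 18), the same error ldapsearch reported.
verify_untrusted() {
    if openssl verify "$CERT" 2>/dev/null | grep -q ': OK$'; then echo ok; else echo fail; fi
}

# Prints "ok" or "fail": verify with the self-signed cert as the trust anchor and a
# host name to match, the equivalent of TLS_CACERT pointing at the server's own
# certificate plus libldap's host-name check. Passing "localhost" fails even though
# the certificate is now trusted, because the name does not match the CN.
verify_as_host() {
    if openssl verify -CAfile "$CERT" -verify_hostname "$1" "$CERT" 2>/dev/null \
        | grep -q ': OK$'; then echo ok; else echo fail; fi
}

# The client configuration that makes verification succeed without weakening it.
client_conf() {
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$CERT"
}

make_selfsigned
subject_issuer
echo "default trust store:     $(verify_untrusted)"    # fail
echo "own cert as CA, $HOST: $(verify_as_host "$HOST")"  # ok
echo "own cert as CA, localhost: $(verify_as_host localhost)"  # fail
client_conf
```

The contrast between the last two checks is the point: TLS_REQCERT allow would make all three cases "connect", while TLS_CACERT keeps the client able to tell the real server from an impostor and from a misnamed one.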

Reference: http://www.openldap.org/doc/admin/tls.html

© Ian Samuel, 2012
http://braindump.MrZesty.net