Mystery solved.
In 1-5, I wrote:
> You don't need to have 'tls_cacertfile' line. System will find CA certificate by itself as long as you put it in standard certificate folder (/etc/ssl/certs/).
That's a lie. I learned that for a CA certificate file to be automatically found, not only must it reside in the standard folder, but it also has to be named based on its hash value.
Our CA certificate file name is not. Nobody can find it, unless we tell them where it is, in one way or another.
This is the software we used and how each piece finds where the CA certificate is.
OpenLDAP utility client (ldapsearch, ldapmodify, ...)
-> libldap
-> 'TLS_CACERT' line in /etc/ldap/ldap.conf
libnss_ldap
-> 'tls_cacertfile' line in /etc/ldap.conf
-> libldap
-> 'TLS_CACERT' line in /etc/ldap/ldap.conf
smbd
-> libldap
-> 'TLS_CACERT' line in /etc/ldap/ldap.conf
smbldap-tools
-> 'cafile' line in /etc/smbldap-tools/smbldap.conf
-> Net::LDAP
The server machine I configured did not need the 'tls_cacertfile' line in /etc/ldap.conf, because I had the 'TLS_CACERT' line in /etc/ldap/ldap.conf. But on a client machine where I didn't, libnss_ldap could not find the CA certificate until I put the 'tls_cacertfile' line in /etc/ldap.conf.
Apparently, one way (probably a better way) to do this is to use the 'update-ca-certificates' command and have a hash-based CA certificate file name under /etc/ssl/certs/. But I feel describing all that may go beyond our purpose of a simple OpenLDAP + TLS configuration.
So I'm going to stick with '/etc/ssl/certs/cacert.pem', and put this path in /etc/ldap/ldap.conf, regardless of whether it's a server machine or a client. Also, 'TLS_REQCERT demand' seems a good addition to make sure clients establish an encrypted communication (although OpenLDAP utility client programs ignore it).
I revise my previous report in the following 2 sections.
In 1-4.
--- old lines ---
> Edit a line in /etc/ldap/ldap.conf. (GnuTLS needs it?)
>
> TLS_CACERT /etc/ssl/certs/cacert.pem
--- replaced with ---
Edit /etc/ldap/ldap.conf and have these two lines.
TLS_REQCERT demand
TLS_CACERT /etc/ssl/certs/cacert.pem
--- end ---
In 1-5.
--- old lines ---
Then add a line:
ssl start_tls
You don't need to have 'tls_cacertfile' line. System will find CA certificate by itself as long as you put it in standard certificate folder (/etc/ssl/certs/).
--- replaced with ---
Then add a line:
ssl start_tls
- Edit /etc/ldap/ldap.conf and have these two lines, if you haven't done so yet.
TLS_REQCERT demand
TLS_CACERT /etc/ssl/certs/cacert.pem
--- end ---
This should be sufficient.
Chao.
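An added example, not part of the original post, that shows the hash-naming rule the post ran into with the openssl CLI: a CA file copied under an arbitrary name (like cacert.pem) is not found by a certificate-directory lookup, while a `<subject-hash>.0` link to it is, which is the layout update-ca-certificates or c_rehash produce. It assumes the openssl command is installed; the self-signed test CA, names and paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post. Demonstrates why a CA file
# dropped under /etc/ssl/certs/ is only found "by itself" when its name is the
# subject hash, and how to create that hash-named link by hand.
# Assumes the openssl CLI is available; the CA, names and paths are constructed.
set -e

# Subject-name hash that OpenSSL uses to look a CA up in a -CApath directory.
ca_hash() {
    openssl x509 -noout -subject_hash -in "$1"
}

# Link a CA file into a certificate directory under its hash name, <hash>.0
# (or .1, .2, ... when that hash is already taken). Prints the link created.
install_ca_link() {
    cert="$1"; dir="$2"
    h=$(ca_hash "$cert")
    n=0
    while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
    ln -s "$cert" "$dir/$h.$n"
    echo "$dir/$h.$n"
}

# Succeeds only if the directory alone lets openssl verify the certificate,
# i.e. a TLS client pointed just at that directory would trust the CA.
ca_found_in_dir() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Walk-through with a throwaway self-signed CA (constructed, not a real one).
demo() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$tmp/cakey.pem" -out "$tmp/cacert.pem" >/dev/null 2>&1
    mkdir "$tmp/certs"
    cp "$tmp/cacert.pem" "$tmp/certs/cacert.pem"   # arbitrary name, as in the post
    if ca_found_in_dir "$tmp/cacert.pem" "$tmp/certs"; then
        echo "found by name alone (unexpected)"
    else
        echo "cacert.pem not found: the directory lookup wants <hash>.0"
    fi
    link=$(install_ca_link "$tmp/certs/cacert.pem" "$tmp/certs")
    echo "created $link"
    if ca_found_in_dir "$tmp/cacert.pem" "$tmp/certs"; then
        echo "found via the hash-named link"
    fi
    rm -rf "$tmp"
}
```

Source the file and run `demo` to see both lookups; the same check against /etc/ssl/certs tells you whether a client given only the directory (no TLS_CACERT or tls_cacertfile line) would find your CA.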