
6  Secure connections: use TLS

If you want to use TLS, you have to create a certificate for each server. Certificates can be self-signed, but when OpenLDAP is configured to require a client certificate (TLSVerifyClient demand in slapd.conf), every client certificate must chain to a CA the server trusts, so the simplest arrangement is to have all certificates signed by the same certificate authority (CA).

The next paragraphs illustrate the few steps needed to set up an example CA and to create a server certificate signed by it. Refer to the appropriate documentation for more information (for example http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html).

You may also want to take a look at IDX-PKI for installing the real thing. See http://www.idealx.com/solutions/idxpki/ for more information.

Remember one important thing: a certificate carries its common name embedded in it. Every time you connect to the server in secure mode, you must contact it using that name (and not its IP address, unless you set the common name to the IP address); otherwise the client's host-name check fails and the connection is refused.

6.1  Certificate creation

For this example, we'll create a CA. Next, we'll create a certificate for the server ldap.idealx.com, signed by that CA.
  1. create the CA key and certificate
  2. create the key and certificate for the ldap.idealx.com server, signed by the CA
  3. you then have the three files needed to configure the server properly: the CA certificate, the server certificate and the server key.
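The three steps above, carried out with the openssl command-line tool, as an added example (this is not the HOWTO's own script and not part of smbldap-tools). It also issues the client certificate with common name smbldap-tools that the next section asks for. The CA subject, the output directory, the key sizes and the validity periods are assumptions; the subjectAltName extension is added to the server certificate because current TLS clients match the host name against it rather than against the common name.

```shell
#!/bin/sh
# Added example, not code from the original HOWTO or from smbldap-tools:
# a one-file CA built with the openssl command-line tool, issuing the server
# certificate for ldap.idealx.com and the client certificate (common name
# "smbldap-tools") used by the smbldap-tools scripts.  The CA subject, the
# output directory, key sizes and validity periods are assumptions.
set -e

# make_ca DIR: step 1, the CA key and its self-signed certificate.
make_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=IDEALX example CA/CN=IDEALX example CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    chmod 600 "$1/ca.key"      # the CA key signs everything: keep it private
}

# issue_cert DIR NAME CN [DNSNAME]: step 2, a key plus a CSR for CN, signed by
# the CA in DIR.  With DNSNAME the result is a server certificate that also
# carries a subjectAltName (what current TLS clients match the host name
# against); without it, it is a client certificate (clientAuth usage).
issue_cert() {
    dir=$1; name=$2; cn=$3; dns=$4
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=IDEALX example/CN=$cn" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    chmod 600 "$dir/$name.key"
    # extensions file read by the signing step (default section, no header)
    if [ -n "$dns" ]; then
        printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$dns" \
            > "$dir/$name.ext"
    else
        printf 'extendedKeyUsage=clientAuth\n' > "$dir/$name.ext"
    fi
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
    rm -f "$dir/$name.csr" "$dir/$name.ext"
}

# verify_cert CAFILE CERTFILE: exit status 0 only if CERTFILE chains to CAFILE.
# A certificate that fails here will be rejected by slapd or by the clients
# just the same, so check before copying anything into /etc.
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_cn CERTFILE: print the common name embedded in the certificate; this is
# the name clients must use to reach the server.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# Usage: after these calls ./pki holds the three files slapd needs (ca.crt,
# ldap.idealx.com.crt, ldap.idealx.com.key) and the client pair
# (smbldap-tools.crt, smbldap-tools.key) for the smbldap-tools scripts.
#   make_ca ./pki
#   issue_cert ./pki ldap.idealx.com ldap.idealx.com ldap.idealx.com
#   issue_cert ./pki smbldap-tools smbldap-tools
#   verify_cert ./pki/ca.crt ./pki/ldap.idealx.com.crt && echo "server cert OK"
```

Run it as root in a directory that is not world-readable, then copy ca.crt and the server pair to the slapd host, and ca.crt plus the smbldap-tools pair to wherever the scripts run. Running verify_cert before copying catches a certificate signed by the wrong CA, which is the most common reason a server configured with TLSVerifyClient demand rejects a client.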

6.2  The smbldap-tools scripts

The smbldap-tools scripts connect to the directory over TLS, so they need a client certificate of their own: create one with smbldap-tools as its common name.
Update the configuration file /etc/smbldap-tools/smbldap.conf :
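As an added example (not the HOWTO's own snippet), the TLS-related part of smbldap.conf using the parameter names of smbldap-tools 0.9; the file locations under /etc/smbldap-tools/ are assumptions:

```conf
# Added example for /etc/smbldap-tools/smbldap.conf (smbldap-tools 0.9.x
# parameter names); the file paths are assumptions.

# Name the directory servers as in their certificates.  Do not use
# 127.0.0.1 here: the TLS host-name check compares this value with the
# certificate's common name.
slaveLDAP="ldap.idealx.com"
slavePort="389"
masterLDAP="ldap.idealx.com"
masterPort="389"

# ldapTLS="1" negotiates StartTLS on the plain LDAP port above.
ldapTLS="1"

# "require": refuse a server whose certificate does not chain to cafile.
# "none" disables the check and lets a man-in-the-middle read the bind
# password; "optional" only checks a certificate if the server sends one.
verify="require"
cafile="/etc/smbldap-tools/ca.crt"

# Client certificate and key presented to slapd (mandatory when slapd uses
# TLSVerifyClient demand).  Keep the key readable by root only, like
# smbldap_bind.conf.
clientcert="/etc/smbldap-tools/smbldap-tools.crt"
clientkey="/etc/smbldap-tools/smbldap-tools.key"
```

A quick check that the settings are right is to run one of the scripts that only reads the directory (for example smbldap-usershow for an existing account) and watch slapd's log for a TLS-established line; a host-name mismatch or an unknown CA shows up there as a failed TLS negotiation before any bind.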

6.3  OpenLDAP

Create a certificate for the OpenLDAP server with common name ldap.idealx.com, the name clients will use to reach it.
Update the configuration file /etc/openldap/slapd.conf and set:

You can also require a valid certificate from every incoming TLS session (TLSVerifyClient demand):
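The two slapd.conf fragments referred to above, written out as an added example (not the HOWTO's snippet); the directory /etc/openldap/ssl is an assumption:

```conf
# Added example for /etc/openldap/slapd.conf; /etc/openldap/ssl is assumed.
# The three files produced in 6.1: CA certificate, server certificate, key.
# The key must be readable by the user slapd runs as, and by nobody else.
TLSCACertificateFile  /etc/openldap/ssl/ca.crt
TLSCertificateFile    /etc/openldap/ssl/ldap.idealx.com.crt
TLSCertificateKeyFile /etc/openldap/ssl/ldap.idealx.com.key

# Client certificate policy:
#   never  - (default) do not ask the client for a certificate
#   allow  - ask, but ignore a missing or invalid one
#   try    - ask, reject an invalid one, accept a missing one
#   demand - every TLS client must present a certificate that chains to
#            TLSCACertificateFile, otherwise the session is refused
TLSVerifyClient demand

# Refuse operations on unprotected connections (StartTLS yields an SSF equal
# to the cipher's key length), so a client that forgets to start TLS cannot
# send its bind password in clear.  ldapi:// connections are rated with
# localSSF instead, so raise that if you rely on them.
security ssf=128
```

After restarting slapd, test it from the server itself with the OpenLDAP client (ldapsearch -x -ZZ -H ldap://ldap.idealx.com -b '' -s base): -ZZ makes the search fail rather than fall back to clear text when StartTLS cannot be negotiated, and the client validates the server certificate against the TLS_CACERT set in /etc/openldap/ldap.conf, so a failure here is a certificate or name problem, not a directory problem.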

6.4  Samba

Simply add one line to the configuration file /etc/samba/smb.conf :
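As an added example (not the HOWTO's snippet), the line in question in the [global] section of smb.conf, together with the passdb backend line it applies to; the backend URL is an assumption:

```ini
; Added example for the [global] section of /etc/samba/smb.conf;
; the passdb backend URL is an assumption.
[global]
    ; name the server by its certificate's common name, not by IP address
    passdb backend = ldapsam:ldap://ldap.idealx.com
    ; negotiate StartTLS on port 389 before binding (Samba 3 syntax)
    ldap ssl = start tls
```

Samba talks to the directory through the OpenLDAP client library, so the CA used to validate the server certificate comes from TLS_CACERT in /etc/openldap/ldap.conf, not from smb.conf; with the library's default TLS_REQCERT demand an unknown CA makes the bind fail. Note also that the library's TLS_CERT and TLS_KEY options, which Samba would need in order to satisfy TLSVerifyClient demand, are user-only options read from the ldaprc of the account Samba runs as, which is why allow or try on the slapd side is the easier choice when Samba is a client.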

6.5  The Linux operating system

Check that /etc/ldap.conf contains the following information:

Be careful with the host directive: it must be exactly the name given to the OpenLDAP server certificate (its common name), and that name must resolve, through DNS or /etc/hosts, to the server.
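As an added example (not the HOWTO's snippet), an /etc/ldap.conf for nss_ldap and pam_ldap that matches the server set up above; the base DN and the file paths are assumptions:

```conf
# Added example for /etc/ldap.conf (nss_ldap / pam_ldap); the base DN and
# the file paths are assumptions.

# host must be the exact name in the server certificate and must resolve
host ldap.idealx.com
base dc=idealx,dc=com

# StartTLS on port 389 ("ssl on" would instead expect ldaps on port 636)
ssl start_tls

# Validate the server certificate against our CA.  "tls_checkpeer no"
# accepts any certificate, which makes the encryption worthless against an
# attacker on the network path.
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ca.crt

# Client certificate, needed only when slapd runs with TLSVerifyClient demand
tls_cert /etc/ssl/certs/workstation.crt
tls_key  /etc/ssl/private/workstation.key
```

One caveat with the last two lines: nss_ldap runs inside every process that resolves a user or group, including unprivileged ones, so with TLSVerifyClient demand the client key would have to be readable by all users. Either run lookups through nscd, which owns the key and talks to the directory on behalf of other processes, or keep demand for the smbldap-tools and Samba side and use try or allow for workstations.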

