"Filipe Brandenburger" <filbranden at gmail.com> wrote in message
news:e814db780908181007g454b680ar30aaaef7ab19a3b at mail.gmail.com...

> Hi,
>
> On Tue, Aug 18, 2009 at 12:50, Eric B.<ebenze at hotmail.com> wrote:
>> Any suggestions / ideas?
>
> I believe you have to copy the certificate to /etc/openldap/cacerts/
> in the LDAP client. The certificate file name there is special, it
> should be hashed from the certificate data... I believe the easiest
> way to install it there is using the "authconfig" command and
> specifying the certificate URL.
>
> You should also have TLS_CACERTDIR /etc/openldap/cacerts on
> /etc/openldap/ldap.conf (not only /etc/ldap.conf, they are different!)
>
> I also did not have much luck with self-signed certificates with LDAP,
> I had to create a self-signed certificate for a "dummy" CA, and then
> use that certificate to sign a certificate for the LDAP server with
> the server's name as a cn.
>
> I believe you should be able to test it using "ldapsearch" with the
> "-Z" and "-ZZ" options in order to require TLS and see if that works.
> I suggest you first get that part working fine before going on with
> your libuser configuration...
>
> LDAP with TLS is kind of a pain to set up... but once it is running it
> really works OK.

Thanks. You're a genius. I struggled a lot, but I think I finally managed
to get something working. I tried to follow the openldap faq at
http://www.openldap.org/faq/data/cache/185.html for creating CA
certificates, but my shell script is called CA not CA.sh.
I've done the following:

  # cd /etc/pki/tls/misc/
  # ./CA -newca
    (filled in all prompted information, and gave it a pwd)
  # openssl req -new -nodes -keyout newreq.pem -out newreq.pem
    (filled in all prompted information)
  # CA.sh -sign
  # cp /etc/pki/CA/cacert.pem /etc/openssl/cacerts/
  # cp newcert.pem /etc/openssl/ssl/servercrt.pem
  # cp newreq.pem /etc/openssl/ssl/serverkey.pem

Then updated my slapd.conf to show:

  TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
  TLSCertificateFile /etc/openldap/ssl/servercrt.pem
  TLSCertificateKeyFile /etc/openldap/ssl/serverkey.pem

Then updated /etc/ldap.conf to show:

  tls_cacert /etc/openldap/cacerts/cacert.pem

Finally /etc/openssl/ldap.conf:

  TLS_CACERT /etc/openldap/cacerts/cacert.pem

Restart the slapd daemon:

  # service ldap restart

And I can finally get ldapsearch to work. Although I tried tls_cacertdir
for both /etc/ldap.conf and /etc/openldap/ldap.conf and it doesn't work
for some odd reason. Not sure why.

  # ldapsearch -Z -x "(uid=eric)"
  <returns the ldif entry for uid=eric>

So next test was to create a new user. luseradd foo works perfect. I find
it in my ldap tree as expected. All I had to do is modify the
create_modules and modules to specify ldap only (to avoid it modifying
the passwd and shadow files), and everything seems to be working.

Thanks for your help!

Eric
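As an added illustration of the procedure discussed in this thread (not code posted by either participant), the script below builds the "dummy" CA Filipe describes, issues a server certificate whose CN is the LDAP server's name, and installs the CA certificate under the subject-hash file name that TLS_CACERTDIR lookups require; the hostname, the output directory and the validity periods are assumptions, and the key sizes are chosen for the example.

```shell
#!/bin/sh
# Constructed example: dummy CA + LDAP server cert + hashed CA install.
# In real use $outdir/cacerts would be /etc/openldap/cacerts.
set -eu

make_ldap_tls_certs() {
    host="$1"      # name clients connect to; must match the cert's CN
    outdir="$2"    # scratch directory (assumed); created if missing
    mkdir -p "$outdir/cacerts"
    # 1. self-signed "dummy" CA, valid ten years
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Dummy LDAP CA" \
        -keyout "$outdir/cakey.pem" -out "$outdir/cacert.pem" 2>/dev/null
    # 2. server key and CSR with CN = server hostname
    #    (current clients also check subjectAltName; add one for them)
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$outdir/serverkey.pem" -out "$outdir/server.csr" 2>/dev/null
    # 3. sign the CSR with the dummy CA
    openssl x509 -req -days 365 -in "$outdir/server.csr" \
        -CA "$outdir/cacert.pem" -CAkey "$outdir/cakey.pem" -CAcreateserial \
        -out "$outdir/servercrt.pem" 2>/dev/null
    # 4. a plain copy in the cacerts directory is NOT enough for
    #    TLS_CACERTDIR: the lookup is by subject hash, so link it as <hash>.0
    hash=$(openssl x509 -noout -subject_hash -in "$outdir/cacert.pem")
    cp "$outdir/cacert.pem" "$outdir/cacerts/cacert.pem"
    ln -sf cacert.pem "$outdir/cacerts/$hash.0"
}

# Returns 0 when the server cert chains to the CA directory (same lookup
# the LDAP client performs) and its CN names the expected host.
verify_ldap_tls_certs() {
    host="$1"; outdir="$2"
    openssl verify -CApath "$outdir/cacerts" "$outdir/servercrt.pem" \
        >/dev/null 2>&1 || return 1
    openssl x509 -noout -subject -in "$outdir/servercrt.pem" \
        | grep -q "CN *= *$host"
}

# usage: make_ldap_tls_certs ldap.example.test ./ldap-tls
#        verify_ldap_tls_certs ldap.example.test ./ldap-tls && echo OK
```

After installing the files, `ldapsearch -ZZ -x ...` is still the end-to-end check, since it exercises the client's own TLS_CACERT/TLS_CACERTDIR handling rather than openssl's.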