OpenLDAP
Articles
View cn=config
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
Apply settings from an LDIF file
ldapmodify -QY EXTERNAL -H ldapi:/// -f tls-config.ldif
Enable SSL/TLS
I followed this tutorial to generate the certificate files and configure them, but the connection kept failing. So I started slapd in debug mode with the following command:
/usr/sbin/slapd -d 1 -h "ldap:/// ldapi:/// ldaps:///" -g openldap -u openldap -F /etc/ldap/slapd.d
The following error messages appeared:
56f10002 slap_listener_activate(10):
56f10002 >>> slap_listener(ldaps://)
56f10002 connection_get(19): got connid=1001
56f10002 connection_read(19): checking for input on id=1001
TLS: can't accept: Could not negotiate a supported cipher suite..
56f10002 connection_read(19): TLS accept failure error=-1 id=1001, closing
56f10002 connection_close: conn=1001 sd=19
In the end, what worked for slapd on Ubuntu 14.04 was to follow this tutorial and import the certificate file settings into cn=config with the following LDIF:
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/rootca.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/ldap.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.key
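The following POSIX shell script is an added example, not part of the original page or of the OpenLDAP project. It generates the same cn=config TLS LDIF as above from three path parameters, pre-checks that the referenced files exist and are readable by the user slapd runs as (the page starts slapd with -u openldap), warns if the private key is world-readable, and offers an optional post-restart check of the ldaps listener with openssl s_client. The function names, the `run` argument and the hostname default are assumptions of this example; the file paths default to the ones used on this page.

```shell
#!/bin/sh
# Added example (not the page's or OpenLDAP's own code): build and pre-check
# the cn=config TLS settings before applying them with ldapmodify.

# Emit the LDIF that adds the three olcTLS* attributes to cn=config.
# Arguments: CA certificate, server certificate, server private key.
# "changetype: modify" is spelled out explicitly; ldapmodify assumes it
# when the record carries no changetype, so the page's LDIF omits it.
make_tls_ldif() {
    ca="$1"; crt="$2"; key="$3"
    printf 'dn: cn=config\n'
    printf 'changetype: modify\n'
    printf 'add: olcTLSCACertificateFile\n'
    printf 'olcTLSCACertificateFile: %s\n-\n' "$ca"
    printf 'add: olcTLSCertificateFile\n'
    printf 'olcTLSCertificateFile: %s\n-\n' "$crt"
    printf 'add: olcTLSCertificateKeyFile\n'
    printf 'olcTLSCertificateKeyFile: %s\n' "$key"
}

# Return 0 only if every given file exists and is readable by the caller.
# Run this as the slapd service user (sudo -u openldap) to get a meaningful
# answer: slapd cannot load a key that only root can read.
check_tls_files() {
    rc=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "missing or unreadable: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# Warn if the private key is readable by "others" (mode bit 0004).
# Returns 0 when the key is private, 1 when it is world-readable.
check_key_private() {
    key="$1"
    if [ -n "$(find "$key" -perm -004 2>/dev/null)" ]; then
        echo "warning: $key is world-readable" >&2
        return 1
    fi
    return 0
}

# After restarting slapd, confirm the ldaps listener presents a certificate
# that chains to the CA. Needs openssl; host defaults to localhost (assumption).
verify_ldaps() {
    host="${1:-localhost}"; ca="$2"
    openssl s_client -connect "$host:636" -CAfile "$ca" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Usage: ./tls-check.sh run [ca] [crt] [key]  (writes tls-config.ldif)
if [ "${1:-}" = "run" ]; then
    ca="${2:-/etc/ldap/ssl/rootca.crt}"
    crt="${3:-/etc/ldap/ssl/ldap.crt}"
    key="${4:-/etc/ldap/ssl/ldap.key}"
    check_tls_files "$ca" "$crt" "$key" || exit 1
    check_key_private "$key"
    make_tls_ldif "$ca" "$crt" "$key" > tls-config.ldif
    echo "wrote tls-config.ldif; apply with:"
    echo "  ldapmodify -QY EXTERNAL -H ldapi:/// -f tls-config.ldif"
fi
```

On Ubuntu the slapd package is linked against GnuTLS, which reports "Could not negotiate a supported cipher suite" when the server has no usable certificate and key loaded, so a wrong path or a key file the openldap user cannot read produces exactly the failure shown in the debug output above. Run the pre-check as that user (`sudo -u openldap sh tls-check.sh run`), apply the LDIF, restart slapd, and then call `verify_ldaps` against the CA file to confirm the listener is serving the expected chain.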
Batch script for generating the certificate files.