Use LDAP over TLS so that the connection between client and server is encrypted.
[2] Configure LDAP server
[root@dir ~]#
cp /etc/pki/tls/certs/server.* /etc/openldap/cacerts/
[root@dir ~]#
chown ldap. /etc/openldap/cacerts/*
# the private key (server.key) should be readable only by the ldap user (e.g. mode 600), not world-readable
[root@dir ~]#
ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# input like follows
dn: cn=config
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/cacerts/server.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/cacerts/server.key
# press Ctrl+D to finish the input
[root@dir ~]#
vi /etc/sysconfig/ldap
# line 20: change
SLAPD_LDAPS=yes
/etc/rc.d/init.d/slapd restart
Stopping slapd:
[ OK ]
Starting slapd:
[ OK ]
[3] Configure on Client
[root@www ~]#
vi /etc/openldap/ldap.conf
# add at the last line
URI ldaps://10.0.0.100/
BASE dc=server,dc=world
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
# "allow" accepts the server certificate even when it cannot be verified, so the client does not check the server's identity; once the CA certificate is placed in TLS_CACERTDIR, prefer "TLS_REQCERT demand"
[root@www ~]#
vi /etc/nslcd.conf
# line 133: change like follows
#ssl no
#tls_cacertdir /etc/openldap/cacerts
ssl start_tls
tls_reqcert allow
# "allow" skips verification of the server certificate; use "demand" once the CA certificate is installed in tls_cacertdir
tls_reqcert allow
[root@www ~]#
vi /etc/pam_ldap.conf
# line 291: change
#ssl no
#tls_cacertdir /etc/openldap/cacerts
pam_password md5
ssl start_tls
tls_reqcert allow
# as with nslcd, "allow" does not verify the server certificate; use "demand" once the CA certificate is installed
tls_reqcert allow
[root@www ~]#
www.server.world login: fermi
shutdown -r now
Password:
Last login: Mon Jul 11 22:38:23 on ttyS0
[fermi@www ~]$
# logged in