It seems that I had to piece this all together to get it to work…
1. We already have a certificate that has been signed by GeoTrust, so I copied the server.key and server.crt to /etc/ldap/
2. I needed to download the appropriate ca cert from:
3. This cert needs to be in PEM format, so after flailing for some time, I realized I needed the (DER encoded X.509) CA certificate from this page. (A quick check by hitting a page over https in Firefox, then opening:
Tools->Page Info->Security->View->General "Issued By: CN…"
showed me which root certificate to download.) Just make sure it is the DER encoded X.509 certificate, not the PEM one.
4. Next, generate the pem encoded certificate with the following command:
openssl x509 -in MyDownloadedGeotrustDEREncoded.cer -inform DER -out /etc/ldap/cacert.pem -outform PEM
5. Add the following lines to your slapd.conf, and restart OpenLDAP:
6. Copy the /etc/ldap/cacert.pem file to all of your client computers, AND add the following lines to the client’s /etc/ldap/ldap.conf:
7. From a client computer, test the TLS/SSL handshake with the following:
ldapsearch -H ldaps://my.ldaps_server.com -x -D "cn=admin,dc=…" -W -b "dc=…" -s sub "(objectclass=*)"
(Adding -d -1 (minus one) shows all debugging information for the handshake. It is the best way to find out what is failing with any of the ldap-utils tools.)
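Before restarting slapd in step 5 it is worth proving, on the server itself, that the three files you are about to reference actually belong together: that cacert.pem is the issuer of server.crt, and that server.key is the key for server.crt. Getting either wrong produces exactly the kind of opaque handshake failure that step 7's -d -1 output is needed to untangle. The script below is an added example, not part of the original post: it builds a throwaway CA and server certificate in a temporary directory (stand-ins for the GeoTrust root and the real server.key/server.crt, all names constructed), exports the CA as DER like the download in step 3, converts it with the exact openssl command from step 4, and then runs the two checks.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway CA and server
# certificate in a temp dir, export the CA as DER (the form the GeoTrust root
# download came in), convert it to PEM with the command from step 4, and then
# run the two checks worth passing BEFORE editing slapd.conf:
#   1. server.crt actually chains to cacert.pem
#   2. server.key really is the private key for server.crt
# Every name and path below is constructed for this example.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Own config so the example does not depend on the system openssl.cnf.
cat >"$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Test Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Constructed stand-in for the commercial root CA, exported as DER like the
# download in step 3, plus a constructed server.key/server.crt signed by it.
make_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 7 -config "$WORK/req.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.cer"
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj "/CN=my.ldaps_server.com" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 7 \
        -out "$WORK/server.crt" 2>/dev/null
    # An unrelated key, used to show the key/cert check rejecting a mismatch.
    openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
}

# Step 4 of the post. Succeeds only if the input really was DER and the
# output parses as PEM (feeding it a PEM file is the mistake step 3 warns about).
der_to_pem() {   # $1 = DER input, $2 = PEM output
    openssl x509 -in "$1" -inform DER -out "$2" -outform PEM 2>/dev/null &&
    grep -q '^-----BEGIN CERTIFICATE-----' "$2" &&
    openssl x509 -in "$2" -inform PEM -noout 2>/dev/null
}

# Check 1: the server cert must chain to the CA file we hand to slapd/ldap.conf.
chain_ok() {     # $1 = cacert.pem, $2 = server.crt
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: the key must belong to the cert. Comparing the SubjectPublicKeyInfo
# (not just an RSA modulus) works for RSA and EC keys alike.
key_matches_cert() {   # $1 = private key, $2 = certificate
    k="$(openssl pkey -in "$1" -pubout 2>/dev/null)"
    c="$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)"
    [ -n "$k" ] && [ "$k" = "$c" ]
}

main() {
    make_fixture
    der_to_pem "$WORK/ca.cer" "$WORK/cacert.pem" && echo "cacert.pem written"
    chain_ok "$WORK/cacert.pem" "$WORK/server.crt" && echo "chain OK"
    key_matches_cert "$WORK/server.key" "$WORK/server.crt" && echo "key/cert OK"
}
main
```

On the real server, run chain_ok and key_matches_cert against /etc/ldap/cacert.pem, /etc/ldap/server.crt and /etc/ldap/server.key instead of the fixture; if chain_ok fails you downloaded the wrong root (or an intermediate is missing from cacert.pem), and if key_matches_cert fails the key and certificate were never a pair.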
1. To limit ldap (port 389) connections to localhost, but allow ldaps (port 636) connections from localhost and the world, change your /etc/default/slapd as follows: