--- /dev/null
+[GnuTLS][] is the GNU [SSL/TLS][] implementation, because
+[OpenSSL][]'s [license is incompatible with the GPL][incompatible].
+There are a number of small compatibility issues between the two, so
+it's best to use the OpenSSL tools to create certs and keys for use by
+OpenSSL-linked servers and the GnuTLS tools to create certs and keys
+for use by GnuTLS-linked servers. See [[X.509_certificates]] for
+details on creating self-signed keys with both packages.
+
+[GnuTLS]: http://www.gnu.org/software/gnutls/
+[SSL/TLS]: http://en.wikipedia.org/wiki/Transport_Layer_Security
+[OpenSSL]: http://www.openssl.org/
+[incompatible]: http://en.wikipedia.org/wiki/OpenSSL#Licensing
+
+[[!tag tags/linux]]
+[[!tag tags/tools]]
editing the script itself. Usage details are available in the
docstring.
+SSL/TLS
+-------
+
+It took me a bit of work to get [SSL/TLS][] working with my
+[[GnuTLS]]-linked OpenLDAP. First, you'll probably need to generate
+new SSL/TLS keys (`/etc/openldap/ssl/*`) with [certtool][] (see
+[[X.509_certificates]]). Then add the following lines to
+`/etc/openldap/slapd.conf`:
+
+ TLSCipherSuite NORMAL
+ TLSCACertificateFile /etc/openldap/ssl/ca.crt
+ TLSCertificateFile /etc/openldap/ssl/ldap.crt
+ TLSCertificateKeyFile /etc/openldap/ssl/ldap.key
+ TLSVerifyClient never
+
+Where `ca.crt`, `ldap.crt`, and `ldap.key` are your new CA,
+certificate, and private key. If you want to disable unencrypted
+connections completely, remove the `ldap://` entry from your `slapd`
+command line by editing (on Gentoo) `/etc/conf.d/slapd` so it has
+
+ OPTS="-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
+
+Now you should be able to restart `slapd` so it will use the new
+configuration.
+
+Have clients running on your server use the local socket by editing
+`/etc/openldap/ldap.conf` to set:
+
+ URI ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock
+
+Test your server setup by running (on the server)
+
+ $ ldapsearch -x -b '' -s base '(objectclass=*)'
+
+Copy your CA over to any client machines (I put it in
+`/etc/openldap/ssl/ldapserver.crt`), and set them up with the
+following two lines in `/etc/openldap/ldap.conf`:
+
+ URI ldaps://ldapserver.example.com
+ TLS_CACERT /etc/openldap/ssl/ldapserver.crt
+
+Test your client setup by running (on the client)
+
+ $ ldapsearch -x -b '' -s base '(objectclass=*)'
+
+You can configure `shelldap` with the following lines in
+`~/.shelldap.rc`:
+
+ server: ldaps://ldapserver.example.com
+ tls: yes
+ tls_cacert: /etc/openldap/ssl/ldapserver.crt
+
+You can configure `mutt-ldap.py` with the following lines in
+`~/.mutt-ldap.rc`:
+
+ port = 636
+ ssl = yes
+
References
----------
[rfc4512]: http://tools.ietf.org/html/rfc4512
[shelldap]: http://projects.martini.nu/shelldap/
[mutts]: http://wiki.mutt.org/?QueryCommand
+[SSL/TLS]: http://en.wikipedia.org/wiki/Transport_Layer_Security
+[certtool]:http://www.gnu.org/software/gnutls/manual/html_node/Invoking-certtool.html#Invoking-certtool
[schema]: http://www.oreillynet.com/pub/a/sysadmin/2006/11/09/demystifying-ldap-data.html
+
+[[!tag tags/linux]]
+[[!tag tags/tools]]
protocol = 'ldap'
if CONFIG.getboolean('connection', 'ssl'):
protocol = 'ldaps'
- connection = ldap.initialize(
- '%s://%s:%s' % (
- protocol,
- CONFIG.get('connection', 'server'),
- CONFIG.get('connection', 'port')))
+ url = '%s://%s:%s' % (
+ protocol,
+ CONFIG.get('connection', 'server'),
+ CONFIG.get('connection', 'port'))
+ connection = ldap.initialize(url)
connection.bind(
CONFIG.get('connection', 'user'),
CONFIG.get('connection', 'password'),
If you're running your own server, your probably not shelling out $400
to get an "official" Certificate Authority to sign your key. Here's a
quick not to myself about how to create and sign your own key.
+Depending on your application, you can use either the [[GnuTLS]] or
+[OpenSSL][] toolchain.
-Use [openssl][]'s [genpkey][] to generate an *unencrypted* public key.
+GnuTLS
+------
+
+Following the [GnuTLS manual][gnutls-manual], create a certificate
+authority with [certtool][], adjusting the `cn` as you see fit:
+
+ $ certtool --generate-privkey > x509-ca-key.pem
+ $ echo 'cn = GnuTLS test CA' > ca.tmpl
+ $ echo 'ca' >> ca.tmpl
+ $ echo 'cert_signing_key' >> ca.tmpl
+ $ certtool --generate-self-signed --load-privkey x509-ca-key.pem \
+ --template ca.tmpl --outfile x509-ca.pem
+
+Now generate the *unencrypted* server key.
+
+ $ certtool --generate-privkey > x509-server-key.pem
+
+And sign the key with your CA, adjusting the `cn` as you see fit, and
+changing `dns_name` to match your fully qualified host name.
+
+ $ echo 'organization = GnuTLS test server' > server.tmpl
+ $ echo 'cn = test.gnutls.org' >> server.tmpl
+ $ echo 'tls_www_server' >> server.tmpl
+ $ echo 'encryption_key' >> server.tmpl
+ $ echo 'signing_key' >> server.tmpl
+ $ echo 'dns_name = test.gnutls.org' >> server.tmpl
+ $ certtool --generate-certificate --load-privkey x509-server-key.pem \
+ --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
+ --template server.tmpl --outfile x509-server.pem
+
+You can also print certificates with [certtool][].
+
+ $ certtool --infile x509-server.pem --certificate-info
+
+OpenSSL
+-------
+
+Use [openssl][]'s [genpkey][] to generate an *unencrypted* key.
$ openssl genpkey -algorithm RSA -out key.pem
$ openssl x509 -in cert.pem -noout -text
-[openssl]: http://www.openssl.org/docs/apps/openssl.html
+[gnutls-manual]: http://www.gnu.org/software/gnutls/manual/html_node/Invoking-gnutls_002dserv.html
+[certtool]: http://www.gnu.org/software/gnutls/manual/html_node/Invoking-certtool.html#Invoking-certtool
+[OpenSSL]: http://www.openssl.org/docs/apps/openssl.html
[genpkey]: http://www.openssl.org/docs/apps/genpkey.html
[req]: http://www.openssl.org/docs/apps/req.html
[x509]: http://www.openssl.org/docs/apps/x509.html
projects / blog.git / commitdiff