Securing LDAP clients with SSL/TLS on RHEL5

Securing LDAP clients (using openldap-2.3.43-28.el5_10 and/or openldap-clients-2.3.43-28.el5_10), which are built against OpenSSL

This article is part of the Securing Applications Collection

Configuration File

   /etc/openldap/ldap.conf

Short form

URI              ldaps://rhel5-32.example.com/
TLS_CACERT       /etc/openldap/rhel5-32.example.com.ca.pem
TLS_REQCERT      demand
TLS_CIPHER_SUITE kDH:AES

Protocols

OpenLDAP 2.3 offers no ldap.conf option to restrict the protocol version, so the client negotiates whatever the server offers: SSLv3 or TLSv1.0 with this build. Limiting the version therefore has to be done on the server side. What a server will accept can be checked from the client host with openssl s_client -connect rhel5-32.example.com:636 -ssl3 and the same command with -tls1.

Ciphers

    TLS_CIPHER_SUITE        kDH:AES

Restricts negotiation to AES suites instead of OpenSSL's default list. The value is an OpenSSL cipher-list string (see ciphers(1)): AES selects every suite that encrypts with AES, and kDH selects suites keyed with DH certificates, which LDAP servers practically never deploy, so in practice only the AES suites remain. Check what a given string expands to with:

    openssl ciphers -v 'kDH:AES'

Note the option name: ldap.conf uses TLS_CIPHER_SUITE. TLSCipherSuite is the slapd.conf spelling of the server-side directive and is not recognised in the client file.

Certificate Handling

OpenLDAP clients verify the server certificate against a CA certificate you supply. With TLS_REQCERT demand the session is terminated if the server presents no certificate or one that does not chain to that CA, and the hostname in the URI is checked against the certificate as well; never, allow and try all let the session continue with an unverified certificate. Be aware that libldap also reads ~/.ldaprc and the file named by the LDAPRC environment variable, and that any option can be overridden from the environment as LDAP followed by the option name (for example LDAPTLS_REQCERT=never), so per-user settings can weaken what /etc/openldap/ldap.conf specifies.

Certificate Authority

     TLS_CACERT      /etc/openldap/rhel5-32.example.com.ca.pem

PEM file holding the CA certificate (or chain) that issued the certificate presented by the server. TLS_CACERTDIR <directory> can be used instead to point at a directory of CA certificates with OpenSSL hash links. The file must be readable by every user that runs LDAP clients and writable only by root, since whoever can replace it can impersonate the server. Before relying on it, confirm that the server chain really verifies and that a client connects:

    openssl s_client -connect rhel5-32.example.com:636 -CAfile /etc/openldap/rhel5-32.example.com.ca.pem
    ldapsearch -x -H ldaps://rhel5-32.example.com/ -b '' -s base
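As an added example (not part of the original article), the following POSIX sh script checks an ldap.conf-style file for the client settings described above and shows a weak configuration beside the recommended one. The temporary directory, the empty placeholder CA file and both sample configurations are constructed for demonstration; the checker itself only reads the file and the filesystem.

```shell
#!/bin/sh
# Added example, not from the original article: lint an ldap.conf-style file
# for the client TLS settings this page recommends. The temporary directory,
# the empty placeholder CA file and both sample configurations are constructed.

# Print the value of the last occurrence of directive $2 in file $1
# (directive names are matched case-insensitively, as libldap does).
conf_value() {
    awk -v key="$2" '
        toupper($1) == toupper(key) { $1 = ""; sub(/^ +/, ""); v = $0 }
        END { print v }' "$1"
}

# Report findings for file $1; return 0 only if every check passes.
check_ldap_conf() {
    f="$1"; rc=0

    # Every URI should use ldaps://; with ldap:// the session is plaintext
    # unless the client explicitly issues StartTLS.
    uris=$(conf_value "$f" URI)
    [ -n "$uris" ] || { echo "WEAK: no URI configured"; rc=1; }
    for u in $uris; do
        case "$u" in
            ldaps://*) ;;
            *) echo "WEAK: URI $u is not ldaps://"; rc=1 ;;
        esac
    done

    # demand (alias hard) is the only setting that rejects an unverifiable
    # server certificate; never/allow/try let the session continue.
    reqcert=$(conf_value "$f" TLS_REQCERT | tr 'A-Z' 'a-z')
    case "$reqcert" in
        demand|hard) ;;
        "") echo "NOTE: TLS_REQCERT unset (libldap defaults to demand); set it explicitly" ;;
        *) echo "WEAK: TLS_REQCERT $reqcert accepts an unverified server certificate"; rc=1 ;;
    esac

    # Verification needs the issuing CA; the file must exist and be readable.
    cacert=$(conf_value "$f" TLS_CACERT)
    if [ -z "$cacert" ]; then
        echo "WEAK: TLS_CACERT missing, server certificate chain cannot be verified"; rc=1
    elif [ ! -r "$cacert" ]; then
        echo "WEAK: TLS_CACERT $cacert is not readable"; rc=1
    fi

    # The ldap.conf option is TLS_CIPHER_SUITE; libldap does not know TLS_CIPHERS.
    if [ -n "$(conf_value "$f" TLS_CIPHERS)" ]; then
        echo "ERROR: TLS_CIPHERS is not an ldap.conf option, use TLS_CIPHER_SUITE"; rc=1
    fi
    [ -n "$(conf_value "$f" TLS_CIPHER_SUITE)" ] ||
        echo "NOTE: no TLS_CIPHER_SUITE, OpenSSL's default cipher list applies"

    return $rc
}

# Constructed sample configurations (left in $tmp for inspection).
tmp=$(mktemp -d)
: > "$tmp/ca.pem"    # placeholder standing in for the real CA certificate

cat > "$tmp/weak.conf" <<EOF
# plaintext URI, certificate checking disabled, mistyped cipher option
URI          ldap://rhel5-32.example.com/
TLS_REQCERT  never
TLS_CIPHERS  kDH:AES
EOF

cat > "$tmp/hardened.conf" <<EOF
# the settings recommended above, with the correct option name
URI              ldaps://rhel5-32.example.com/
TLS_CACERT       $tmp/ca.pem
TLS_REQCERT      demand
TLS_CIPHER_SUITE kDH:AES
EOF

check_ldap_conf "$tmp/weak.conf" || echo "$tmp/weak.conf: FAIL"
check_ldap_conf "$tmp/hardened.conf" && echo "$tmp/hardened.conf: PASS"
```

Run it against the real file with check_ldap_conf /etc/openldap/ldap.conf after sourcing the functions; the weak sample reports three WEAK findings and one ERROR, the hardened sample reports nothing. The checker does not see per-user overrides from ~/.ldaprc or LDAP* environment variables, so those still need to be inspected separately.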
