10/23/2010

Configuration for LDAP client

[2] Configure LDAP server
[root@master ~]# cp /etc/pki/tls/certs/server.* /etc/openldap/cacerts/
[root@master ~]# chown ldap. /etc/openldap/cacerts/*
[root@master ~]# vi /etc/openldap/slapd.conf

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

# line 10: add these lines
TLSCertificateFile /etc/openldap/cacerts/server.crt
TLSCertificateKeyFile /etc/openldap/cacerts/server.key

[root@master ~]# /etc/rc.d/init.d/ldap restart
Stopping slapd: [ OK ]
Checking configuration files for slapd: /etc/openldap/slapd.conf: line 117: rootdn is always granted unlimited privileges.
/etc/openldap/slapd.conf: line 121: rootdn is always granted unlimited privileges.
config file testing succeeded [ OK ]
Starting slapd: [ OK ]
[3] Config on Client
[root@www ~]# vi /etc/openldap/ldap.conf

# add at the bottom
URI ldaps://10.0.0.100/
BASE dc=server,dc=world
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
# note: "allow" accepts the server certificate even when it cannot be verified, so the server is not authenticated;
# once the CA certificate is installed in TLS_CACERTDIR on the client, use "demand" instead

[root@www ~]# vi /etc/ldap.conf

# near bottom
uri ldap://10.0.0.100/
ssl start_tls    # change
tls_cacertdir /etc/openldap/cacerts
pam_password md5
[4] Configuration is complete. The connection is encrypted, as shown below.
# for a normal (unencrypted) connection, the password is visible in the capture ( the highlighted words )
[root@master ~]# tcpdump port ldap -i eth0 -X -s 1024
16:39:34.551462 IP 192.168.0.50.50530 > master.server.world.ldap: P 137:237(100) ack 349 win 108
0x0000: 4500 0098 a57d 4000 4006 1342 c0a8 0032 E....}@.@..B...2
0x0010: c0a8 001e c562 0185 7f88 5b3e 311f 4816 .....b....[>1.H.
0x0020: 8018 006c 0650 0000 0101 080a fffe ffc3 ...l.P..........
0x0030: 001a da06 3062 0201 0360 3e02 0103 042a ....0b...`>....*
0x0040: 7569 643d 736c 6573 2c6f 753d 5065 6f70 uid=sles,ou=Peop
0x0050: 6c65 2c64 633d 7365 7276 6572 2d77 6f72 le,dc=server
0x0060: 6c64 2c64 633d 696e 666f 800d 6869 726f ux,dc=world..pass
0x0070: 6b75 6e74 616e 6664 37a0 1d30 1b04 1931 wordcent..0...1.
0x0080: 2e33 2e36 2e31 2e34 2e31 2e34 322e 322e 3.6.1.4.1.42.2.2
0x0090: 3237 2e38 2e35 2e31 7.8.5.1

# for an encrypted connection, the password is not visible
[root@master ~]# tcpdump port ldap -i eth0 -X -s 1024
16:43:41.240075 IP 192.168.0.50.37173 > master.server.world.ldap: P 902:976(74) ack 1656 win 143
0x0000: 4500 007e d2d4 4000 4006 e604 c0a8 0032 E..~..@.@......2
0x0010: c0a8 001e 9135 0185 6994 2ee0 17a9 5c4c .....5..i.....
0x0020: 8018 008f 613e 0000 0101 080a fffe f9b1 ....a>..........
0x0030: 001b cae8 1703 0100 2067 f3c9 a959 5eb8 .........g...y^.
0x0040: 828a 80c4 a6d0 1d49 ccf7 ebcb 3a0e 0468 .......i....:..h
0x0050: a4d6 3756 1639 dcc2 bf17 0301 0020 bb89 ..7v.9..........
0x0060: 34ab 231f 0457 513c 3901 5950 b95e 8287 4.#..wq<9.yp.^..
0x0070: 7c77 74c5 7391 9c8a cdb0 0523 9f8d |wt.s......#..


  1. Have more to articles about specific solutions using DCOM, CORBA, and distributed computing technologies (MIDAS, etc.)
