How to test the new openldap with TLS1.1+ and 389 Directory Server
Get the new 389 Directory Server scratch builds:
F22 -
http://koji.fedoraproject.org/koji/taskinfo?taskID=8194738
F21 -
http://koji.fedoraproject.org/koji/taskinfo?taskID=8194917
[1] Install DS using setup-ds.pl. Then set up SSL on the Directory Server.
I use this script to set up SSL:
https://github.com/richm/scripts/blob/master/setupssl2.sh
./setupssl2.sh /etc/dirsrv/slapd-INSTANCE 389 636
slapd-INSTANCE is an example; it is usually slapd-<hostname>, but this
depends on what you specify during the server install. The script
also expects the Directory Manager DN to be "cn=directory manager".
[2] Next configure DS to set the minimum SSL/TLS version it will accept
(the LDIF below is fed to ldapmodify on stdin):
ldapmodify -h host -p port -D "cn=directory manager" -w password
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: off
-
replace: nsTLS
nsTLS: on
-
replace: sslVersionMin
sslVersionMin: TLS1.1
[3] Restart the Directory Server: restart-dirsrv
[4] Perform an ldapsearch over SSL (note the ldaps:// scheme, otherwise
ldapsearch speaks plain LDAP to the secure port and the connection fails):
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-INSTANCE ldapsearch -xLLL -H "ldaps://<host>:<secure port>" -b "" -s base "objectclass=*"
example:
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-localhost ldapsearch -xLLL -H "ldaps://localhost.localdomain:636" -b "" -s base "objectclass=*"
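To confirm that the sslVersionMin setting from step 2 actually took effect, here is an added probe script (written for this note, not part of the mail, the 389 DS or the openldap projects; it assumes the openssl command-line tool is available on the client) that attempts one handshake per protocol version against the secure port and compares what the server accepts with what the configured minimum should allow:

```shell
#!/bin/sh
# probe_ldaps_versions.sh - check which SSL/TLS versions an LDAPS port accepts
# and compare them with the configured sslVersionMin (assumed example script).
# usage: ./probe_ldaps_versions.sh <host>:<secure port> [sslVersionMin]
#   e.g. ./probe_ldaps_versions.sh localhost.localdomain:636 TLS1.1

# Rank a protocol name as written in sslVersionMin, or an openssl s_client
# version flag (without the dash), so versions can be compared.
rank() {
    case "$1" in
        SSL3|ssl3)      echo 0 ;;
        TLS1.0|tls1)    echo 1 ;;
        TLS1.1|tls1_1)  echo 2 ;;
        TLS1.2|tls1_2)  echo 3 ;;
        *) echo "unknown protocol: $1" >&2; return 1 ;;
    esac
}

# expected <sslVersionMin> <flag>: what a correctly configured server should do
expected() {
    if [ "$(rank "$2")" -ge "$(rank "$1")" ]; then echo accepted; else echo rejected; fi
}

# probe <host:port> <flag>: s_client exits non-zero when the server refuses
# the handshake. @SECLEVEL=0 keeps a modern client willing to offer old versions;
# 'Q' on stdin closes the session right after the handshake.
probe() {
    if printf 'Q\n' | openssl s_client -connect "$1" "-$2" \
            -cipher 'DEFAULT:@SECLEVEL=0' >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# check <host:port> <sslVersionMin>: one line per version, returns 1 on mismatch
check() {
    status=0
    for flag in ssl3 tls1 tls1_1 tls1_2; do
        # A version the local openssl build cannot offer would look "rejected";
        # skip it instead of reporting a false pass.
        if ! openssl s_client -help 2>&1 | grep -qw -- "-$flag"; then
            echo "$flag: not supported by local openssl, skipped"; continue
        fi
        want=$(expected "$2" "$flag"); got=$(probe "$1" "$flag")
        if [ "$want" = "$got" ]; then echo "$flag: $got (ok)"
        else echo "$flag: $got, expected $want (MISMATCH)"; status=1; fi
    done
    return $status
}

if [ $# -ge 1 ]; then check "$1" "${2:-TLS1.1}"; fi
```

With sslVersionMin set to TLS1.1 as above, the script should report tls1 (and ssl3, if your openssl can still offer it) as rejected and tls1_1/tls1_2 as accepted.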
Let me know if there are any questions.
Thanks,
Mark