Hi, I'm trying to tighten up my LDAP server using TLS. My (certainly wrong) method was this:

Server: I made a CA certificate and root CA, giving the FQDN of the server as the common name for both certs, using YaST. I copied YaST-CA.pem from /etc/ssl/certs to /etc/srv/htdocs. Back in YaST->LDAP Server I added TLS and restarted.

Client: YaST->LDAP Client, and changed 'Addresses of LDAP Servers' from 127.0.0.1 to my FQDN and downloaded YaST-CA.pem, checking the 'LDAP TLS/SSL' box in the 'Secure Connection' section.

1. What is the correct way of doing this?
2. Does this confirm that TLS is working? (all this just for one login?)

Thanks.
L x

Oct 29 15:14:02 hh1 slapd[1798]: conn=1083 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 29 15:14:02 hh1 slapd[1798]: conn=1083 op=0 STARTTLS
Oct 29 15:14:02 hh1 slapd[1798]: conn=1083 op=0 RESULT oid= err=0 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1083 fd=33 ACCEPT from IP=192.168.1.3:47402 (IP=0.0.0.0:389)
Oct 29 15:14:02 hh1 slapd[1798]: conn=1083 fd=33 TLS established tls_ssf=256 ssf=256
Oct 29 15:14:02 hh1 slapd[1798]: conn=1083 op=1 BIND dn="" method=128
Oct 29 15:14:02 hh1 slapd[1798]: conn=1083 op=1 RESULT tag=97 err=0 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1083 op=2 SRCH base="dc=com" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=lynn2))"
Oct 29 15:14:02 hh1 slapd[1798]: conn=1083 op=2 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag
Oct 29 15:14:02 hh1 slapd[1798]: conn=1083 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 fd=34 ACCEPT from IP=192.168.1.3:47403 (IP=0.0.0.0:389)
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=0 STARTTLS
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=0 RESULT oid= err=0 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 fd=34 TLS established tls_ssf=256 ssf=256
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=1 BIND dn="" method=128
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=1 RESULT tag=97 err=0 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=2 SRCH base="dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(objectClass=posixAccount) (uid=lynn2))"
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=2 SRCH attr=host authorizedService shadowExpire shadowFlag shadowInactive shadowLastChange shadowMax shadowMin shadowWarning uidNumber
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=3 BIND dn="uid=lynn2,ou=people,dc=com" method=128
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=3 BIND dn="uid=lynn2,ou=people,dc=com" mech=SIMPLE ssf=0
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=3 RESULT tag=97 err=0 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=4 BIND anonymous mech=implicit ssf=0
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=4 BIND dn="" method=128
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=4 RESULT tag=97 err=0 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1083 op=3 SRCH base="dc=com" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=lynn2))"
Oct 29 15:14:02 hh1 slapd[1798]: conn=1083 op=3 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag
Oct 29 15:14:02 hh1 slapd[1798]: conn=1083 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 op=0 STARTTLS
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 op=0 RESULT oid= err=0 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 fd=35 ACCEPT from IP=192.168.1.3:47404 (IP=0.0.0.0:389)
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 fd=35 TLS established tls_ssf=256 ssf=256
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 op=1 BIND dn="" method=128
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 op=1 RESULT tag=97 err=0 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 op=2 SRCH base="dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=lynn2))"
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 op=3 SRCH base="dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=lynn2))"
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 op=4 SRCH base="dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=lynn2) (member=uid=lynn2,ou=people,dc=com)))"
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 op=4 SRCH attr=gidNumber
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=5 UNBIND
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 fd=34 closed
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 fd=35 closed (connection lost)
Oct 29 15:14:02 hh1 slapd[1798]: conn=1086 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 29 15:14:02 hh1 slapd[1798]: conn=1086 op=0 STARTTLS
Oct 29 15:14:02 hh1 slapd[1798]: conn=1086 op=0 RESULT oid= err=0 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1086 fd=34 ACCEPT from IP=192.168.1.3:47405 (IP=0.0.0.0:389)
Oct 29 15:14:02 hh1 slapd[1798]: conn=1086 fd=34 TLS established tls_ssf=256 ssf=256
Oct 29 15:14:02 hh1 slapd[1798]: conn=1086 op=1 BIND dn="" method=128
Oct 29 15:14:02 hh1 slapd[1798]: conn=1086 op=1 RESULT tag=97 err=0 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1086 op=2 SRCH base="dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1002))"
Oct 29 15:14:02 hh1 slapd[1798]: conn=1086 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Oct 29 15:14:02 hh1 slapd[1798]: conn=1086 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1086 fd=34 closed (connection lost)
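Added example, not part of the post above and not the poster's or openSUSE's own code: a small Python checker that reads slapd stats-level log lines of the kind pasted here and answers the "does this confirm TLS is working?" question mechanically. For every authenticated simple bind (BIND with method=128 and a non-empty dn, i.e. a password on the wire) it reports whether a "TLS established" line had already been logged on the same conn= before that bind, and with what tls_ssf. The sample log is constructed: the conn=1084 block is modelled on the lines in the post, while conn=2001 is an invented counter-example of a client that bound on port 389 without STARTTLS first.

```python
import re

# Constructed sample log. conn=1084 follows the post's log (STARTTLS, then
# TLS established, then the simple bind for lynn2); conn=2001 is an invented
# connection that sends the same bind without ever negotiating TLS.
SAMPLE_LOG = """\
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 fd=34 ACCEPT from IP=192.168.1.3:47403 (IP=0.0.0.0:389)
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=0 STARTTLS
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=0 RESULT oid= err=0 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 fd=34 TLS established tls_ssf=256 ssf=256
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=1 BIND dn="" method=128
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=1 RESULT tag=97 err=0 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=3 BIND dn="uid=lynn2,ou=people,dc=com" method=128
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=3 BIND dn="uid=lynn2,ou=people,dc=com" mech=SIMPLE ssf=0
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=3 RESULT tag=97 err=0 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=5 UNBIND
Oct 29 15:14:02 hh1 slapd[1798]: conn=2001 fd=36 ACCEPT from IP=192.168.1.9:51000 (IP=0.0.0.0:389)
Oct 29 15:14:03 hh1 slapd[1798]: conn=2001 op=0 BIND dn="uid=lynn2,ou=people,dc=com" method=128
Oct 29 15:14:03 hh1 slapd[1798]: conn=2001 op=0 BIND dn="uid=lynn2,ou=people,dc=com" mech=SIMPLE ssf=0
Oct 29 15:14:03 hh1 slapd[1798]: conn=2001 op=0 RESULT tag=97 err=0 text=
Oct 29 15:14:03 hh1 slapd[1798]: conn=2001 op=1 UNBIND
"""

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) (.*)$")
TLS_RE = re.compile(r"TLS established tls_ssf=(\d+)")
# Only the 'method=' form of the BIND line carries the dn and the auth method;
# the following 'mech=SIMPLE ssf=0' line is the SASL-layer ssf, not TLS.
BIND_RE = re.compile(r'op=(\d+) BIND dn="([^"]*)" method=(\d+)')

LDAP_AUTH_SIMPLE = 128  # method=128 is a simple (password) bind


def analyse_binds(log_text):
    """Walk the log in order, remember per connection whether TLS has been
    established, and record every authenticated simple bind together with
    the TLS strength in force at that moment (0 = password sent in clear)."""
    tls_ssf = {}   # conn id -> tls_ssf once a 'TLS established' line is seen
    binds = []     # (conn, op, dn, tls_ssf_at_bind)
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, rest = int(m.group(1)), m.group(2)
        t = TLS_RE.search(rest)
        if t:
            tls_ssf[conn] = int(t.group(1))
            continue
        b = BIND_RE.search(rest)
        if b and int(b.group(3)) == LDAP_AUTH_SIMPLE and b.group(2):
            # dn="" is an anonymous bind: no credential on the wire, skip it
            binds.append((conn, int(b.group(1)), b.group(2), tls_ssf.get(conn, 0)))
    return binds


def cleartext_binds(log_text):
    """Simple binds whose password went out before TLS was established."""
    return [(c, dn) for c, op, dn, ssf in analyse_binds(log_text) if ssf == 0]


if __name__ == "__main__":
    for conn, op, dn, ssf in analyse_binds(SAMPLE_LOG):
        status = "OK, under TLS (tls_ssf=%d)" % ssf if ssf else "CLEARTEXT password!"
        print("conn=%d op=%d %s: %s" % (conn, op, dn, status))
```

Run against the post's own log, every BIND with a real dn sits after a "TLS established tls_ssf=256" line on the same connection, so the password for lynn2 was sent inside TLS; the ssf=0 on the "mech=SIMPLE ssf=0" line is the bind mechanism's own (SASL) security layer and says nothing about TLS. What the server log cannot show is whether the client verified the server certificate against YaST-CA.pem: that is decided on the client by TLS_REQCERT in /etc/openldap/ldap.conf (demand is the strict setting), and running ldapsearch -ZZ -x -H ldap://<fqdn>/ -b dc=com from the client is a quick check, since -ZZ makes it abort rather than fall back if STARTTLS fails.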