Discussion:
LDAP TLS/SSL certificates and easy-rsa
Predrag Punosevac
2013-11-19 15:09:47 UTC
This is not an OpenBSD question but when it comes to competency this
group is second to none so I am asking here for help.

I am trying to secure my LDAP server (stack OpenBSD ldapd) using
starttls method. Since I recently dealt quite a bit with OpenVPN it
occurred to me that easy-rsa could be used to generate certificates for
LDAP. Could somebody please confirm this?

P.S. I have read man starttls and have no problem following it.
Giancarlo Razzolini
2013-11-19 15:35:15 UTC
Post by Predrag Punosevac
> This is not an OpenBSD question but when it comes to competency this
> group is second to none so I am asking here for help.
> I am trying to secure my LDAP server (stack OpenBSD ldapd) using
> starttls method. Since I recently dealt quite a bit with OpenVPN it
> occurred to me that easy-rsa could be used to generate certificates for
> LDAP. Could somebody please confirm this?
> P.S. I have read man starttls and have no problem following it.
Predrag,

In short, openvpn's easy-rsa can indeed generate the certs. Now,
elaborating, to securely use your server, you will have to distribute
the ca certificate across all your ldap clients and make sure they're
using it to validate the cert your ldap server presents. Better yet,
generate ssl client certs and use them to communicate with the server,
so you can have the same level of security that openvpn has between
servers and clients (the only thing you won't have is the hmac
firewall). The easy-rsa scripts provide a full PKI and I did use its
certs for other uses than openvpn itself.

Regards,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
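The procedure the reply describes (a CA, a server certificate for the ldapd host, a client certificate for mutual TLS, and clients that actually validate the server against the distributed CA), as an added example that is not part of this thread and not code from easy-rsa or OpenBSD: the same steps the easy-rsa scripts wrap, done with plain openssl so that the resulting files and the client-side checks are visible. The hostname ldap.example.com, the names "Example LDAP CA", "Some Other CA" and ldap-client-1, and the working directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread, easy-rsa or OpenBSD. Builds the
# PKI easy-rsa would build (CA, server cert, client cert) with plain openssl,
# then checks the certs the way a correctly configured LDAP client must.
# ldap.example.com, ldap-client-1 and the CA names are assumed values.
set -eu

# Work in a throwaway directory unless the caller points PKI somewhere.
if [ -z "${PKI:-}" ]; then
    PKI=$(mktemp -d)
    trap 'rm -rf "$PKI"' EXIT
fi

# build_ca <basename> <CN>: self-signed CA. A config file is used instead of
# the newer -addext flag so this also runs on LibreSSL (OpenBSD's openssl).
build_ca() {
    cat > "$PKI/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $2
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$PKI/$1.cnf" \
        -keyout "$PKI/$1.key" -out "$PKI/$1.crt" >/dev/null 2>&1
}

# issue_cert <ca basename> <leaf basename> <CN> <extension lines, \n separated>
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$PKI/$2.key" -out "$PKI/$2.csr" \
        -subj "/CN=$3" >/dev/null 2>&1
    printf '%b\n' "$4" > "$PKI/$2.ext"
    openssl x509 -req -days 825 -in "$PKI/$2.csr" -CA "$PKI/$1.crt" \
        -CAkey "$PKI/$1.key" -CAcreateserial -extfile "$PKI/$2.ext" \
        -out "$PKI/$2.crt" >/dev/null 2>&1
}

build_pki() {
    build_ca ca "Example LDAP CA"
    # Server cert: the SAN must be the name clients connect to.
    issue_cert ca ldap ldap.example.com \
        'subjectAltName=DNS:ldap.example.com\nextendedKeyUsage=serverAuth'
    # Client cert for mutual TLS: clientAuth only, so it cannot pose as the server.
    issue_cert ca client ldap-client-1 'extendedKeyUsage=clientAuth'
    # An unrelated CA, standing in for whatever a man-in-the-middle could present.
    build_ca other-ca "Some Other CA"
}

# verify_server_cert <ca.crt> <server.crt> <hostname>: what a client must do
# before trusting the server. Chain to the distributed CA, require a cert that
# is valid for the TLS server role, and require the SAN to carry the hostname.
# Returns 0 only if all three hold.
verify_server_cert() {
    openssl verify -CAfile "$1" -purpose sslserver "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -text | grep -Eq "DNS:$3"'(,|$)' || return 1
}

build_pki
# Expected: only the first combination is accepted.
for t in "ca ldap ldap.example.com" \
         "ca client ldap.example.com" \
         "other-ca ldap ldap.example.com" \
         "ca ldap ldap.example.org"; do
    set -- $t
    if verify_server_cert "$PKI/$1.crt" "$PKI/$2.crt" "$3"; then r=accepted; else r=rejected; fi
    echo "CA=$1 cert=$2 host=$3: $r"
done
```

The three rejected cases are the ones a client that does not validate would silently accept: a client certificate presented as a server, a server certificate signed by some other CA, and a certificate for a different name. Install ca.crt on every client and require validation there (on OpenLDAP-based clients that is TLS_CACERT together with TLS_REQCERT demand in ldap.conf(5)); give ldapd ldap.crt and ldap.key as ldapd.conf(5) describes for its tls listener.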