LDAP SSL Certificates
Our LDAP instances (clipboard, view) use a Moz-NSS database located at /etc/openldap/certs for handling SSL certificates. Here are some maintenance commands using certutil and modutil.
On the LDAP (SLAPD) server
Re-create *.db files
sudo mkdir /etc/openldap/certs
sudo modutil -create -dbdir /etc/openldap/certs
List certificates on the database
sudo certutil -d /etc/openldap/certs/ -L
Setup a CA Certificate
sudo certutil -d /etc/openldap/certs -A -n "StartSSL CA" -t TCu,Cu,Tuw -a -i /etc/openldap/cacerts/sub.class2.server.ca.pem
where sub.class2.server.ca.pem can be found at http://www.startssl.com/certs/sub.class2.server.ca.pem.
Remove password from the DB
sudo modutil -dbdir /etc/openldap/certs -changepw 'NSS Certificate DB'
Create the .p12 file and import it into the DB
sudo openssl pkcs12 -inkey gnome.key -in gnome.crt -export -out gnome.p12 -nodes -name 'LDAP-Certificate'
sudo pk12util -i gnome.p12 -d /etc/openldap/certs
where gnome.key and gnome.crt are the private key and the certificate you previously created at StartSSL.com.
On the clients (nslcd uses ldap.conf while sssd uses /etc/sssd/sssd.conf)
On /etc/openldap/ldap.conf
BASE dc=gnome,dc=org
URI ldaps://ldap-back
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT demand
On /etc/sssd/sssd.conf
ldap_tls_cacert = /etc/openldap/cacerts/ca.pem
ldap_tls_reqcert = demand
ldap_uri = ldaps://ldap-back
How to test the whole setup
ldapsearch -x -b 'dc=gnome,dc=org' -D "cn=Replicator1,dc=gnome,dc=org" '(objectclass=*)' -H ldaps://ldap.gnome.org -W -v
Substitute view for ldap (s/ldap/view) to test it against view.gnome.org.
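As an added example (not part of the original page or the GNOME setup), the following POSIX sh script audits the two client configurations above so that a TLS_REQCERT / ldap_tls_reqcert weaker than demand, or a URI that is not ldaps://, is caught before it quietly disables server certificate verification. The sample configs it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: audit the client-side TLS settings shown
# above. A TLS_REQCERT of never/allow/try, or a plain ldap:// URI, quietly disables
# server certificate verification, so each check prints why and returns 1 on failure.
# check_ldap_conf FILE : libldap style "KEY value" lines (keys are case-insensitive)
check_ldap_conf() {
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT"{print tolower($2)}' "$1" | tail -n 1)
    uri=$(awk 'toupper($1)=="URI"{print $2}' "$1" | tail -n 1)
    rc=0
    case "$reqcert" in
        demand|hard) ;;  # peer certificate must be present and validate against the CA
        *) echo "$1: TLS_REQCERT='$reqcert' is not demand or hard"; rc=1 ;;
    esac
    case "$uri" in
        ldaps://*) ;;
        *) echo "$1: URI '$uri' is not ldaps://"; rc=1 ;;
    esac
    return $rc
}
# check_sssd_conf FILE : sssd style "key = value" lines; ldap_uri may be a comma list
check_sssd_conf() {
    reqcert=$(awk -F= '$1~/^[ \t]*ldap_tls_reqcert[ \t]*$/{gsub(/[ \t]/,"",$2);print tolower($2)}' "$1" | tail -n 1)
    uris=$(awk -F= '$1~/^[ \t]*ldap_uri[ \t]*$/{gsub(/[ \t]/,"",$2);print $2}' "$1" | tail -n 1)
    rc=0
    case "$reqcert" in
        demand|hard) ;;
        *) echo "$1: ldap_tls_reqcert='$reqcert' is not demand or hard"; rc=1 ;;
    esac
    [ -n "$uris" ] || { echo "$1: ldap_uri is unset"; rc=1; }
    old_ifs=$IFS; IFS=,
    for u in $uris; do   # every server in the list must be reached over ldaps://
        case "$u" in
            ldaps://*) ;;
            *) echo "$1: ldap_uri entry '$u' is not ldaps://"; rc=1 ;;
        esac
    done
    IFS=$old_ifs
    return $rc
}
# demo: constructed configs, the page's strict ldap.conf beside a weakened sssd.conf
demo() {
    tmp=$(mktemp -d)
    printf 'BASE dc=gnome,dc=org\nURI ldaps://ldap-back\nTLS_CACERTDIR /etc/openldap/certs\nTLS_REQCERT demand\n' > "$tmp/ldap.conf"
    printf '[domain/gnome]\nldap_tls_reqcert = allow\nldap_uri = ldap://ldap-back, ldaps://ldap-back\n' > "$tmp/sssd.conf"
    check_ldap_conf "$tmp/ldap.conf" && echo "$tmp/ldap.conf: OK"
    check_sssd_conf "$tmp/sssd.conf" || echo "$tmp/sssd.conf: FAIL"
    rm -rf "$tmp"
}
demo
```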