Re: Fwd: Re: Make /etc/default/slapd automatically configurable
On Tue, Aug 10, 2010 at 12:05:33AM +0200, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
> > We currently add the deprecated ldaps:/// protocol here:
> > SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
> > It would be nice if we would not need ldaps and could only use
> > TLS. This has to be checked.
> I've checked, and we still need ldaps to be able to download the SSL
> certificate from the LDAP server to the clients during the first boot.
> If someone can come up with a way to extract it using TLS, I am all
> for dropping ldaps.
It looks like it's possible using gnutls-cli >= 3.5.0.
gnutls-cli -p 389 --x509cafile /etc/ldap/certs/ca.crt --starttls-proto=ldap --save-cert=ldap.example.org.crt ldap.example.org < /dev/null
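For anyone who wants to see what that gnutls-cli invocation does on the wire, or to do the same from a first-boot script without depending on a particular gnutls version, here is an added example (my own illustration, not debian-edu code and not from this thread). It hand-encodes the LDAP StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037, RFC 4511 section 4.14) as BER, checks the server's ExtendedResponse, upgrades the plain port-389 socket to TLS with Python's ssl module and returns the peer certificate as PEM plus its SHA-256 fingerprint. The host name ldap.example.org is the one from the thread; the sample response bytes in the block are constructed, not captured from a real server.

```python
"""Fetch an LDAP server certificate over StartTLS on port 389, with no ldaps.

Added example for the thread above; it is not debian-edu code. It does by hand
what `gnutls-cli --starttls-proto=ldap --save-cert` does: send the LDAP
StartTLS extended operation as raw BER, check the ExtendedResponse, then
upgrade the socket to TLS and save the peer certificate as PEM.
"""
import hashlib
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 section 4.14


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    if not 1 <= message_id < 128:          # keep the INTEGER encoding single-byte
        raise ValueError("message_id out of range for this encoder")
    ext_req = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))   # 0x77 = APPLICATION 23, constructed
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + ext_req)


def _read_tlv(buf: bytes, pos: int):
    """Decode one TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(buf: bytes, expect_id: int = 1) -> int:
    """Return the resultCode of an ExtendedResponse [APPLICATION 24] for expect_id.

    Any shape mismatch raises instead of guessing: the socket is only handed
    to TLS after the server explicitly answered StartTLS with success (0).
    """
    tag, msg, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02 or int.from_bytes(mid, "big") != expect_id:
        raise ValueError("unexpected messageID")
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x78:                        # 0x78 = APPLICATION 24, ExtendedResponse
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    tag, code, _ = _read_tlv(op, 0)
    if tag != 0x0A:                        # resultCode is an ENUMERATED
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")


def fetch_server_cert(host: str, port: int = 389, timeout: float = 10.0):
    """Return (pem, sha256_hex) of the certificate presented after StartTLS."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(starttls_request(1))
        reply = sock.recv(4096)            # the ExtendedResponse is a few dozen bytes
        code = parse_extended_response(reply, 1)
        if code != 0:
            raise RuntimeError("StartTLS refused, resultCode=%d" % code)
        # First-boot bootstrap: the client has no CA yet, so verification is
        # deliberately off. That makes this trust-on-first-use; compare the
        # returned fingerprint out of band before installing the PEM.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der), hashlib.sha256(der).hexdigest()


# Constructed sample reply (not captured from a real server):
# LDAPMessage { messageID 1, ExtendedResponse { success, matchedDN "", diag "" } }
SAMPLE_STARTTLS_OK = bytes.fromhex("300c02010178070a010004000400")

if __name__ == "__main__":
    print("sample reply resultCode:", parse_extended_response(SAMPLE_STARTTLS_OK))
    if len(sys.argv) > 1:                  # e.g. ldap.example.org (assumed host)
        pem, fp = fetch_server_cert(sys.argv[1])
        print(pem)
        print("SHA256:", fp)
```

Note that this fetches the certificate without verifying it, which is exactly the position a client is in on first boot: the point of printing the SHA-256 fingerprint is so the script, or the admin, can compare it against a value obtained some other way before the PEM goes into /etc/ldap/certs. The gnutls-cli line above avoids that by already having ca.crt on the client; if the CA file is present there is nothing left to fetch, so in practice one of the two has to be trusted on first use.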