OpenLDAP with SSL

You must create or update Secure Sockets Layer (SSL) certificate files and client and server configuration files to use OpenLDAP with SSL.

Send the following files in ASCII to the z/TPF file system:

cacert.pem
This file is placed in the z/TPF file system (for example, /certs/cacert.pem). It is a bundle of certificate authority (CA) certificates that the client uses during the SSL handshake to verify the certificate the server presents, that is, to verify that the server is the site the client intends to communicate with.
ldap.conf
This file points the OpenLDAP client on the z/TPF system to the cacert.pem file.
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com
#URI  ldap://ldap.example.com ldap://ldap-main.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

TLS_CACERT    /certs/cacert.pem
#TLS_CIPHER_SUITE AES256-SHA   // SSL cipher suite
Corresponding SSL certificate files must be on the platform that contains the OpenLDAP server. For example:
  • userCert/linuxLDAPCert.pem
  • userKey/linuxLDAPKey.pem
  • cacert.pem
The slapd.conf file on the platform that contains the OpenLDAP server must contain references to the corresponding SSL certificate files on the server. For example, using the file names and directories that are referenced in this topic, place the following lines of code just before the database definitions section of the slapd.conf file:
#SSL
TLSCACertificateFile       /cacert.pem
TLSCertificateFile         /userCert/linuxLDAPCert.pem
TLSCertificateKeyFile      /userKey/linuxLDAPKey.pem
#TLSCipherSuite            AES128-SHA
TLSVerifyClient            never
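As an added example that is not part of this topic or of the OpenLDAP project, the following script parses the client (ldap.conf) and server (slapd.conf) fragments shown above and reports the TLS settings a reviewer would check before going live. The file contents are constructed inline to mirror the snippets in this topic; the defaults it assumes are documented in ldap.conf(5) (TLS_REQCERT defaults to demand) and slapd.conf(5) (TLSVerifyClient defaults to never).

```python
"""Audit the TLS directives of an OpenLDAP client (ldap.conf) and server
(slapd.conf). Added example, not IBM's or OpenLDAP's code."""
from typing import Dict, List

# Constructed ldap.conf text mirroring the client configuration in this topic.
LDAP_CONF = """\
# LDAP Defaults
#BASE dc=example,dc=com
TLS_CACERT    /certs/cacert.pem
#TLS_CIPHER_SUITE AES256-SHA
"""

# Constructed slapd.conf fragment mirroring the server configuration in this topic.
SLAPD_CONF = """\
#SSL
TLSCACertificateFile       /cacert.pem
TLSCertificateFile         /userCert/linuxLDAPCert.pem
TLSCertificateKeyFile      /userKey/linuxLDAPKey.pem
#TLSCipherSuite            AES128-SHA
TLSVerifyClient            never
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Parse the 'DIRECTIVE value' syntax shared by ldap.conf and slapd.conf.

    Directive names are case-insensitive in both files, so keys are lowered.
    A line starting with '#' is a comment, so a commented-out directive such as
    '#TLSCipherSuite' is deliberately NOT reported as configured.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_client(conf: Dict[str, str]) -> List[str]:
    """Findings for the z/TPF side: can the client verify the server?"""
    findings = []
    if "tls_cacert" not in conf and "tls_cacertdir" not in conf:
        findings.append("WARN no TLS_CACERT/TLS_CACERTDIR: no trust anchor to verify the server certificate")
    # ldap.conf(5): TLS_REQCERT defaults to 'demand'; 'never' and 'allow' skip verification.
    reqcert = conf.get("tls_reqcert", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"WARN TLS_REQCERT {reqcert}: server certificate is not verified, connection can be intercepted")
    return findings


def audit_server(conf: Dict[str, str]) -> List[str]:
    """Findings for the slapd side: can the server present a chain, and how does it treat clients?"""
    findings = []
    for directive in ("tlscacertificatefile", "tlscertificatefile", "tlscertificatekeyfile"):
        if directive not in conf:
            findings.append(f"WARN missing {directive}: slapd has no complete certificate material for StartTLS")
    # slapd.conf(5): TLSVerifyClient defaults to 'never'; 'allow' ignores a bad client certificate.
    verify = conf.get("tlsverifyclient", "never").lower()
    if verify == "allow":
        findings.append("WARN TLSVerifyClient allow: a bad client certificate is ignored and the session proceeds")
    elif verify == "never":
        findings.append("INFO TLSVerifyClient never: no client certificate requested; clients are authenticated only by their bind")
    return findings


if __name__ == "__main__":
    for name, text, audit in (("ldap.conf", LDAP_CONF, audit_client), ("slapd.conf", SLAPD_CONF, audit_server)):
        for finding in audit(parse_conf(text)) or ["OK no findings"]:
            print(f"{name}: {finding}")
```

With the fragments from this topic the client side produces no findings (TLS_CACERT is set and TLS_REQCERT is left at its verifying default), and the server side only notes that TLSVerifyClient never leaves client authentication to the LDAP bind.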
The following example issues an OpenLDAP search request from the z/TPF OpenLDAP client to the Linux® on IBM Z® OpenLDAP server by using SSL. This example assumes the files referenced previously are in place on your z/TPF and Linux on IBM Z system.
Note: The -ZZ option issues the StartTLS extended operation and makes the request fail if the SSL connection cannot be established, so the search is never sent in the clear.
User:   zfile ldapsearch -h linuxtpf.pok.ibm.com:389 -x -b 'dc=ibm,dc=com' -ZZ 'departmentNumber=000000003'

System: `00zfile ldapsearch -h linuxtpf.pok.ibm.com:389 -x -b 
        'dc=ibm,dc=com' -ZZ 'depa
        rtmentNumber=000000003'
        CSMP0097I 11.19.15 CPU-B SS-BSS  SSU-HPN  IS-01
        FILE0001I 11.19.15 START OF DISPLAY FROM ldapsearch -h linuxtpf.pok.ibm.com:...
        # extended LDIF
        #
        # LDAPv3
        # base <dc=ibm,dc=com> with scope subtree
        # filter: departmentNumber=000000003
        # requesting: ALL
        #

        # 000000003, Employees, ibm.com
        dn: departmentNumber=000000003,ou=Employees,dc=ibm,dc=com
        objectClass: inetOrgPerson
        cn: John L
        sn: Jones
        departmentNumber: 000000001
        departmentNumber: 000000003
        employeeNumber: 222222222
        telephoneNumber:: ODQ1LTQzMy0xMTExIA==

        # SEARCH RESULT
        search:  3
        result:  0 Success
        
        # numResponses: 2
        # numEntries: 1
        END OF DISPLAY+
The following example shows the output messages on the Linux on IBM Z OpenLDAP server if the server was started with the debug option (-d 256), which logs connections, operations, and results:

System: 51dc490c @(#) $OpenLDAP: slapd 2.4.34 (May  7 2013 11:29:24) $
                kellyp@linuxtpf:/home/kellyp/LDAP2.4.34/openldap-2.4.34/servers/slapd
        51dc490c slapd starting
        51dc4921 conn=1000 fd=13 ACCEPT from IP=9.57.13.44:2060 (IP=9.56.224.21:389)
        51dc4921 conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
        51dc4921 conn=1000 op=0 STARTTLS
        51dc4921 conn=1000 op=0 RESULT oid= err=0 text=
        51dc4921 conn=1000 fd=13 TLS established tls_ssf=56 ssf=56
        51dc4921 conn=1000 op=1 BIND dn="" method=128
        51dc4921 conn=1000 op=1 RESULT tag=97 err=0 text=
        51dc4921 conn=1000 op=2 SRCH base="dc=ibm,dc=com" scope=2 deref=0 
          filter="(departmentNumber=000000003)"
        51dc4921 conn=1000 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
        51dc4921 conn=1000 op=3 UNBIND
        51dc4921 conn=1000 fd=13 closed
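The slapd log above is the record a defender would use to confirm that clients really negotiated TLS before binding or searching. As an added example that is not part of this topic or of the OpenLDAP project, the script below parses that -d 256 connection-log format and flags sessions whose BIND or SRCH preceded "TLS established", simple binds that carried a password in the clear, and weak negotiated cipher strength. The sample log is constructed: conn=1000 reproduces the session shown above, while conn=1001 is an invented plaintext session used to exercise the checks. The ssf threshold follows slapd.conf(5), where 56 denotes DES-class ciphers, 112 triple DES, and 128 modern ciphers.

```python
"""Review slapd '-d 256' connection logging for sessions that operated without
TLS and for weak cipher strength. Added example, not IBM's or OpenLDAP's code."""
import re
from typing import Dict

# Constructed sample log. conn=1000 mirrors the topic's transcript (StartTLS,
# anonymous bind, search). conn=1001 is invented: a simple bind and search with
# no StartTLS, i.e. a password and query sent in the clear.
SAMPLE_LOG = """\
51dc490c slapd starting
51dc4921 conn=1000 fd=13 ACCEPT from IP=9.57.13.44:2060 (IP=9.56.224.21:389)
51dc4921 conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
51dc4921 conn=1000 op=0 STARTTLS
51dc4921 conn=1000 op=0 RESULT oid= err=0 text=
51dc4921 conn=1000 fd=13 TLS established tls_ssf=56 ssf=56
51dc4921 conn=1000 op=1 BIND dn="" method=128
51dc4921 conn=1000 op=1 RESULT tag=97 err=0 text=
51dc4921 conn=1000 op=2 SRCH base="dc=ibm,dc=com" scope=2 deref=0 filter="(departmentNumber=000000003)"
51dc4921 conn=1000 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
51dc4921 conn=1000 op=3 UNBIND
51dc4921 conn=1000 fd=13 closed
51dc4a00 conn=1001 fd=14 ACCEPT from IP=192.0.2.10:40112 (IP=9.56.224.21:389)
51dc4a00 conn=1001 op=0 BIND dn="cn=admin,dc=ibm,dc=com" method=128
51dc4a00 conn=1001 op=0 RESULT tag=97 err=0 text=
51dc4a00 conn=1001 op=1 SRCH base="dc=ibm,dc=com" scope=2 deref=0 filter="(objectClass=*)"
51dc4a00 conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=7 text=
51dc4a00 conn=1001 op=2 UNBIND
51dc4a00 conn=1001 fd=14 closed
"""

CONN_RE = re.compile(r"^[0-9a-f]+ conn=(?P<conn>\d+) (?P<rest>.*)$")
TLS_RE = re.compile(r"TLS established tls_ssf=(?P<tls_ssf>\d+) ssf=(?P<ssf>\d+)")
OP_RE = re.compile(r"op=\d+ (?P<op>BIND|SRCH|ADD|MOD|DEL|MODRDN|CMP|EXT|UNBIND)\b")
BIND_RE = re.compile(r'BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
MIN_SSF = 128       # slapd.conf(5): 56 = DES-class, 112 = 3DES, 128 = modern ciphers
SIMPLE_BIND = 128   # LDAP simple bind: the password travels as-is inside the request


def analyze_conn_log(text: str) -> Dict[str, dict]:
    """Return per-connection state: tls negotiated, ssf, plaintext ops, findings."""
    sessions: Dict[str, dict] = {}
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue  # startup banner and other lines without conn=
        s = sessions.setdefault(m["conn"], {"tls": False, "ssf": None, "plaintext_ops": [], "findings": []})
        rest = m["rest"]
        t = TLS_RE.search(rest)
        if t:
            s["tls"] = True
            s["ssf"] = int(t["ssf"])
            if s["ssf"] < MIN_SSF:
                s["findings"].append(f"weak cipher: ssf={s['ssf']} (< {MIN_SSF})")
            continue
        o = OP_RE.search(rest)
        if not o or o["op"] in ("EXT", "UNBIND"):
            continue  # the StartTLS EXT itself and UNBIND are expected in the clear
        if not s["tls"]:
            s["plaintext_ops"].append(o["op"])
            b = BIND_RE.search(rest)
            if b and b["dn"] and int(b["method"]) == SIMPLE_BIND:
                s["findings"].append(f"simple bind for {b['dn']} without TLS: password exposed on the wire")
    for s in sessions.values():
        if s["plaintext_ops"]:
            s["findings"].append("operations before TLS: " + ", ".join(s["plaintext_ops"]))
    return sessions


if __name__ == "__main__":
    for conn, s in analyze_conn_log(SAMPLE_LOG).items():
        print(f"conn={conn} tls={s['tls']} ssf={s['ssf']}: " + ("; ".join(s["findings"]) or "clean"))
```

Run against the sample, conn=1000 is reported as protected but with a 56-bit security strength factor, which is the value the log above actually shows and a reason to revisit the TLSCipherSuite settings left commented out in this topic; conn=1001 is reported for a simple bind and a search performed before any TLS negotiation.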