ldap download CA

OK, probably a really dumb question, but
I have a few client machines (openSUSE 11.3) authenticating using
LDAP, and all works well (if I don’t check “use TLS”).

The LDAP server would seem to be set up to use the common certs I created during install (on SUSE 11.1).

If I check “use TLS” on the client, it asks me to download the certificate …
…from where ???



Since no one else has answered your post yet, I’ll hazard a post, although frankly my experience is using LDAP other than OpenLDAP, and I haven’t personally set up your situation on SuSE specifically.

But, assuming (ugh) that OpenLDAP on SuSE manages your issue similarly to other platforms…

Typically, all computing machines store authentication certificates (x500) in a common repository on the machine. This generally means that it doesn’t matter what application or utility you use to import/download a required certificate; it only has to be done, and to the correct sub-store (category) in the local certificate repository… Common methods people use to install/download certificates are web browsers, or file transfer followed by running a certificate utility (like OpenSSL).

Now, as to the certificate TLS requires… Typically, when LDAP is set up for a private Domain, a certificate needs to be generated to provide the basis for Domain-wide authentication. If you require public authentication (e.g. supporting a public website using the private Domain’s namespace) or do other Enterprise-type things, then you will need to create a CA and configure it as a secondary CA to a public CA that permits such use (public CAs pay big money to be listed and installed by default in web browsers), so that anonymous clients will automatically trust your CA and the certificates it generates.

If you’re a small business which only needs internal LDAP authentication, then setting up a CA is optional but advisable, and if you do it, of course it should be published appropriately with your DNS and LDAP. A possible alternative is to simply create a self-generated certificate somewhere, then configure it appropriately as authoritative for your LDAP Domain and distribute it internally using any method I described earlier.

Probably the reason why you intend to implement TLS should guide you as to whether a simple or a more complex/secure setup is required for your situation. If used publicly, then you need stronger security. If private, you may not need TLS, or you can simply store the file in something like a network share.

And, don’t forget to back up your certificate(s) and store them in an offline repository (e.g. a thumbdrive); it’s everything when recovering from a catastrophe… It could be bad if one day you lose your online certificates, have no backup, and are then forced to hack your machines to gain any kind of access, especially if you configure Domain authentication for all file access.
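As an added illustration of the “file transfer, then a certificate utility like OpenSSL” route described above (this is example code written for this thread, not anything from the OpenLDAP project or from the poster), the script below fetches the certificate chain the LDAP server presents on its TLS port, keeps the last certificate (the server’s own certificate when it is self-signed, otherwise the issuing CA), refuses to trust it unless its SHA-256 fingerprint matches one obtained out of band from whoever administers the server, and then points the OpenLDAP client at it. The hostname, port 636, the `/etc/ssl/certs` location and the `/etc/openldap/ldap.conf` path are assumptions; adjust them to the client in question.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes an ldaps listener on
# port 636 and a CA fingerprint obtained out of band; all paths are assumptions.
set -eu

# fetch_server_chain HOST PORT OUTFILE: save every PEM block the server sends.
fetch_server_chain() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$3"
}

# last_cert CHAINFILE OUTFILE: keep only the final PEM block of a chain,
# i.e. the issuer/CA when the server sends one, or the self-signed cert itself.
last_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ {buf=""}
         {buf = buf $0 "\n"}
         /-----END CERTIFICATE-----/ {last=buf}
         END {printf "%s", last}' "$1" > "$2"
}

# cert_fingerprint PEMFILE: print the SHA-256 fingerprint (AA:BB:...) of the cert.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# fingerprint_matches PEMFILE EXPECTED: exit 0 only if the fingerprint matches
# the value obtained out of band (compared case-insensitively).
fingerprint_matches() {
    actual=$(cert_fingerprint "$1" | tr 'a-f' 'A-F')
    expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ "$actual" = "$expected" ]
}

# install_ca PEMFILE CACERT_PATH LDAP_CONF: copy the verified cert into place
# and set a single TLS_CACERT line in the OpenLDAP client configuration.
install_ca() {
    cp "$1" "$2"
    chmod 644 "$2"
    # Drop any existing TLS_CACERT line, then append the new one (no sed -i).
    { [ -f "$3" ] && grep -v '^TLS_CACERT' "$3" || true; } > "$3.tmp"
    printf 'TLS_CACERT %s\n' "$2" >> "$3.tmp"
    mv "$3.tmp" "$3"
}

# Usage on the client (as root), with EXPECTED_FP supplied out of band:
#   fetch_server_chain ldap.example.internal 636 /tmp/chain.pem
#   last_cert /tmp/chain.pem /tmp/ca.pem
#   fingerprint_matches /tmp/ca.pem "$EXPECTED_FP" || { echo "fingerprint mismatch"; exit 1; }
#   install_ca /tmp/ca.pem /etc/ssl/certs/ldap-ca.pem /etc/openldap/ldap.conf
```

After `install_ca`, a `ldapsearch -ZZ` against the server should succeed only when the presented chain validates against the installed certificate, which is the check that tells you the fingerprint step actually protected you.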


Many thanks