Hello all,

I’m a newbie, learning how to install and configure my first LDAP server. Two of the options still confuse me: TSL/SSL and SSSD. Can someone please give me a quick rundown on what these are?

What is TSL/SSL? I guessed that it was a secure method of communication. And I know it has something to do with CA management. But that’s the end of my knowledge.

What is SSSD? From my web searches, I understand that it provides a common interface for all authorization requests to go to the LDAP server. And I gathered that it could be used to cache the user info so that someone could login to a laptop when not connected to the LDAP server.

Most importantly, how do these two go together with LDAP? Is it an either or option?


Ok. I think I have a basic idea. SSSD provides better management of the user authentication and its communication between the LDAP server and clients. Instead of manually transferring across individual file information, the SSSD service acts as a go-between. It provides faster caching than previous methods. And it provides offline authentication, based on cached information. This is the part I really care about. I also understand that the SSSD service requires TSL/SSL communication to work with LDAP.

I now understand that TSL/SSL provides encrypted communication between LDAP servers and clients. Encryption good, especially when dealing with user authentication. And I understand that TSL/SSL requires certificates, which is where CA management comes in. The exchange of certificates allows the client and server to establish that both are trustworthy sources before starting encrypted communication. They use a third-party Certificate Authority (CA) to verify this. And it happens that openSUSE provides the service to function as a certificate authority service. Great.

I have read up on the basic idea of how certificates work. That it is a hierarchy of trust, starting with the root certificate authority (CA). The root CA then creates other certificates, which are subordinate to it. These certificates are what the LDAP client and server use to verify trust. So can someone please give me a how-to step for using YAST to create certificates for LDAP. I see that under CA management, I can create server certificates and client certificates. Do I need one for my LDAP server and one for my LDAP client? What is the recipe here? And where does the common server certificate come in?

Thanks in advance.
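For readers following this thread, here is an added example (not from the original poster or from openSUSE's own documentation) of what the two pieces described above look like on the client side, in the form of an /etc/sssd/sssd.conf. It shows the setting that makes SSSD verify the LDAP server's certificate against the CA certificate and the setting that caches credentials for offline login. The hostname, base DN and the CA file path are assumptions; substitute the values for your own server and the CA certificate you exported from your CA.

```ini
# /etc/sssd/sssd.conf  (added example; hostname, DN and paths are assumed)
# SSSD refuses to start unless this file is owned by root with mode 0600.
[sssd]
config_file_version = 2
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

# LDAP over TLS on port 636.  Alternatively use ldap://host on 389 and set
# ldap_id_use_start_tls = True to upgrade the connection with STARTTLS.
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com

# The certificate of the CA that signed the LDAP server's certificate
# (assumed path; export it from your CA in PEM form).
ldap_tls_cacert = /etc/ssl/certs/example-ca.pem
# 'demand' makes the client refuse any server whose certificate does not
# verify against that CA.  'never' or 'allow' would accept a forged server.
ldap_tls_reqcert = demand

# Cache successful logins so the laptop can authenticate while it cannot
# reach the LDAP server; expire cached credentials after 7 days.
cache_credentials = True
offline_credentials_expiration = 7
entry_cache_timeout = 5400
```

Two points worth checking against this fragment: the hostname in ldap_uri has to match the name in the server certificate, otherwise verification fails with ldap_tls_reqcert = demand; and SSSD will not send a password over an unencrypted LDAP connection at all, so TLS is not optional here. The only switch that overrides that is ldap_auth_disable_tls_never_use_in_production, which does exactly what its name warns about.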

Can anyone give me a link at least. I’m searching through forum archives to find an answer on how to setup certificates. But if someone already knows where I can find that answer, I’d love a link. Thanks.

On 07/18/2012 01:46 AM, nickninevah wrote:
> Can anyone give me a link at least. I’m searching through forum
> archives to find an answer on how to setup certificates. But if someone
> already knows where I can find that answer, I’d love a link. Thanks.

first: i have never done what you are trying to do (set up LDAP with
TSL/SSL and SSSD) so, with that i offer only what i can:

second, what is TSL? Wikipedia doesn’t know! Google also doesn’t know!
but, both of those do know what TLS/SSL is, and i think spelling is
important to computers, because they can’t know what you meant to type…

so, these google searches turn up lots of guidance for you:

first, from the documents section of the SUSE/openSUSE universe:

then, from the openSUSE wiki:

and also, from the openSUSE forums:

and maybe least important from the mailing list archives:

and, not to forget that there could possibly/maybe be some mostly
authoritative and competent assistance outside of the SUSE/openSUSE
universe, let's look elsewhere also:

in those you will find multiple links to how-tos, guides, step-by-step
instructions, previous users’ questions and answers, problems &
solutions, etc…i think.

happy hunting…