On 19-11-2013 13:09, Predrag Punosevac wrote:
> This is not an OpenBSD question but when it comes to competency this
> group is second to none so I am asking here for help.
>
> I am trying to secure my LDAP server (stack OpenBSD ldapd) using the
> starttls method. Since I recently dealt quite a bit with OpenVPN, it
> occurred to me that easy-rsa could be used to generate certificates for
> LDAP. Could somebody please confirm this?
>
> P.S. I have read man starttls and have no problem following it.
> Predrag,
In short, openvpn's easy-rsa can indeed generate the certs.

Now, elaborating: to securely use your server, you will have to distribute the CA certificate across all your ldap clients and make sure they're using it to validate the cert your ldap server presents. Better yet, generate SSL client certs and use them to communicate with the server, so you can have the same level of security that openvpn has between servers and clients (the only thing you won't have is the hmac firewall). The easy-rsa scripts provide a full PKI and I did use its certs for other uses than openvpn itself.

Regards,
-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC
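A worked version of the setup described in the reply, added here as an example and not taken from the thread: easy-rsa v3 commands to build the CA, a server cert for ldapd and an optional client cert, plus the config that makes clients actually validate the server against that CA. The hostname, the location of the easyrsa script and the install paths are assumptions (easy-rsa v2 users would run build-ca, build-key-server and build-key instead).

```shell
#!/bin/sh
# Added example (not the thread's own commands). Assumed: easy-rsa v3
# checked out in the current directory, LDAP server name ldap.example.com.
set -eu

EASYRSA=${EASYRSA:-./easyrsa}              # assumed path to easy-rsa v3 wrapper
LDAP_HOST=${LDAP_HOST:-ldap.example.com}   # assumed name; clients must connect with it

# 1. Build the PKI. Keep pki/private/ca.key off the LDAP server itself:
#    only the CA certificate (pki/ca.crt) is ever distributed to clients.
build_pki() {
    "$EASYRSA" init-pki
    "$EASYRSA" build-ca nopass
    # The server cert's CN must equal the hostname clients use, otherwise
    # hostname validation on the client side fails.
    "$EASYRSA" build-server-full "$LDAP_HOST" nopass
    # Optional: a client cert, for deployments where the server verifies clients.
    "$EASYRSA" build-client-full client1 nopass
}

# 2. Install the server pair where ldapd(8) loads certificates from
#    (/etc/ldap/certs/<name>.crt and <name>.key), then reference <name>
#    in ldapd.conf:   listen on em0 tls certificate "ldap"
#    ("tls" is STARTTLS on 389; "ldaps" would be the dedicated 636 port.)
install_server_cert() {
    install -d -m 700 /etc/ldap/certs
    install -m 644 "pki/issued/$LDAP_HOST.crt" /etc/ldap/certs/ldap.crt
    install -m 600 "pki/private/$LDAP_HOST.key" /etc/ldap/certs/ldap.key
}

# 3. Client side (OpenLDAP ldap.conf syntax). TLS_REQCERT demand is the
#    setting that turns "we have a CA cert" into "we refuse unvalidated
#    servers"; the default of never/allow in some setups silently skips it.
#    Pass a client cert and key as $2/$3 for mutual TLS.
client_ldap_conf() {
    cacert=$1; cert=${2:-}; key=${3:-}
    printf 'URI ldap://%s\n' "$LDAP_HOST"
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$cacert"
    if [ -n "$cert" ]; then
        printf 'TLS_CERT %s\nTLS_KEY %s\n' "$cert" "$key"
    fi
}
```

Run build_pki once on the PKI host, install_server_cert on the LDAP server, and write the output of client_ldap_conf /etc/ssl/ca.crt to each client's ldap.conf after copying only pki/ca.crt there.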