
This is the Title of the Book, eMatter Edition
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
226
|
Chapter 7: Using LDAP for Authentication
TLSCipherSuite specifies a list of OpenSSL ciphers from which slapd will choose
when negotiating TLS connections, in decreasing order of preference. To see which
ciphers are supported by your local OpenSSL installation, issue this command:
openssl ciphers -v ALL
In addition to those specific ciphers, you can use any of the wildcards supported by
OpenSSL, which allow you to specify multiple ciphers with a single word. For exam-
ple, in Example 7-4,
TLSCipherSuite is set to HIGH:MEDIUM:+SSLv2; as it happens, HIGH,
MEDIUM, and +SSLv2 are all wildcards.
HIGH means “all ciphers using key lengths greater than 128 bits”; MEDIUM is short for
“all ciphers using key lengths equal to 128 bits”’ and
+SSLv2 means “all ciphers speci-
fied in the SSL protocol, Version 2, regardless of key strength.” For a complete expla-
nation of OpenSSL ciphers, including all supported wildcards, see the ciphers(1)
manpage.
TLSCertificateFile and TLSCertificateKeyFile are more obvious: they specify the
paths to your certificate file and private-key file, respectively. If both certificate and
key are combined in a single file, you can specify the same path for both parameters
(but see my note on the previous page).
slapd Startup Options for TLS
Okay, we’ve done everything