/usr/lib/ssl/misc/CA.sh -newca
Check that the Common Name of your certificate matches your LDAP server's domain name or hostname. This command creates a CA certificate; you will find it in the 'demoCA' directory.
Now, we generate a cert request and private key for the server, then sign it with the new CA::
openssl req -new -nodes -keyout newreq.pem -out newreq.pem
/usr/lib/ssl/misc/CA.sh -sign
Then copy the CA certificate, the signed server certificate (newcert.pem) and the private key (newreq.pem) into place, keeping the key readable only by its owner:
cp demoCA/cacert.pem /etc/ssl/certs/ldap.cert
mv newcert.pem /etc/ssl/certs/ldap.csr
mv newreq.pem /etc/ssl/certs/ldap.key
chmod 600 /etc/ssl/certs/ldap.key
Then add to your /etc/ldap/slapd.conf:
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCertificateFile /etc/ssl/certs/ldap.csr
TLSCertificateKeyFile /etc/ssl/certs/ldap.key
TLSCACertificateFile /etc/ssl/certs/ldap.cert
TLSVerifyClient allow
And this to /etc/ldap/ldap.conf:
TLS_CACERT /etc/ssl/certs/ldap.cert
TLS_REQCERT allow
-- from http://wiki.tryphon.org/Configure_OpenLDAP#Secure_LDAP
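A check for the files this procedure leaves behind, as an added example rather than anything from the wiki page or from OpenLDAP: it confirms that the signed server certificate chains to the CA certificate, that the key belongs to that certificate, that the Common Name equals the LDAP host name (the check the text asks for, applied to the server certificate), and that the key has the chmod 600 permissions. It assumes openssl is installed; the file paths and host name are arguments, and make_test_pki builds constructed throwaway data so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the wiki page or OpenLDAP itself: sanity-check the
# files the CA.sh procedure produced before pointing slapd at them.
# Assumes openssl and a POSIX sh; file names and the host name are arguments.
set -eu

# verify_ldap_tls CA_CERT SERVER_CERT SERVER_KEY LDAP_HOST
# Succeeds only if the server cert chains to the CA, the key belongs to that
# cert, the subject CN equals LDAP_HOST, and the key is not readable by others.
verify_ldap_tls() {
  ca="$1" cert="$2" key="$3" host="$4"
  # 1. The signed server certificate must validate against the CA certificate.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "server cert does not chain to $ca"; return 1; }
  # 2. Key and certificate must carry the same public key.
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "private key does not match server cert"; return 1; }
  # 3. The Common Name must be the host name clients connect to.
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$host" ] || { echo "CN is '$cn', expected '$host'"; return 1; }
  # 4. chmod 600 from the procedure: owner read/write only.
  [ "$(ls -l "$key" | cut -c1-10)" = "-rw-------" ] \
    || { echo "$key must be mode 600"; return 1; }
  return 0
}

# make_test_pki DIR HOST: builds a throwaway CA and a CA-signed server
# certificate under DIR, mirroring CA.sh -newca / -sign, so the check can be
# exercised offline. Constructed test data only.
make_test_pki() {
  dir="$1" host="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.cert" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/ldap.key" -out "$dir/ldap.req" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/ldap.req" -CA "$dir/ca.cert" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/ldap.crt" 2>/dev/null
  chmod 600 "$dir/ldap.key"
}

# Stand-alone run ("sh verify.sh demo"): build test data in a temp dir and check it.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_test_pki "$d" ldap.example.test
  verify_ldap_tls "$d/ca.cert" "$d/ldap.crt" "$d/ldap.key" ldap.example.test \
    && echo "OK: certificate, key and CN are consistent"
fi
```

Run it against the real files as `verify_ldap_tls /etc/ssl/certs/ldap.cert /etc/ssl/certs/ldap.csr /etc/ssl/certs/ldap.key <your ldap hostname>` after the copy step above; any failing check prints which of the four conditions was violated.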
----------------------
or try the instructions from http://wiki.osuosl.org/display/LNX/Openldap+and+Debian+Stable (does not quite seem to work), which are based on http://www.openldap.org/faq/data/cache/185.html
also check out http://www.modssl.org/docs/2.8/ssl_faq.html#cert-ownca