editing the script itself. Usage details are available in the
docstring.
+SSL/TLS
+-------
+
+It took me a bit of work to get [SSL/TLS][] working with my
+[[GnuTLS]]-linked OpenLDAP. First, you'll probably need to generate
+new SSL/TLS keys (`/etc/openldap/ssl/*`) with [certtool][] (see
+[[X.509_certificates]]). Then add the following lines to
+`/etc/openldap/slapd.conf`:
+
+ TLSCipherSuite NORMAL
+ TLSCACertificateFile /etc/openldap/ssl/ca.crt
+ TLSCertificateFile /etc/openldap/ssl/ldap.crt
+ TLSCertificateKeyFile /etc/openldap/ssl/ldap.key
+ TLSVerifyClient never
+
+Where `ca.crt`, `ldap.crt`, and `ldap.key` are your new CA,
+certificate, and private key. If you want to disable unencrypted
+connections completely, remove the `ldap://` entry from your `slapd`
+command line by editing (on Gentoo) `/etc/conf.d/slapd` so it has
+
+ OPTS="-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
+
+Now you should be able to restart `slapd` so it will use the new
+configuration.
+
+Have clients running on your server use the local socket by editing
+`/etc/openldap/ldap.conf` to set:
+
+ URI ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock
+
+Test your server setup by running (on the server)
+
+ $ ldapsearch -x -b '' -s base '(objectclass=*)'
+
+Copy your CA over to any client machines (I put it in
+`/etc/openldap/ssl/ldapserver.crt`), and set them up with the
+following two lines in `/etc/openldap/ldap.conf`:
+
+ URI ldaps://ldapserver.example.com
+ TLS_CACERT /etc/openldap/ssl/ldapserver.crt
+
+Test your client setup by running (on the client)
+
+ $ ldapsearch -x -b '' -s base '(objectclass=*)'
+
+You can configure `shelldap` with the following lines in
+`~/.shelldap.rc`:
+
+ server: ldaps://ldapserver.example.com
+ tls: yes
+ tls_cacert: /etc/openldap/ssl/ldapserver.crt
+
+You can configure `mutt-ldap.py` with the following lines in
+`~/.mutt-ldap.rc`:
+
+ port = 636
+ ssl = yes
+
References
----------
[rfc4512]: http://tools.ietf.org/html/rfc4512
[shelldap]: http://projects.martini.nu/shelldap/
[mutts]: http://wiki.mutt.org/?QueryCommand
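Review bot: the server-side check `$ ldapsearch -x -b '' -s base '(objectclass=*)'` runs over the local socket configured just above it (`URI ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock` in `/etc/openldap/ldap.conf`), so it proves slapd is up but never touches the `ldaps://` listener or the `TLS*` directives; adding `-H ldaps://ldapserver.example.com` to that test would make a bad certificate, key or CA fail on the server before any client is reconfigured. Three smaller points on the same lines: the file copied to clients is the CA certificate (`ca.crt`), so naming it `/etc/openldap/ssl/ldapserver.crt` invites confusion with the server's own `ldap.crt`, and a name like `ldap-ca.crt` would read better; the `~/.mutt-ldap.rc` fragment sets `port = 636` and `ssl = yes` but, unlike the `shelldap` one, gives no CA path, so the text should say whether `mutt-ldap.py` verifies the server certificate and where it looks for the CA; and `TLSCipherSuite NORMAL` is GnuTLS priority-string syntax, which is consistent with the GnuTLS-linked build described but would be rejected by an OpenSSL-linked slapd, which is worth stating next to it. It would also help to say that `ldap.key` must be owned by and readable only by the slapd user (mode 0600), and that dropping `ldap://` from `OPTS` removes StartTLS on 389 as well as cleartext, which is a deliberate trade-off the text should name.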
+[SSL/TLS]: http://en.wikipedia.org/wiki/Transport_Layer_Security
+[certtool]:http://www.gnu.org/software/gnutls/manual/html_node/Invoking-certtool.html#Invoking-certtool
[schema]: http://www.oreillynet.com/pub/a/sysadmin/2006/11/09/demystifying-ldap-data.html
+
+[[!tag tags/linux]]
+[[!tag tags/tools]]