Ldap + TLS

kloklo -  
Ronieee, 75 posts, Member -
Hello,

I'm trying to set up an LDAP + TLS server.

My problem is with TLS. With just my LDAP server I can authenticate users, but I can't get TLS working.

I don't understand why my config doesn't work.

Here are my config files:

slapd.conf, server side
# 
# See slapd.conf(5) for details on configuration options. 
# This file should NOT be world readable. 
# 

include  /etc/openldap/schema/freeradius.schema 
include  /etc/openldap/schema/corba.schema 
include  /etc/openldap/schema/core.schema 
include  /etc/openldap/schema/cosine.schema 
include  /etc/openldap/schema/duaconf.schema 
include  /etc/openldap/schema/dyngroup.schema 
include  /etc/openldap/schema/inetorgperson.schema 
include  /etc/openldap/schema/java.schema 
include  /etc/openldap/schema/misc.schema 
include  /etc/openldap/schema/nis.schema 
include  /etc/openldap/schema/openldap.schema 
include  /etc/openldap/schema/ppolicy.schema 
include  /etc/openldap/schema/collective.schema 

# Allow LDAPv2 client connections.  This is NOT the default. 
allow bind_v2 

# Do not enable referrals until AFTER you have a working directory 
# service AND an understanding of referrals. 
#referral ldap://root.openldap.org 

pidfile  /var/run/openldap/slapd.pid 
argsfile /var/run/openldap/slapd.args 

# Load dynamic backend modules: 
# modulepath /usr/lib/openldap # or /usr/lib64/openldap 
# moduleload accesslog.la 
# moduleload auditlog.la 
# moduleload back_sql.la 
# moduleload denyop.la 
# moduleload dyngroup.la 
# moduleload dynlist.la 
# moduleload lastmod.la 
# moduleload pcache.la 
# moduleload ppolicy.la 
# moduleload refint.la 
# moduleload retcode.la 
# moduleload rwm.la 
# moduleload syncprov.la 
# moduleload translucent.la 
# moduleload unique.la 
# moduleload valsort.la 

# The next three lines allow use of TLS for encrypting connections using a 
# dummy test certificate which you can generate by changing to 
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on 
# slapd.pem so that the ldap user or group can read it.  Your client software 
# may balk at self-signed certificates, however. 
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt 
TLSCertificateFile /etc/pki/tls/certs/slapd.pem 
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem 

#TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3 
#TLSCACertificateFile /etc/pki/tls/certs/server.pem 
#TLSCertificateFile /etc/pki/tls/certs/server.pem 
#TLSCertificateKeyFile /etc/ldap/private.pem 
#TLSVerifyClient never 

#TLSCipherSuite  HIGH:MEDIUM:+SSLv2:+SSLv3:RSA 
#TLSVerifyClient  allow 

# Sample security restrictions 
# Require integrity protection (prevent hijacking) 
# Require 112-bit (3DES or better) encryption for updates 
# Require 63-bit encryption for simple bind 
# security ssf=1 update_ssf=112 simple_bind=64 

# Sample access control policy: 
# Root DSE: allow anyone to read it 
# Subschema (sub)entry DSE: allow anyone to read it 
# Other DSEs: 
#  Allow self write access 
#  Allow authenticated users read access 
#  Allow anonymous users to authenticate 
# Directives needed to implement policy: 
# access to dn.base="" by * read 
# access to dn.base="cn=Subschema" by * read 
# access to * 
# by self write 
# by users read 
# by anonymous auth 
# 
# if no access controls are present, the default policy 
# allows anyone and everyone to read anything but restricts 
# updates to rootdn.  (e.g., "access to * by * read") 
# 
# rootdn can always read and write EVERYTHING! 

####################################################################### 
# ldbm and/or bdb database definitions 
####################################################################### 

database bdb 
suffix  "dc=example,dc=org" 
checkpoint 1024 15 
rootdn  "cn=Manager,dc=example,dc=org" 
# Cleartext passwords, especially for the rootdn, should 
# be avoided.  See slappasswd(8) and slapd.conf(5) for details. 
# Use of strong authentication encouraged. 
#rootpw  astrium 
rootpw  {SSHA}BSZ3iz45sm4liKdQXE2aoXpuXT88rFWa 

# The database directory MUST exist prior to running slapd AND  
# should only be accessible by the slapd and slap tools. 
# Mode 700 recommended. 
directory /var/lib/ldap 

# Indices to maintain for this database 
index objectClass                       eq,pres 
index ou,cn,mail,surname,givenname      eq,pres,sub 
index uidNumber,gidNumber,loginShell    eq,pres 
index uid,memberUid                     eq,pres,sub 
index nisMapName,nisMapEntry            eq,pres,sub 

# Replicas of this database 
#replogfile /var/lib/ldap/openldap-master-replog 
#replica host=ldap-1.example.com:389 starttls=critical 
#     bindmethod=sasl saslmech=GSSAPI 
#     authcId=host/ldap-master.example.com@EXAMPLE.COM 


# enable monitoring 
database monitor 

# allow only rootdn to read the monitor 
access to * 
        by dn.exact="cn=Manager,dc=astrium,dc=fr" read 
        by * none 


ldap.conf, server side

# 
# LDAP Defaults 
# 

# See ldap.conf(5) for details 
# This file should be world readable but not world writable. 

#BASE dc=example,dc=com 
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666 

#SIZELIMIT 12 
#TIMELIMIT 15 
#DEREF  never 
URI ldaps://127.0.0.1/ 
BASE dc=example,dc=org 
#TLS_CACERTDIR /etc/openldap/cacerts 
TLS_CACERT /etc/openldap/cacerts/ca.pem 



ldap.conf, client side
# 
# LDAP Defaults 
# 

# See ldap.conf(5) for details 
# This file should be world readable but not world writable. 

#BASE dc=example,dc=com 
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666 

#SIZELIMIT 12 
#TIMELIMIT 15 
#DEREF  never 
URI ldaps://192.168.0.2/ 
BASE dc=example,dc=org 
#TLS_CACERTDIR /etc/openldap/cacerts 
TLS_CACERT /etc/openldap/cacerts/ca.pem 



Could someone help me please?
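The script below is an added example from the editor, not part of the original post and not OpenLDAP's own tooling. It reproduces offline, with openssl(1), the two conditions the posted configuration has to satisfy before a client using ldaps://192.168.0.2/ with the default TLS_REQCERT demand will complete the handshake: the certificate half of slapd.pem must be what the client's TLS_CACERT (/etc/openldap/cacerts/ca.pem) trusts, and the certificate and key inside slapd.pem must belong together. The self-signed slapd.pem is built the way the "make slapd.pem" comment in slapd.conf describes; the "Unrelated Test CA" and the working directory are made up for the demonstration, and openssl >= 1.1.1 on PATH is assumed.

```shell
#!/bin/sh
# Added example (editor's, not from the original post or from OpenLDAP).
# Reproduces offline the two conditions a libldap client checks against a
# TLS-enabled slapd, using the file names from the post:
#   1. the server certificate must chain to something in the client's
#      TLS_CACERT (/etc/openldap/cacerts/ca.pem on the client side);
#   2. TLSCertificateFile and TLSCertificateKeyFile (both slapd.pem here)
#      must hold a certificate and a private key that belong together.
# Assumes openssl(1) >= 1.1.1 on PATH. The "Unrelated Test CA" and the
# working directory are made up for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Same result as the "make slapd.pem" comment in slapd.conf: a self-signed
# certificate and its key in one PEM file, readable only by slapd's user/group.
make_self_signed_slapd_pem() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=192.168.0.2" \
        -addext "subjectAltName=IP:192.168.0.2" \
        -keyout "$WORK/slapd.key" -out "$WORK/slapd.crt" >/dev/null 2>&1
    cat "$WORK/slapd.crt" "$WORK/slapd.key" > "$WORK/slapd.pem"
    chmod 0640 "$WORK/slapd.pem"
}

# A CA that never signed slapd.pem, standing in for a client ca.pem that was
# copied from somewhere else (or for the distribution's ca-bundle.crt).
make_unrelated_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Unrelated Test CA" \
        -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.pem" >/dev/null 2>&1
}

# Check 1: would a client whose TLS_CACERT is $1 accept the server cert?
# This is the trust decision libldap makes under TLS_REQCERT demand (default).
client_trusts_server() {
    openssl verify -CAfile "$1" "$WORK/slapd.crt" >/dev/null 2>&1
}

# Check 2: do the certificate and private key in slapd.pem match?
# Compares the RSA modulus of each half; openssl skips the PEM blocks it is
# not asked for, so both commands can read the combined file.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$WORK/slapd.pem" 2>/dev/null)
    k=$(openssl rsa -noout -modulus -in "$WORK/slapd.pem" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# What the client actually needs in /etc/openldap/cacerts/ca.pem for a
# self-signed slapd.pem: slapd's own certificate, and only the certificate.
export_ca_for_clients() {
    openssl x509 -in "$WORK/slapd.pem" -out "$WORK/ca.pem" 2>/dev/null
}

main() {
    make_self_signed_slapd_pem
    make_unrelated_ca
    if cert_matches_key; then
        echo "slapd.pem: certificate and key match"
    else
        echo "slapd.pem: certificate and key DO NOT match"
    fi
    if client_trusts_server "$WORK/other-ca.pem"; then
        echo "unexpected: unrelated ca.pem accepted slapd.pem"
    else
        echo "client with an unrelated ca.pem rejects slapd.pem (TLS handshake fails)"
    fi
    export_ca_for_clients
    if client_trusts_server "$WORK/ca.pem"; then
        echo "client with slapd's own certificate as ca.pem accepts it"
    fi
    echo "test files left in $WORK"
}

main
```

Run it as-is to see both outcomes. For the real setup, copy only the certificate half of slapd.pem (the `openssl x509 -in slapd.pem -out ca.pem` step) to /etc/openldap/cacerts/ca.pem on the client; the private key must never leave the server. The same two checks against the live server are `openssl s_client -connect 192.168.0.2:636 -CAfile /etc/openldap/cacerts/ca.pem` and `ldapwhoami -x -H ldaps://192.168.0.2/`, and `ldapsearch -d 1` prints the reason a TLS handshake failed. One thing a reader of the posted slapd.conf should also notice: the access directive under `database monitor` names cn=Manager,dc=astrium,dc=fr while the rootdn is cn=Manager,dc=example,dc=org; whichever is intended, the two should agree.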

1 reply

Ronieee, 75 posts, Member
 
Did you manage to find a solution to the problem?

I have the same error.