Which three statements are true about the configuration of OpenLDAP secure encrypted connections?

A.
TLS and ldaps should not both be selected.

B.
To enable idaps, you must download the Certifying Authority (CA) Certificate.

C.
To enable TLS, you must download the Certifying Authority (CA) Certificate.

D.
The certificate is needed to verify ownership of the secret key used for encryption.

E.
There is a command-line alternative to the Authentication Configuration Tool to enable the
encrypted LDAP communication.

Explanation:
Transport Layer Security (TLS) can be used to provide data integrity and confidentiality protection. OpenLDAP supports negotiation of TLS (SSL) via both StartTLS and ldaps://.
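
The explanation names two ways of getting an encrypted session: ldaps://, where the TLS handshake happens before any LDAP traffic (port 636 by default), and StartTLS, where a plain connection on port 389 is upgraded in-band. The following is an added example, not code from the original page or from the OpenLDAP project: a small client-side consistency check that maps a server URL plus the "use TLS" setting to the transport actually in use, flags the combinations a reviewer would reject (both ldaps and StartTLS selected, a cleartext connection, an encrypted connection with no CA certificate to verify the server), and emits the matching OpenLDAP ldap.conf options. The hostnames and certificate paths are constructed placeholders, and nothing here touches the network.

```python
# Added example, not code from the original page or from OpenLDAP.
# Classifies an LDAP client configuration by transport and reports
# inconsistencies.  All inputs are constructed; no network access.
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Well-known default ports: 389 for ldap:// (optionally upgraded with the
# StartTLS extended operation, OID 1.3.6.1.4.1.1466.20037), 636 for ldaps://.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass
class LdapClientConfig:
    uri: str                      # server URL, as given to authconfig --ldapserver
    use_starttls: bool            # the "Use TLS to encrypt connections" setting
    ca_cert_path: Optional[str]   # where the downloaded CA certificate was stored


def parse_ldap_uri(uri: str) -> Tuple[str, str, int]:
    """Split an LDAP URI into (scheme, host, port), applying the scheme's default port."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {scheme!r}; expected ldap or ldaps")
    if not parts.hostname:
        raise ValueError("missing host in LDAP URI")
    return scheme, parts.hostname, parts.port or DEFAULT_PORTS[scheme]


def transport_for(cfg: LdapClientConfig) -> str:
    """Name the transport the client would actually use: 'ldaps', 'starttls' or 'plain'."""
    scheme, _, _ = parse_ldap_uri(cfg.uri)
    if scheme == "ldaps":
        return "ldaps"
    return "starttls" if cfg.use_starttls else "plain"


def validate(cfg: LdapClientConfig) -> List[str]:
    """Return the problems a reviewer would flag; an empty list means the config is consistent."""
    problems: List[str] = []
    scheme, _, port = parse_ldap_uri(cfg.uri)
    if scheme == "ldaps" and cfg.use_starttls:
        problems.append("ldaps URI already encrypts the session; do not also enable StartTLS")
    if scheme == "ldaps" and port == 389:
        problems.append("ldaps on port 389 is unusual; the implicit-TLS port is 636")
    if transport_for(cfg) == "plain":
        problems.append("connection is cleartext; use ldaps:// or enable StartTLS")
    elif not cfg.ca_cert_path:
        # Encryption without a trusted CA gives confidentiality against passive
        # observers only; the server's identity cannot be verified.
        problems.append("no CA certificate configured; server certificate cannot be verified")
    return problems


def render_ldap_conf(cfg: LdapClientConfig) -> str:
    """Emit the OpenLDAP client (ldap.conf) options matching the validated config."""
    lines = [f"URI {cfg.uri}"]
    if cfg.ca_cert_path:
        lines.append(f"TLS_CACERT {cfg.ca_cert_path}")
        lines.append("TLS_REQCERT demand")  # reject servers whose certificate fails verification
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample configurations (hostname and path are placeholders).
    samples = [
        LdapClientConfig("ldap://ldap.mydom.com:389", True, "/etc/openldap/cacerts/CAcert.pem"),
        LdapClientConfig("ldaps://ldap.mydom.com", True, "/etc/openldap/cacerts/CAcert.pem"),
        LdapClientConfig("ldap://ldap.mydom.com", False, None),
    ]
    for sample in samples:
        print(sample.uri, transport_for(sample), validate(sample) or "ok")
        print(render_ldap_conf(sample))
```

`TLS_REQCERT demand` is the OpenLDAP client setting that makes a failed certificate check fatal; without a CA file the client has nothing to check against, which is why the downloaded CA certificate (option B/C in the question) is a prerequisite for either transport rather than a nicety.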

Answer: B, C and E.

Reason:

Not A, because ldaps refers to “LDAP over TLS/SSL” or “LDAP Secured”. If TLS in this context refers to StartTLS, then apparently, once initiated, there is no difference between ldaps:// and StartTLS.
http://www.openldap.org/faq/data/cache/185.html

B and C: If you configure LDAP to use Transport Layer Security (TLS) or Secure Sockets Layer (SSL) to secure
the connection to the LDAP server, you need a public certificate that clients can download. You can
obtain certificates from a Certification Authority (CA) or you can use the openssl command to create the
certificate.

Not D, because a digital certificate certifies the ownership of a public key by the named subject of the certificate.
https://en.wikipedia.org/wiki/Certificate_authority

E: The command-line utility is authconfig.
# authconfig --enableldap --enableldapauth \
--ldapserver=ldap://ldap.mydom.com:389 \
--ldapbasedn="ou=people,dc=mydom,dc=com" \
--enableldaptls \
--ldaploadcacert=https://ca-server.mydom.com/CAcert.pem \
--update

Efrem

Efrem

Answer: A, C and E.

A is correct because the Oracle Linux System Administration manual from class says:
Do not select "Use TLS to encrypt connections" if the server URL uses a secure protocol (ldaps).

B is not correct because the question says, "To enable idaps". Not ldap.