SECURITY ISSUES

LDAP used without secure connections (SSL/TLS) is extremely dangerous.
Why? Because passwords get shuffled around the network in clear text.

* What needs to have SSL support

EVERYTHING.  You need the OpenSSL libraries, the Cyrus SASL libraries,
the OpenLDAP libraries or Netscape SDK libraries with SSL support
compiled in, the NSS and PAM libraries with SSL support compiled in,
and of course a server serving the LDAPS protocol (run netstat -tln
and check for a socket listening on port 636, the ldaps port).

Use Netscape's address book to check for LDAPS support: create an
address book entry with your server's hostname and tick the secure
connection check box.  Now try to search on it.  If it fails, you
don't have it, so back to the compile table.

You may also need to enable it in the /etc/rc.d/init.d/ldap init
script: change the line that says "daemon slapd" to
"daemon slapd -h ldaps://".

Note that there seems to be a bug in slapd as of OpenLDAP 2.0.7 that
allows it to listen on only ONE protocol, either LDAPS or LDAP.  Don't
pay attention to the man pages.

You wouldn't want your passwords flying around in the clear!

* Servers that support secure connections

OpenLDAP v1 does not support secure connections, so if you're using
it, upgrade to v2 or to iPlanet Directory Server.

Once you're sure that your server supports secure connections,
configure /etc/ldap.conf (the PAM/NSS client configuration file)
to use version 3 of the protocol (ldap_version 3) and secure connections
(ssl yes).
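The two checks the notes above ask for (a server actually listening on
the ldaps port, and a client /etc/ldap.conf that asks for protocol
version 3 and SSL) can be scripted.  The script below is an added
example, not part of these notes or of the nss_ldap/pam_ldap package;
the netstat listings and ldap.conf files it audits are constructed
samples written to a temporary directory, and port 636 is the standard
ldaps port.  The "weak" config shows the cleartext setup, the "secure"
one the configuration the paragraph above recommends.

```sh
#!/bin/sh
# Added example: audit LDAPS server listener and PAM/NSS ldap.conf.
# Sample data below is constructed; replace the file arguments with
# "netstat -tln" output and the real /etc/ldap.conf on a live host.

SAMPLE_DIR=$(mktemp -d)

# Constructed "netstat -tln" output: slapd serving cleartext LDAP only.
cat > "$SAMPLE_DIR/netstat.plain" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
EOF

# Constructed output after starting "slapd -h ldaps://": port 636 is up.
cat > "$SAMPLE_DIR/netstat.ldaps" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
EOF

# Constructed /etc/ldap.conf, weak: protocol v2, ssl commented out.
cat > "$SAMPLE_DIR/ldap.conf.weak" <<'EOF'
host ldap.example.com
base dc=example,dc=com
ldap_version 2
# ssl yes
EOF

# Constructed /etc/ldap.conf, as the notes recommend.
cat > "$SAMPLE_DIR/ldap.conf.secure" <<'EOF'
host ldap.example.com
base dc=example,dc=com
ldap_version 3
ssl yes
EOF

# ldaps_listener_present FILE: FILE holds "netstat -tln" output.
# Succeeds when a tcp/tcp6 socket is in LISTEN state on port 636.
ldaps_listener_present() {
    awk '$1 ~ /^tcp/ && $4 ~ /:636$/ && $6 == "LISTEN" { found = 1 }
         END { exit !found }' "$1"
}

# ldap_conf_setting FILE KEY: print KEY's value from a ldap.conf-style
# file ("keyword value" per line).  Comment lines never match because
# their first field starts with "#".  The last occurrence wins.
ldap_conf_setting() {
    awk -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}

# ldap_conf_is_secure FILE: both settings the notes require must be set.
ldap_conf_is_secure() {
    [ "$(ldap_conf_setting "$1" ldap_version)" = "3" ] &&
    [ "$(ldap_conf_setting "$1" ssl)" = "yes" ]
}

# audit NETSTAT_FILE LDAP_CONF: report each check; succeed only if both pass.
audit() {
    rc=0
    if ldaps_listener_present "$1"; then
        echo "server: ldaps listener on port 636: ok"
    else
        echo "server: no ldaps listener on port 636 (is slapd run with -h ldaps://?)"
        rc=1
    fi
    if ldap_conf_is_secure "$2"; then
        echo "client: ldap.conf requests ldap_version 3 and ssl yes: ok"
    else
        echo "client: ldap.conf lacks 'ldap_version 3' and/or 'ssl yes'"
        rc=1
    fi
    return $rc
}

echo "== cleartext setup =="
audit "$SAMPLE_DIR/netstat.plain" "$SAMPLE_DIR/ldap.conf.weak" || true
echo "== secured setup =="
audit "$SAMPLE_DIR/netstat.ldaps" "$SAMPLE_DIR/ldap.conf.secure"
```

On a real host, feed it "netstat -tln > /tmp/ns.txt" and the live
/etc/ldap.conf; a failing server check means slapd is not serving
LDAPS, a failing client check means nss_ldap/pam_ldap will still bind
in the clear even if the server could do better.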

Meanwhile, don't even think about using LDAP!
