Craig White wrote:
> Just basic stuff...I promise I have been through the wiki and the
> Administrator's guide (managing SSL and SASL) several times.
>
> Using openssl generated CA certificate and used that to sign CSR's from
> console application and loaded them all into console application. Have
> restarted FDS and it seems to be happy - but just to confirm...
>
> lifted from /opt/fedora-ds/slapd-srv1/logs/errors
> [09/Dec/2005:08:33:47 -0700] - Fedora-Directory/1.0.1 B2005.342.165 starting up
> [09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
> [09/Dec/2005:08:33:47 -0700] - Key for cipher AES successfully generated and stored
> [09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
> [09/Dec/2005:08:33:47 -0700] - Key for cipher 3DES successfully generated and stored
> [09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
> [09/Dec/2005:08:33:48 -0700] - Key for cipher AES successfully generated and stored
> [09/Dec/2005:08:33:48 -0700] - No symmetric key found for cipher 3DES in backend NetscapeRoot, attempting to create one...
> [09/Dec/2005:08:33:48 -0700] - Key for cipher 3DES successfully generated and stored
> [09/Dec/2005:08:33:48 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [09/Dec/2005:08:33:48 -0700] - Listening on All Interfaces port 636 for LDAPS requests
>
> MY PROBLEM
> # ldapsearch -ZZ '(uid=jim)'
> ldap_start_tls: Connect error (-11)
>         additional info: Start TLS request accepted.Server willing to negotiate SSL.
>

Looks like openldap and FDS are not responding to the startTLS operation
the same way. Try ldapsearch -v ... or ldapsearch -d 1 ...
> # tail -n4 /opt/fedora-ds/slapd-srv1/logs/access
> [09/Dec/2005:11:55:26 -0700] conn=83 op=5 fd=68 closed - U1
> [09/Dec/2005:12:00:58 -0700] conn=84 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
> [09/Dec/2005:12:00:58 -0700] conn=84 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [09/Dec/2005:12:00:58 -0700] conn=84 op=0 RESULT err=0 tag=120 nentries=0 etime=0
> [09/Dec/2005:12:00:58 -0700] conn=84 op=-1 fd=68 closed - Encountered end of file.
>
> # tail -n 7 /etc/openldap/ldap.conf
> URI ldap://srv1.clsurvey.com
> HOST srv1.clsurvey.com
> BASE dc=clsurvey,dc=com
> TLS_CACERTDIR /etc/ssl
> TLS_CACERT server.crt
> pam_password md5
> TLS_REQCERT allow
>
> My thinking is that this somehow has something to do with the TLS_CACERT
> in /etc/openldap/ldap.conf (the certificate for the client).
>
> Would this be the issue?
>
> Is there a better method for creating the client certificate from either
> the CA certificate (generated by openssl) or from the FDS Server
> Certificate (also generated by openssl)?
>
> Craig
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
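One way to read the quoted access-log excerpt mechanically, as an added example that is not from the thread or from the Fedora DS project: group operations by conn and flag connections where the server accepted startTLS (err=0) but the client dropped the socket before sending any further operation, which is a client-side handshake failure (consistent with Craig's suspicion about TLS_CACERT) rather than a server refusal. The log lines are constructed in Fedora DS / 389-ds access-log format; conn=85 is invented for contrast.

```python
import re
from collections import defaultdict

# Constructed sample (not the thread's own excerpt, though conn=84 mirrors it):
# the server accepts startTLS, then the client closes with no further op.
# conn=85 is a healthy StartTLS session for contrast.
SAMPLE_ACCESS_LOG = """\
[09/Dec/2005:11:55:26 -0700] conn=83 op=5 fd=68 closed - U1
[09/Dec/2005:12:00:58 -0700] conn=84 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
[09/Dec/2005:12:00:58 -0700] conn=84 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[09/Dec/2005:12:00:58 -0700] conn=84 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[09/Dec/2005:12:00:58 -0700] conn=84 op=-1 fd=68 closed - Encountered end of file.
[09/Dec/2005:12:05:10 -0700] conn=85 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[09/Dec/2005:12:05:10 -0700] conn=85 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[09/Dec/2005:12:05:11 -0700] conn=85 op=1 SRCH base="dc=clsurvey,dc=com" scope=2 filter="(uid=jim)" attrs=ALL
[09/Dec/2005:12:05:11 -0700] conn=85 op=2 UNBIND
[09/Dec/2005:12:05:11 -0700] conn=85 op=2 fd=69 closed - U1
"""

# Matches operation lines only; "connection from ..." lines have no op= and are skipped.
OP_LINE = re.compile(r'^\[[^\]]+\] conn=(\d+) op=(-?\d+) (\S+)(.*)$')
STARTTLS_OID = '1.3.6.1.4.1.1466.20037'

def classify_starttls(log_text):
    # Verdict per connection that requested StartTLS: 'server-refused:<err>'
    # (non-zero RESULT for the EXT op), 'client-abort' (accepted, then EOF with
    # no further op: TLS handshake failed on the client), or 'ok'.
    conns = defaultdict(lambda: {'tls_op': None, 'err': None, 'later': 0, 'close': ''})
    for m in filter(None, map(OP_LINE.match, log_text.splitlines())):
        st = conns[m.group(1)]
        op, kind, rest = int(m.group(2)), m.group(3), m.group(4)
        if kind == 'EXT' and STARTTLS_OID in rest:
            st['tls_op'] = op
        elif kind == 'RESULT' and op == st['tls_op'] and st['err'] is None:
            st['err'] = int(re.search(r'err=(\d+)', rest).group(1))
        elif st['tls_op'] is not None and op > st['tls_op']:
            st['later'] += 1  # any op after StartTLS means TLS came up
        if 'closed - ' in rest:
            st['close'] = rest.split('closed - ', 1)[1]
    verdicts = {}
    for conn, st in conns.items():
        if st['tls_op'] is None:
            continue  # connection never asked for StartTLS
        if st['err'] not in (None, 0):
            verdicts[conn] = 'server-refused:%d' % st['err']
        elif st['later'] == 0 and st['close'].startswith('Encountered end of file'):
            verdicts[conn] = 'client-abort'
        else:
            verdicts[conn] = 'ok'
    return verdicts
```

A 'client-abort' verdict means the server did its part, so the next place to look is the client's trust store, as ldapsearch -d 1 would also show.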