Re: TLS for dummies

fedora-directory-users-request at redhat.com wrote:
> Date: Fri, 09 Dec 2005 12:05:18 -0700
> From: Craig White <craigwhite at azapple.com>
>
> Just basic stuff...I promise I have been through the wiki and the
> Administrator's guide (managing SSL and SASL) several times.
>
> Using openssl generated CA certificate and used that to sign CSR's from
> console application and loaded them all into console application. Have
> restarted FDS and it seems to be happy - but just to confirm...
>
>
>
> MY PROBLEM
> # ldapsearch -ZZ '(uid=jim)'
> ldap_start_tls: Connect error (-11)
>         additional info: Start TLS request accepted.Server willing to
> negotiate SSL.
>
> # tail -n4 /opt/fedora-ds/slapd-srv1/logs/access
> [09/Dec/2005:11:55:26 -0700] conn=83 op=5 fd=68 closed - U1
> [09/Dec/2005:12:00:58 -0700] conn=84 fd=68 slot=68 connection from
> 127.0.0.1 to 127.0.0.1
> [09/Dec/2005:12:00:58 -0700] conn=84 op=0 EXT
> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [09/Dec/2005:12:00:58 -0700] conn=84 op=0 RESULT err=0 tag=120
> nentries=0 etime=0
> [09/Dec/2005:12:00:58 -0700] conn=84 op=-1 fd=68 closed - Encountered
> end of file.
>
> # tail -n 7 /etc/openldap/ldap.conf
> URI     ldap://srv1.clsurvey.com
> HOST    srv1.clsurvey.com
> BASE dc=clsurvey,dc=com
> TLS_CACERTDIR /etc/ssl
> TLS_CACERT server.crt
> pam_password md5
> TLS_REQCERT allow
>
> My thinking is that this somehow has something to do with the TLS_CACERT
> in /etc/openldap/ldap.conf (the certificate for the client).
>   

Please re-read http://www.openldap.org/doc/admin23/tls.html; it's quite 
clear about how to configure the CA cert.
Note that "pam_password" is not an OpenLDAP config keyword.
> Would this be the issue?
>
> Is there a better method for creating the client certificate from either
> the CA certificate (generated by openssl) or from the FDS Server
> Certificate (also generated by openssl)?
>   

Only CA certs may be used to generate other certs. The server cert is 
just that, nothing more.

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
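To make the configuration problems Howard points at concrete, here is an added example (mine, not OpenLDAP's or the list's code) that lints a constructed copy of the quoted ldap.conf: it flags a keyword that ldap.conf(5) does not define (pam_password, which belongs to pam_ldap/nss_ldap), a TLS_CACERT that is not an absolute path to the CA certificate, and a TLS_REQCERT value that skips server verification. The keyword set is assumed from ldap.conf(5) and is not exhaustive.

```python
import os

# Client keywords from ldap.conf(5) (assumed, not exhaustive); anything else is not read by libldap
KNOWN_KEYWORDS = {
    "URI", "HOST", "PORT", "BASE", "BINDDN", "DEREF", "REFERRALS",
    "SIZELIMIT", "TIMELIMIT", "TIMEOUT", "NETWORK_TIMEOUT",
    "TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT", "TLS_KEY", "TLS_REQCERT",
    "TLS_CIPHER_SUITE", "TLS_RANDFILE", "TLS_CRLCHECK",
    "SASL_MECH", "SASL_REALM", "SASL_AUTHCID", "SASL_AUTHZID", "SASL_SECPROPS",
}

def parse_ldap_conf(text):
    """Yield (keyword, value) pairs; keywords are case-insensitive, '#' starts a comment."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")

def lint_ldap_conf(text):
    """Return a list of findings for the TLS client-config mistakes seen in the thread above."""
    findings = []
    for key, value in parse_ldap_conf(text):
        if key not in KNOWN_KEYWORDS:
            # e.g. pam_password is a pam_ldap/nss_ldap option, not an OpenLDAP one
            findings.append(f"{key}: not an OpenLDAP ldap.conf keyword, libldap ignores it")
        elif key == "TLS_CACERT" and not os.path.isabs(value):
            # libldap hands TLS_CACERT to the TLS library as-is; give the full path to the CA cert
            findings.append(f"TLS_CACERT: '{value}' is not an absolute path to the CA certificate")
        elif key == "TLS_REQCERT" and value.lower() in ("never", "allow"):
            findings.append(f"TLS_REQCERT {value}: server certificate is not verified, use 'demand'")
    return findings

# Constructed sample mirroring the client config quoted in the thread
SAMPLE_CONF = """\
URI     ldap://srv1.clsurvey.com
HOST    srv1.clsurvey.com
BASE dc=clsurvey,dc=com
TLS_CACERTDIR /etc/ssl
TLS_CACERT server.crt
pam_password md5
TLS_REQCERT allow
"""

if __name__ == "__main__":
    for finding in lint_ldap_conf(SAMPLE_CONF):
        print(finding)
```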