J Davis wrote: > Hello, > > I have FDS 1.0.4 running using an SSL certificate generated by an > Microsoft windows 2003 CA server. > I choose this method as opposed to the setupssl.sh script from the > wiki because I have read in the list archives that it is the best way > to avoid trust issues when setting up PassSync over SSL between FDS > and AD. I'm having a hard time finding references for configuring this > properly and I know very little about SSL certificates so I'm making > some guesses and likely missing a crucial step or two. > The problem is that when trying to bind to the FDS using SSL I get > certificate verification errors. > > > # ldapsearch -x -H ldaps://localhost/ > > ldap_bind: Can't contact LDAP server (-1) > > additional info: error:14090086:SSL > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed /usr/bin/ldapsearch is OpenLDAP ldapsearch. Did you follow these steps to tell it where to find the CA cert? http://directory.fedoraproject.org/wiki/Howto:SSL#Configure_LDAP_clients > > Here's how I set up the certificates... > 1. Generated a CSR using the FDS console wizard and submitted it to > the MS CA. > 2. Imported the CA certificate (called "it") and the signed > "server-cert" resulting from step 1 from the MS CA using the FDS admin > console. > 3. Enabled SSL (port 636) in the directory server using server-cert > from step 1. Where you restarted the directory server, did it say it was listening for LDAPS requests on port 636 in the error log? > > I used certutil to display the list of certificates in the FDS cert db. > > [alias]# ../shared/bin/certutil -L -d . -P slapd-<instance>- > > server-cert u,u,u > > it CT,, > > Then verified that "server-cert" was considered valid. > > [alias]# ../shared/bin/certutil -V -n server-cert -e -u V -d . -P > slapd-<instance>- > > Enter Password or Pin for "NSS Certificate DB": > > certutil-bin: certificate is valid > > I also verified that that I can connect using openssl client. > > # openssl s_client -connect localhost:636 -showcerts -CAfile > /path/to/it_ca.crt > --snip-- > > Verify return code: 0 (ok) > > --- > > Any hints as to what I might be doing wrong are greatly appreciated. > > Thanks, > -Jake > > > > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20070716/f7580f58/attachment.bin
