Thanks, Joshua. This is very helpful. -Jake On 7/16/07, Joshua M. Miller <joshua at itsecureadmin.com> wrote: > > Hi David, > > If you are using a self-signed certificate (ie, the CN on the CA cert is > the same domain as the CN on the LDAP cert) then OpenLDAP will reject > the certificate by default. > > You can see from the message that it found the certificate by the > message "certificate verify failed" in the error message. > > If you want to keep using this certificate, you can add the following > line to your /etc/openldap/ldap.conf: > > TLS_REQCERT never > > This will allow ldapsearch to function while ignoring this error. > > Please note the consequences of this action in the man page for ldap.conf. > > Good luck, > -- > Joshua M. Miller - RHCE,VCP > > > J Davis wrote: > > Hello, > > > > I have FDS 1.0.4 running using an SSL certificate generated by an > > Microsoft windows 2003 CA server. > > I choose this method as opposed to the setupssl.sh script from the wiki > > because I have read in the list archives that it is the best way to > > avoid trust issues when setting up PassSync over SSL between FDS and AD. > > I'm having a hard time finding references for configuring this properly > > and I know very little about SSL certificates so I'm making some guesses > > and likely missing a crucial step or two. > > The problem is that when trying to bind to the FDS using SSL I get > > certificate verification errors. > > > > > # ldapsearch -x -H ldaps://localhost/ > > > ldap_bind: Can't contact LDAP server (-1) > > > additional info: error:14090086:SSL > > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed > > > > Here's how I set up the certificates... > > 1. Generated a CSR using the FDS console wizard and submitted it to the > > MS CA. > > 2. Imported the CA certificate (called "it") and the signed > > "server-cert" resulting from step 1 from the MS CA using the FDS admin > > console. > > 3. Enabled SSL (port 636) in the directory server using server-cert from > > step 1. > > > > I used certutil to display the list of certificates in the FDS cert db. > > > [alias]# ../shared/bin/certutil -L -d . -P slapd-<instance>- > > > server-cert u,u,u > > > it CT,, > > > > Then verified that "server-cert" was considered valid. > > > [alias]# ../shared/bin/certutil -V -n server-cert -e -u V -d . -P > > slapd-<instance>- > > > Enter Password or Pin for "NSS Certificate DB": > > > certutil-bin: certificate is valid > > > > I also verified that that I can connect using openssl client. > > > # openssl s_client -connect localhost:636 -showcerts -CAfile > > /path/to/it_ca.crt > > --snip-- > > > Verify return code: 0 (ok) > > > --- > > > > Any hints as to what I might be doing wrong are greatly appreciated. > > > > Thanks, > > -Jake > > > > > > > > > > > > > > ------------------------------------------------------------------------ > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.fedoraproject.org/pipermail/389-users/attachments/20070716/6bb9a8bf/attachment.html
