Re: tls_checkpeer yes problems


 



On Thu, 2009-02-05 at 16:12 +0100, Thorsten Scherf wrote:
> On [Thu, 29.01.2009 13:32], John A. Sullivan III wrote:
> >Hello, all.  This may be a bit off-topic as it is primarily an ldap
> >client issue but I am having a bear of a time getting my test centos
> >clients to access fds.  The problem is tls_checkpeer.  I do want it set
> >to yes but this breaks access.  It is as if the directory server's cert
> >cannot be validated against the CA cert.  Here are the pertinent
> >settings from my centos client ldap.conf (as you can see, I've tried
> >many combinations):
> >
> >uri ldap://ldap.mycompany.com/
> >#host ldap.mycompany.com
> >#ssl on
> >ssl start_tls
> >#tls_cacertdir /etc/pki/tls/certs
> >tls_cacertfile /etc/pki/tls/certs/SSICA.pem
> >pam_password md5
> >tls_checkpeer yes
> >tls_ciphers TLSv1
> >
> >An strace shows that the SSICA.pem file is opened.  Apparently, this is
> >a problem in Ubuntu because of a change to gnutls.  However, I can
> >confirm the combination of uri ldap://, ssl start_tls, and tls_certfile
> >rather than tls_certdir work on Ubuntu.  My problem is redhat style
> >systems.
> >
> >Our test bed is CentOS 5.2.  Does anyone have this working on newer
> >redhat based systems? If so, with what configuration? Thanks - John
> 
> gnutls has a bug in some Ubuntu versions. This prevents correct
> certificate validation. See here:
> 
> https://bugs.launchpad.net/ubuntu/+source/gnutls12/+bug/305264
> 
> How did you test access to FDS on Red Hat systems? If you use OpenLDAP
> commandline tools like ldapsearch to get access to FDS, you have to run
> cacertdir_rehash on the directory where the CA cert is stored. What is
> the output from:
> 
> # openssl s_client -connect your_host_fqdn:443
> 
> (make sure you have the cacert available in ca-bundle.crt)
> 
> Happy Day.
> Thorsten
<snip>
Bizarre! It works now! I had been trying actual logins to test.  I
flushed nscd countless times.  For hours, I could not get it to work.
Now that I've let it sit for a couple of days, I set tls_checkpeer to
yes and LDAP users can log in fine.

I did use openssl s_client as you suggested. I added -verify to force CA
validation and changed the port to 636.  If I did not supply -CAfile, it
worked and said the CA was self-signed (true) and if I did supply
-CAfile, it worked as well.  Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
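The following is an added worked example, not code from this thread nor from FDS, nss_ldap or pam_ldap. It reproduces offline what "tls_checkpeer yes" demands of the client: the server certificate must chain to a CA the client has been told to trust, via tls_cacertfile (one PEM file) or tls_cacertdir (a directory of <subject-hash>.0 files, which is what the cacertdir_rehash step Thorsten mentions creates). It then shows the s_client test from the thread with a caveat a practitioner should know: "openssl s_client -verify N" only sets the verification depth, the handshake still completes when the chain fails, and the outcome is only reported in the "Verify return code" line, so a connection that "worked" is not evidence the chain validated. Adding -verify_return_error makes s_client behave like tls_checkpeer yes and refuse the connection. The script assumes openssl on PATH, a usable loopback interface and free ports 14636-14639; all certificates (CA "Example Test CA", server "ldap.example.com", and an impostor self-signed cert with the same CN) are constructed by the script itself.

```shell
#!/bin/sh
# Added example, not code from the thread or from FDS/nss_ldap.
# Reproduces offline what "tls_checkpeer yes" asks of the client: the server
# certificate must chain to a CA the client has been told to trust.
# Assumes: openssl on PATH, loopback available, ports 14636-14639 free.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- constructed test material: a throwaway CA, a server cert it signed, and
# --- an unrelated self-signed cert with the same CN (what an impostor presents)
openssl req -x509 -sha256 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -sha256 -newkey rsa:2048 -nodes \
  -subj "/CN=ldap.example.com" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -sha256 -days 1 -in "$WORK/server.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.pem" 2>/dev/null
openssl req -x509 -sha256 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=ldap.example.com" -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null

# tls_cacertfile: validate CERT against a single CA file. Succeeds only if
# openssl verify prints OK (old releases exit 0 even on failure, so grep).
check_peer() {        # check_peer CERT CAFILE
  openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# tls_cacertdir: OpenSSL finds CAs in a directory by <subject hash>.0, which is
# what cacertdir_rehash (c_rehash) creates; a bare copy of the PEM is ignored.
make_cacertdir() {    # make_cacertdir DIR CAFILE
  mkdir -p "$1"
  cp "$2" "$1/$(openssl x509 -noout -hash -in "$2").0"
}
check_peer_dir() {    # check_peer_dir CERT CADIR
  openssl verify -CApath "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Run "$@" while a throwaway TLS server on 127.0.0.1:PORT presents CERT/KEY.
# -www makes s_server answer a GET instead of reading its own stdin.
with_test_server() {  # with_test_server PORT CERT KEY CMD...
  port=$1; cert=$2; key=$3; shift 3
  openssl s_server -accept "$port" -cert "$cert" -key "$key" -www >/dev/null 2>&1 &
  srv=$!
  sleep 1
  rc=0
  "$@" || rc=$?
  kill "$srv" 2>/dev/null || true
  wait "$srv" 2>/dev/null || true
  return $rc
}

# The s_client test from the thread. s_client completes the handshake even when
# the chain does not validate and only reports the outcome in its
# "Verify return code" line, so print that code instead of trusting that the
# connection "worked". 0 means the chain validated against CAFILE.
verify_code() {       # verify_code PORT CAFILE  -> prints the code
  printf 'GET / HTTP/1.0\r\n\r\n' \
    | openssl s_client -connect "127.0.0.1:$1" -CAfile "$2" 2>/dev/null \
    | sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# What tls_checkpeer yes does: -verify_return_error turns a failed chain check
# into a handshake failure (non-zero exit) instead of a warning.
strict_connect() {    # strict_connect PORT CAFILE
  printf 'GET / HTTP/1.0\r\n\r\n' \
    | openssl s_client -connect "127.0.0.1:$1" -CAfile "$2" \
        -verify_return_error >/dev/null 2>&1
}

make_cacertdir "$WORK/cacertdir" "$WORK/ca.pem"
ok() { "$@" && echo OK || echo FAIL; }
echo "genuine cert vs tls_cacertfile:  $(ok check_peer "$WORK/server.pem" "$WORK/ca.pem")"
echo "impostor cert vs tls_cacertfile: $(ok check_peer "$WORK/rogue.pem" "$WORK/ca.pem")"
echo "genuine cert vs tls_cacertdir:   $(ok check_peer_dir "$WORK/server.pem" "$WORK/cacertdir")"
echo "verify code, genuine server:  $(with_test_server 14636 "$WORK/server.pem" "$WORK/server.key" verify_code 14636 "$WORK/ca.pem")"
echo "verify code, impostor server: $(with_test_server 14637 "$WORK/rogue.pem" "$WORK/rogue.key" verify_code 14637 "$WORK/ca.pem")"
echo "strict connect, genuine:  $(ok with_test_server 14638 "$WORK/server.pem" "$WORK/server.key" strict_connect 14638 "$WORK/ca.pem")"
echo "strict connect, impostor: $(ok with_test_server 14639 "$WORK/rogue.pem" "$WORK/rogue.key" strict_connect 14639 "$WORK/ca.pem")"
```

Against a real directory server the same two s_client invocations apply with the real host: "-connect ldap.mycompany.com:636" for ldaps, or "-connect ldap.mycompany.com:389 -starttls ldap" on OpenSSL releases that support the ldap STARTTLS option, always with -CAfile pointing at the file named in tls_cacertfile. Read the "Verify return code" line rather than the fact that a session was established; the impostor run above reports a non-zero code and only fails the connection once -verify_return_error is given. The hash-named file in the cacertdir is also the quick check for the tls_cacertdir variant: if "openssl x509 -noout -hash -in SSICA.pem" does not name a file in that directory, the CA is invisible to the client no matter what ldap.conf says.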



