TinyCA2 & 389-DS

Hello, Jeff.

I am working with the current release of RHDS towards bringing an LDAP
infrastructure online at my place of business.  The secure communications
bit is one of the first aspects of the system that I've gotten set up.  At
this time I am working with the systems that will be authenticating to the
directory, so I have not yet gotten to the business of replication; however,
I thought I'd post my thoughts on what it seems you might be dealing with.

I am using the easy-rsa set of scripts that is shipped with OpenVPN;
however, I do not think the software you're using to generate the
certificates is the source of the problem.

The first thing that I have found is that the Netscape Security Services (NSS)
library is very sensitive to what kind of certificate it is actually dealing
with.  I discovered this when attempting to use the server certificate I
generated to test TLS connectivity with ldapsearch from the directory
server's command line.  It complains quite loudly that it cannot trust the
certificate that it uses to identify the server as a client certificate.

conn=48 Netscape Portable Runtime error -8101 (Certificate type not approved
for application.)

I determined that the "certificate type" was in reference to the X509v3
Extended Key Usage specification.  For server certificates it is "TLS Web
Server Authentication" vs "TLS Web Client Authentication" for client
identification.

For local TLS testing purposes, I issued a client certificate
"cn=test.client", created a test.client user under the appropriate branch in
the tree and voila.

Without further information, I would assume that the problem is that you
haven't provided your client with an appropriate client key.  Installing
your local Root CA is necessary and is a good start; however, whatever
client program you are using will need some way to complete the handshake
with the server.

If this doesn't get you on your way, run a tail -f
/var/log/dirsrv/slapd-[instance]/access while your client system is trying
to connect to the server and put it in a response to this thread.

Stephen Spencer
Lawrence, KS

-- 
You know, I used to think it was awful that life was so unfair. Then I
thought, wouldn't it be much worse if life were fair, and all the terrible
things that happen to us come because we actually deserve them? So, now I
take great comfort in the general hostility and unfairness of the universe.
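The distinction Stephen draws between "TLS Web Server Authentication" and "TLS Web Client Authentication" is the X.509v3 Extended Key Usage extension, and NSS error -8101 is SEC_ERROR_INADEQUATE_CERT_TYPE, raised when a certificate's usage does not permit the role it is being asked to play. The following is an added example, not code from the thread, TinyCA2, easy-rsa or 389-DS: it mints a throwaway CA and two certificates that differ only in EKU, then shows how to read the EKU back and check it against the intended role before the certificate is ever imported into a directory server. The CA name, the hostname ldap.example.com and the working directory are made up for the example.

```shell
#!/bin/sh
# Added example: issue a server and a client certificate with different
# Extended Key Usage values and inspect them with openssl.  All names below
# (the CA, ldap.example.com, test.client) are assumptions for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Throwaway CA standing in for the TinyCA2 / easy-rsa root.  One-day validity
# keeps the files from being useful for anything but this test.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Test CA" -keyout ca.key -out ca.crt 2>/dev/null

# issue_cert NAME EKU
#   Writes NAME.key and NAME.crt signed by the CA above, with the given
#   extendedKeyUsage value (serverAuth or clientAuth).
issue_cert() {
    name=$1
    eku=$2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$name.key" -out "$name.csr" 2>/dev/null
    printf 'extendedKeyUsage = %s\nkeyUsage = digitalSignature, keyEncipherment\n' \
        "$eku" > "$name.ext"
    openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 1 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
}

# cert_eku FILE
#   Prints the line following the "X509v3 Extended Key Usage" header in the
#   textual dump, e.g. "TLS Web Client Authentication".
cert_eku() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/X509v3 Extended Key Usage/{n;s/^[[:space:]]*//;p;}'
}

# eku_allows FILE ROLE   (ROLE is "server" or "client")
#   Exit 0 when the certificate's EKU permits that role, 1 when it does not.
#   This is the same question NSS answers before reporting -8101.
eku_allows() {
    case $2 in
        server) pattern='TLS Web Server Authentication' ;;
        client) pattern='TLS Web Client Authentication' ;;
        *) echo "usage: eku_allows FILE server|client" >&2; return 2 ;;
    esac
    cert_eku "$1" | grep -q "$pattern"
}

# The directory server gets a serverAuth certificate; the ldapsearch side
# gets a clientAuth certificate, mirroring the cn=test.client approach.
issue_cert ldap.example.com serverAuth
issue_cert test.client clientAuth

echo "server cert EKU: $(cert_eku ldap.example.com.crt)"
echo "client cert EKU: $(cert_eku test.client.crt)"
if eku_allows ldap.example.com.crt client; then
    echo "server cert would be accepted as a client cert"
else
    echo "server cert is not usable for client authentication (expect NSS -8101)"
fi
```

Run it once and the last line shows why presenting the server's own certificate from ldapsearch fails: the EKU never lists client authentication. The same inspection on a certificate already imported into the server's NSS database is `certutil -L -d /etc/dirsrv/slapd-[instance] -n <nickname>`, which prints the Extended Key Usage block in the same form.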