On Wed, 2016-04-06 at 12:03 +0000, warron.french@xxxxxxxxx wrote:
> Good morning Mr. Brown,
>
> Here are the results of your first query; executing the certutil command as you
> presented it (with adding my instance):
> certutil -L -d /etc/dirsrv/slapd-E2WAN/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> wsf-LabCA.lab.aero.org                                       CT,,
> wsf-LabLDAP.crt                                              u,u,u
>
> /////////
> Here is the answer to your question about a CA referenced in my
> /etc/openldap/ldap.conf; I executed:
> root@wsf-LabLDAP:~> cat /etc/openldap/ldap.conf
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> #BASE   dc=example,dc=com
> #URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
>
> #SIZELIMIT      12
> #TIMELIMIT      15
> #DEREF          never
>
>
> TLS_CACERTDIR /etc/openldap/cacerts
> URI ldaps://wsf-LabLDAP.lab.aero.org/
> BASE dc=lab,dc=aero,dc=org
>
> MY QUESTION is why do I need to reference anything with OpenLDAP, if I am using
> 389-ds, is it simply a place to put things without creating a separate
> directory structure? I do not know if my CA certificate is in the correct
> place; perhaps it is not because I knew I wasn't using OpenLDAP, I am using
> 389-ds, and I didn't understand the implementation steps properly and so I 'did
> it my way.'

389-ds is the server component. However, the ldapsearch utility comes from
OpenLDAP and has its OWN CA store. This is why you need to configure both parts.

>
> I store my certs up under /etc/pki/CA/certs; as shown below:
> root@wsf-LabLDAP:/etc/pki/CA/certs> ls
> wsf-LabCA.crt  wsf-LabLDAP-AdminServer.crt  wsf-LabLDAP.crt
>
> I am running CentOS-6.6; can I still get support here in this website?
>
> Mr. Brown, I can produce the output of an ldapsearch command and something that
> I believe confirms your suspicion; but I don't know what to do to fix the
> problem (in my VMs or on my REAL server).
>
> Here is the ldapsearch I executed and the results:
> root@wsf-LabLDAP:/> ldapsearch -d 5 -x -L -b 'dc=lab,dc=aero,dc=org'
> ldap_create
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP wsf-LabLDAP.lab.aero.org:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 192.168.2.243:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> attempting to connect:
> connect success
> TLS: certdb config: configDir='/etc/openldap/cacerts'
> tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
> TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11
> error.
> TLS: loaded CA certificate file /etc/openldap/cacerts/415ee41f.0 from CA
> certificate directory /etc/openldap/cacerts.
> TLS: skipping 'authconfig_downloaded.pem' - filename does not have expected
> format (certificate hash with numeric suffix)
> TLS: certificate [CN=wsf-LabLDAP.lab.aero.org,OU=Aerospace,O=Aerospace,L=Chantilly,ST=Virginia,C=US] is
> not valid - error -8181:Peer's Certificate has expired..
> TLS: error: connect - force handshake failure: errno 0 - moznss error -8157
> TLS: can't connect: TLS error -8157:Certificate extension not found..
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> Can you please lead me down the path of solving this? I noticed you are a Red
> Hat Software Engineer; I hope that means you will still be able to support me
> on CentOS (but I guess RedHat owns CentOS now).
>

This is a public mailing list, so my corporate affiliation means little in terms
of whether I help you or not!

For this, it looks like it's not able to find the CA. Look at these lines:

> TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11
> error.
> TLS: loaded CA certificate file /etc/openldap/cacerts/415ee41f.0 from CA
> certificate directory /etc/openldap/cacerts.
> TLS: skipping 'authconfig_downloaded.pem' - filename does not have expected
> format (certificate hash with numeric suffix)
> TLS: certificate [CN=wsf-LabLDAP.lab.aero.org,OU=Aerospace,O=Aerospace,L=Chantilly,ST=Virginia,C=US] is
> not valid - error -8181:Peer's Certificate has expired..

So you should take the current CA cert from the slapd instance:

certutil -L -d /etc/dirsrv/slapd-E2WAN/ -n wsf-LabCA.lab.aero.org -a > /etc/openldap/cacerts/wsf-LabCA.lab.aero.org.pem

Then you can make these valid for OpenLDAP to use:

cd /etc/openldap/cacerts
cacertdir_rehash

This will recreate the hash -> cert symlinks. From there, re-run your ldap search command:

ldapsearch -d 5 -x -L -b 'dc=lab,dc=aero,dc=org'

If you still fail with:

> not valid - error -8181:Peer's Certificate has expired..

You have bigger problems than ldap.

Otherwise, I hope this works for you.

-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane
-- 389 users mailing list 389-users@%(host_name)s http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
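The procedure William lays out above (export the CA from the instance's NSS database, rebuild the hash symlinks the OpenLDAP client looks for in TLS_CACERTDIR, then check whether the certificate really has expired, which is what the -8181 error in the debug output says) as one POSIX shell script. This is an added example for this thread, not code from 389-ds, OpenLDAP, authconfig or the poster. It assumes openssl(1) is installed; only the export function additionally needs certutil(1) from nss-tools. The rehash function links both the current and the pre-1.0 OpenSSL subject hash, on the assumption that this matches what c_rehash/cacertdir_rehash produce and so covers either client build. The demo CA, its subject and all paths are constructed for the example.

```shell
#!/bin/sh
# Added example for the thread above; not code from 389-ds, OpenLDAP or the
# poster. Assumes openssl(1); export_ca_from_nssdb additionally needs
# certutil(1) from nss-tools. All paths and names below are illustrative.
set -eu

# Export a CA certificate from a 389-ds instance's NSS database as PEM, e.g.
#   export_ca_from_nssdb /etc/dirsrv/slapd-E2WAN wsf-LabCA.lab.aero.org \
#       /etc/openldap/cacerts/wsf-LabCA.lab.aero.org.pem
# (the same certutil invocation as in the reply, with the values as parameters)
export_ca_from_nssdb() {
    certutil -L -d "$1" -n "$2" -a > "$3"
}

# Rebuild the <subject-hash>.N symlinks that the OpenLDAP client expects in
# TLS_CACERTDIR (the "415ee41f.0" form in the debug output). A PEM file under
# any other name is ignored, which is the "skipping 'authconfig_downloaded.pem'"
# message. Assumption: linking both the current and the old-style subject hash,
# as c_rehash does, is enough for either client build to find the file.
rehash_cacertdir() {
    dir="$1"
    # drop links left over from an earlier run; regular files are untouched
    for old in "$dir"/*.[0-9] "$dir"/*.[0-9][0-9]; do
        if [ -L "$old" ]; then rm -f "$old"; fi
    done
    for pem in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$pem" ] || continue
        hashes=$(openssl x509 -in "$pem" -noout -subject_hash -subject_hash_old | sort -u)
        for h in $hashes; do
            n=0
            while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
            ln -s "$(basename "$pem")" "$dir/$h.$n"
        done
    done
}

# Return 0 if the certificate in $1 stays valid for at least $2 more seconds
# (default 0, i.e. "not expired right now"), 1 otherwise. This is the local
# check for the -8181 "Peer's Certificate has expired" condition; run it on
# the CA file and on the server certificate (here: wsf-LabLDAP.crt).
cert_is_valid() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Show the certificate a live server actually presents on ldaps (636), so the
# on-disk copy can be compared with what the client sees. Needs network access
# to the server, so it is not exercised by the offline test.
show_server_cert() {
    printf '' | openssl s_client -connect "$1:636" -showcerts 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Constructed self-signed CA so the functions can be exercised offline.
# $2 is the lifetime in days (default 1).
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "${2:-1}" \
        -subj "/CN=demo-LabCA.example.test" \
        -keyout "$1/demo-ca.key" -out "$1/demo-ca.pem" >/dev/null 2>&1
}

# Example run:
#   tmp=$(mktemp -d); make_demo_ca "$tmp" 1; rehash_cacertdir "$tmp"; ls -l "$tmp"
#   cert_is_valid "$tmp/demo-ca.pem" 0        && echo "valid now"
#   cert_is_valid "$tmp/demo-ca.pem" 31536000 || echo "expires within a year"
```

On the real system the sequence is `export_ca_from_nssdb` into /etc/openldap/cacerts, `rehash_cacertdir /etc/openldap/cacerts`, then `cert_is_valid` on both the CA file and the server certificate: if the server certificate fails the check, rehashing will not make the -8181 error go away and the certificate has to be reissued from the CA before `ldapsearch` will connect.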