On Wed, 2016-04-13 at 01:45 +0000, xinhuan zheng wrote: > Hello Mr. Brown, > > I found that the procedure you give me is part of my problem. I ended up with > running remove-ds-admin.pl command then re-create my directory server instance > and admin server instance. Luckily I kept answers file and ldif data. I also > re-run the setupssl2.sh script. Since this time I didn't mess up with > environment variables, it did go through successfully. You should not have needed to do that. > I also did go through your procedure, and successfully run the ldapsearch > command. However, how do I know "ldapsearch -x -L -b 'dc=christianbook,dc=com'" > uses secure connection or not? I tail my access log, and it shows something > like below: > > [12/Apr/2016:21:24:47 -0400] conn=46 op=0 EXT oid="1.3.6.1.4.1.1466.20037" > name="startTLS" > [12/Apr/2016:21:24:47 -0400] conn=46 op=0 RESULT err=0 tag=120 nentries=0 > etime=0 > [12/Apr/2016:21:24:47 -0400] conn=46 op=-1 fd=64 closed - Peer does not > recognize and trust the CA that issued your certificate. > [12/Apr/2016:21:26:46 -0400] conn=47 fd=64 slot=64 connection from ::1 to ::1 > [12/Apr/2016:21:26:46 -0400] conn=47 op=0 BIND dn="" method=128 version=3 > [12/Apr/2016:21:26:46 -0400] conn=47 op=0 RESULT err=0 tag=97 nentries=0 > etime=0 dn="" > [12/Apr/2016:21:26:46 -0400] conn=47 op=1 SRCH base="dc=christianbook,dc=com" > scope=2 filter="(objectClass=*)" attrs=ALL > [12/Apr/2016:21:26:46 -0400] conn=47 op=1 RESULT err=0 tag=101 nentries=103 > etime=0 notes=U > [12/Apr/2016:21:26:46 -0400] conn=47 op=2 UNBIND > [12/Apr/2016:21:26:46 -0400] conn=47 op=2 fd=64 closed - U1 > > It did say "Peer does not recognize and trust the CA that issued your > certificate." However, it did return 103 entries for the ldapsearch. I don't > understand that. Is the secure connection successfully established or is it > actually failed back to non-secure connection? If you look in the ldap client config, /etc/openldap/ldap.conf, you likely have TLS_REQCERT set to NEVER or ALLOW. This means it checks the CA, but will not fail on an verification failure. So it is a "secure" connection, but the client hasn't validated the CA. > > Thanks, > - xinhuan > -- > 389 users mailing list > 389-users@%(host_name)s > http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx -- Sincerely, William Brown Software Engineer Red Hat, Brisbane
Attachment:
signature.asc
Description: This is a digitally signed message part
-- 389 users mailing list 389-users@%(host_name)s http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
