Re: TLS for dummies

fedora-directory-users-request@xxxxxxxxxx wrote:
> Date: Fri, 09 Dec 2005 12:05:18 -0700
> From: Craig White <craigwhite@xxxxxxxxxxx>
>
> Just basic stuff... I promise I have been through the wiki and the
> Administrator's guide (managing SSL and SASL) several times.
>
> Generated a CA certificate with openssl, used that to sign CSRs from the
> console application, and loaded them all into the console application. Have
> restarted FDS and it seems to be happy - but just to confirm...
>
> MY PROBLEM
> # ldapsearch -ZZ '(uid=jim)'
> ldap_start_tls: Connect error (-11)
>         additional info: Start TLS request accepted.Server willing to negotiate SSL.
>
> # tail -n4 /opt/fedora-ds/slapd-srv1/logs/access
> [09/Dec/2005:11:55:26 -0700] conn=83 op=5 fd=68 closed - U1
> [09/Dec/2005:12:00:58 -0700] conn=84 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
> [09/Dec/2005:12:00:58 -0700] conn=84 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [09/Dec/2005:12:00:58 -0700] conn=84 op=0 RESULT err=0 tag=120 nentries=0 etime=0
> [09/Dec/2005:12:00:58 -0700] conn=84 op=-1 fd=68 closed - Encountered end of file.
>
> # tail -n 7 /etc/openldap/ldap.conf
> URI     ldap://srv1.clsurvey.com
> HOST    srv1.clsurvey.com
> BASE dc=clsurvey,dc=com
> TLS_CACERTDIR /etc/ssl
> TLS_CACERT server.crt
> pam_password md5
> TLS_REQCERT allow
>
> My thinking is that this somehow has something to do with the TLS_CACERT
> in /etc/openldap/ldap.conf (the certificate for the client).

Please re-read http://www.openldap.org/doc/admin23/tls.html; it's quite clear about how to configure the CA cert.
Note that "pam_password" is not an OpenLDAP config keyword.

> Would this be the issue?
>
> Is there a better method for creating the client certificate from either
> the CA certificate (generated by openssl) or from the FDS Server
> Certificate (also generated by openssl)?

Only CA certs may be used to generate other certs. The server cert is just that, nothing more.

Only CA certs may be used to generate other certs. The server cert is just that, nothing more.

--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
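The following script is an added example, not part of the thread above and not code from OpenLDAP or Fedora Directory Server. It walks through the two points Howard makes: the client's TLS_CACERT must name the CA certificate (as a path to a readable file), not the server certificate, and a server certificate cannot be used to issue further certificates. It builds a throwaway CA and server certificate with the openssl command line, writes two constructed ldap.conf fragments (one mirroring the thread's TLS_CACERT server.crt, one pointing at the CA certificate), and checks each with openssl verify. The hostname srv1.example.com, the CA name, the working directory and all function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original thread: build a private CA with openssl,
# issue a server certificate signed by it, then check two things the thread
# turns on: (1) TLS_CACERT in ldap.conf must name the CA certificate, not the
# server certificate, and (2) a server certificate cannot issue other certs.
# The hostname, CA name and working directory are assumptions for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-srv1.example.com}"   # assumed directory server name

# One OpenSSL config holding the CA extensions and the server (end-entity) extensions.
cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Directory CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF

# Self-signed CA certificate and key (-x509 emits a certificate, not a CSR).
openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
  -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Server CSR, then sign it with the CA, applying the end-entity extensions.
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "/CN=$HOST" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -extfile "$WORK/ca.cnf" -extensions v3_server \
  -out "$WORK/server.crt" 2>/dev/null

# Two constructed ldap.conf fragments. The first mirrors the thread's mistake:
# TLS_CACERT names the server certificate, and only by a bare filename.
printf 'TLS_CACERTDIR /etc/ssl\nTLS_CACERT server.crt\nTLS_REQCERT allow\n' > "$WORK/ldap.conf.wrong"
printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$WORK/ca.crt" > "$WORK/ldap.conf.right"

# Succeeds only if the file is a certificate carrying basicConstraints CA:TRUE.
cert_is_ca() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Succeeds only if TLS_CACERT in the given ldap.conf is a readable CA certificate.
ldap_conf_cacert_ok() {
  cacert=$(awk '$1 == "TLS_CACERT" { print $2 }' "$1")
  [ -n "$cacert" ] && [ -r "$cacert" ] && cert_is_ca "$cacert"
}

# Succeeds only if the server certificate chains to the given trust anchor file.
server_cert_verifies_against() {
  openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
}

# Tries to use the server certificate as the issuer of a client certificate.
# Succeeds only if the result verifies, which it cannot: server.crt is CA:FALSE
# and lacks keyCertSign, so OpenSSL refuses to accept it as an issuer.
server_cert_can_issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "/CN=jim" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/server.crt" -CAkey "$WORK/server.key" \
    -CAcreateserial -days 365 -out "$WORK/client.crt" 2>/dev/null || return 1
  openssl verify -CAfile "$WORK/ca.crt" -untrusted "$WORK/server.crt" "$WORK/client.crt" >/dev/null 2>&1
}

report() { if "$@"; then echo "yes: $*"; else echo "no:  $*"; fi; }
report cert_is_ca "$WORK/ca.crt"
report cert_is_ca "$WORK/server.crt"
report ldap_conf_cacert_ok "$WORK/ldap.conf.wrong"
report ldap_conf_cacert_ok "$WORK/ldap.conf.right"
report server_cert_verifies_against "$WORK/ca.crt"
report server_cert_verifies_against "$WORK/server.crt"
report server_cert_can_issue
```

Two things worth noting when reading the output. TLS_CACERT takes the path of a file containing the CA certificate(s); TLS_CACERTDIR is a separate option naming a hashed directory of CA certificates, and OpenLDAP does not join the two, so a bare "server.crt" is looked up as a relative filename and the server certificate would not be a valid anchor even if found. And TLS_REQCERT allow tells the client to proceed even when the server certificate cannot be verified, so with that setting a wrong CA path silently removes the check the CA certificate was supposed to provide; demand (the default) is what makes the verification meaningful.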
