Re: ssl certificate problem

Paolo Ercolani wrote:

   Hi. I'm new to this list and it's been a week that I'm really fighting with
   directory server. I followed some howtos, I downloaded a lot of
   documents but I can't get out of trouble. I need to log in from
   my Linux boxes on the LDAP directory server. If I try to use my test
   user in clear mode I can do that. The problem is when I try to
   configure a self-signed certificate. I'll not describe all the tests
   I've done, I'll tell you just the last!! I created my cacert.pem on
   the ldapserver and I installed it from the console. It goes and it's
   ok. Then I used openssl to generate a private key and a certificate
   request, then I signed it. That's what I did:

      openssl genrsa -out privkey.pem 2048
      openssl req -new -key privkey.pem -out PEM.csr
      openssl ca -cert cacert.pem -in PEM.csr -out cert.pem

   I copied cacert.pem, privkey.pem and cert.pem to the client and I
   configured ldap.conf on it:

Is this /etc/openldap/ldap.conf? In order to get pam/nss working (I assume by "login" you mean login to the operating system) you need to configure pam/nss ldap to do TLS, which is the file /etc/ldap.conf, which takes the below parameters in a slightly different format.

I don't know if you need TLS_CERT and TLS_KEY - are you attempting to do client cert auth - EXTERNAL bind?

      URI ldaps://<ldapserver>:636
      BASE ou=UTENTI,o=postel,c=com
      host kingu.postel.com
      TLS_REQCERT allow
      TLS_CHECKPEER yes
      TLS_CACERTDIR /etc/ssl
      TLS_CACERT /etc/ssl/cacert.pem
      TLS_CERT /etc/ssl/cert.pem
      TLS_KEY /etc/ssl/privkey.pem

   I activated SSL on my LDAP server and I installed my cacert.pem on
   it. I didn't do anything else. I tried also to generate a certificate
   request from directory server and to sign it with my cacert.pem.
   Then I imported it as my server-cert. It imported it but login
   still didn't go.

I'm unclear on this last step. What do you mean by login still didn't go? Because the access log excerpt below would seem to indicate that the OS did search for and find the login name.

Yes. Reading the logs it seems the login goes ok. But my client can't really log in and I don't know what I can check. The client asks me again for the password, but I'm sure it's the right one. Have you any ideas for checking something???

Thanks in advance.
Paolo.
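An added diagnostic, not from this thread or from the Fedora Directory Server project: it rebuilds the poster's CA/key/cert steps offline with a throwaway CA and then runs the two checks an LDAP client performs once TLS_REQCERT is raised from "allow" to "demand", chain verification against cacert.pem and hostname match. The hostname kingu.postel.com comes from the posted config; the file names, CA subject and helper name check_server_cert are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread. Builds a throwaway CA and
# server certificate in a temp dir, then checks them the way an LDAP client
# with TLS_REQCERT demand would: chain to the CA and name match on the host.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=kingu.postel.com   # directory server name taken from the posted ldap.conf

# 1. Self-signed CA, the equivalent of the poster's cacert.pem (subject assumed).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/cakey.pem" \
    -out "$WORK/cacert.pem" -days 365 -subj "/O=postel/CN=Test CA" 2>/dev/null

# 2. Server key and CSR, then sign with the CA (same genrsa/req/sign sequence
#    as the thread, but with the server hostname in the CN and a SAN, which is
#    what the client compares against the host it connected to).
openssl genrsa -out "$WORK/privkey.pem" 2048 2>/dev/null
openssl req -new -key "$WORK/privkey.pem" -out "$WORK/server.csr" \
    -subj "/O=postel/CN=$HOST" 2>/dev/null
printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.cnf"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 \
    -extfile "$WORK/san.cnf" -out "$WORK/cert.pem" 2>/dev/null

# check_server_cert CA CERT HOSTNAME
# Returns 0 only if CERT chains to CA and is valid for HOSTNAME, i.e. the
# conditions under which TLS_REQCERT demand would accept the server.
check_server_cert() {
    ca=$1; cert=$2; hostname=$3
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    openssl x509 -in "$cert" -noout -checkhost "$hostname" | grep -q 'does match'
}

if check_server_cert "$WORK/cacert.pem" "$WORK/cert.pem" "$HOST"; then
    echo "OK: chain verifies and the name matches $HOST; TLS_REQCERT demand is safe"
else
    echo "FAIL: a client with TLS_REQCERT demand would reject this server certificate"
fi
```

Run the same two openssl commands against the real cacert.pem and the certificate installed on the directory server; a failure in either one is the condition that "TLS_REQCERT allow" hides.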

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
