UPDATED: Using certs from MS CA server

Hi Jake,

If you are using a self-signed certificate (i.e., the CN on the CA cert is the same domain as the CN on the LDAP cert) then OpenLDAP will reject the certificate by default.

You can see from the message that it found the certificate by the message "certificate verify failed" in the error message.

If you want to keep using this certificate, you can add the following line to your /etc/openldap/ldap.conf:

TLS_REQCERT never

This will allow ldapsearch to function while ignoring this error.

Please note the consequences of this action in the man page for ldap.conf.

Good luck,
--
Joshua M. Miller - RHCE,VCP

J Davis wrote:
Hello,

I have FDS 1.0.4 running using an SSL certificate generated by a Microsoft Windows 2003 CA server. I chose this method as opposed to the setupssl.sh script from the wiki because I have read in the list archives that it is the best way to avoid trust issues when setting up PassSync over SSL between FDS and AD. I'm having a hard time finding references for configuring this properly and I know very little about SSL certificates so I'm making some guesses and likely missing a crucial step or two. The problem is that when trying to bind to the FDS using SSL I get certificate verification errors.

> # ldapsearch -x -H ldaps://localhost/
> ldap_bind: Can't contact LDAP server (-1)
>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Here's how I set up the certificates...
1. Generated a CSR using the FDS console wizard and submitted it to the MS CA.
2. Imported the CA certificate (called "it") and the signed "server-cert" resulting from step 1 from the MS CA using the FDS admin console.
3. Enabled SSL (port 636) in the directory server using server-cert from step 1.

I used certutil to display the list of certificates in the FDS cert db.
> [alias]# ../shared/bin/certutil -L -d . -P slapd-<instance>-
> server-cert    u,u,u
> it             CT,,

Then verified that "server-cert" was considered valid.
> [alias]# ../shared/bin/certutil -V -n server-cert -e -u V -d . -P slapd-<instance>-
> Enter Password or Pin for "NSS Certificate DB":
> certutil-bin: certificate is valid

I also verified that I can connect using openssl client.
> # openssl s_client -connect localhost:636 -showcerts -CAfile /path/to/it_ca.crt
> --snip--
>     Verify return code: 0 (ok)
> ---

Any hints as to what I might be doing wrong are greatly appreciated.

Thanks,
-Jake
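
The symptom in this thread (ldapsearch failing with "certificate verify failed" even though the NSS database and openssl s_client -CAfile both accept the chain) comes from the OpenLDAP client side not knowing the issuing CA. The reply above suggests TLS_REQCERT never, which makes ldapsearch work by skipping verification; the usual alternative is to point the client at the CA certificate with TLS_CACERT. The script below is an added example, not code from either poster or from the Fedora Directory Server project: it lints an ldap.conf for these two settings, flags the verification-disabling values, and demonstrates the weak file beside a hardened one. The path /etc/openldap/cacerts/it_ca.crt and the helper names are assumptions for the demonstration.

```sh
#!/bin/sh
# Added example (not from the thread): lint an OpenLDAP client ldap.conf so that
# server certificates are verified against a pinned CA rather than ignored.
# File paths and function names here are hypothetical.

# Print the effective value of an ldap.conf option: comments are skipped,
# option names are case-insensitive, and the last occurrence wins.
ldap_conf_get() {
    # $1 = config file, $2 = option name
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        toupper($1) == toupper(key) { val = $2 }
        END { if (val != "") print val }
    ' "$1"
}

# Return 0 when the file demands verification and names a CA to verify
# against, 1 otherwise. Diagnostics go to stderr.
ldap_conf_tls_check() {
    conf="$1"
    reqcert=$(ldap_conf_get "$conf" TLS_REQCERT)
    cacert=$(ldap_conf_get "$conf" TLS_CACERT)
    cadir=$(ldap_conf_get "$conf" TLS_CACERTDIR)

    # "never" and "allow" both let a connection proceed with a bad or
    # untrusted server certificate, which is what TLS_REQCERT never does here.
    case "$(printf '%s' "$reqcert" | tr 'A-Z' 'a-z')" in
        never|allow)
            echo "WEAK: $conf: TLS_REQCERT $reqcert disables server cert verification" >&2
            return 1 ;;
    esac

    # With the default (demand) but no CA configured, the client cannot build
    # a trust chain, which is exactly the "certificate verify failed" symptom.
    if [ -z "$cacert" ] && [ -z "$cadir" ]; then
        echo "WEAK: $conf: no TLS_CACERT or TLS_CACERTDIR, verification cannot succeed" >&2
        return 1
    fi
    echo "OK: $conf: server certs verified against ${cacert:-$cadir}" >&2
    return 0
}

# Write a constructed weak config and a constructed hardened config into a
# temp directory and run the check on each. Returns 0 when the weak one is
# flagged and the hardened one passes.
ldap_conf_demo() {
    dir=$(mktemp -d) || return 1

    # Weak: the workaround from the reply, verification switched off.
    printf 'TLS_REQCERT never\n' > "$dir/weak.conf"

    # Hardened: trust the MS CA ("it") exported to a PEM file and keep the
    # default verification behaviour explicit. Path is an assumption.
    printf '# CA that signed server-cert on the FDS side\n' > "$dir/hardened.conf"
    printf 'TLS_CACERT /etc/openldap/cacerts/it_ca.crt\n' >> "$dir/hardened.conf"
    printf 'TLS_REQCERT demand\n' >> "$dir/hardened.conf"

    rc=0
    ldap_conf_tls_check "$dir/weak.conf" && rc=1
    ldap_conf_tls_check "$dir/hardened.conf" || rc=1
    rm -rf "$dir"
    return $rc
}

ldap_conf_demo
```

To produce the PEM the hardened config points at, the CA already trusted by the FDS NSS database can be exported with certutil (for example `certutil -L -d . -P slapd-<instance>- -n it -a`), which is the same "it" certificate listed with CT,, trust flags in the original post.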

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
