Re: [389-users] TinyCA2 & 389-DS

Hello, Jeff.

I am working with the current release of RHDS towards bringing an LDAP infrastructure online at my place of business.  The secure communications bit is one of the first aspects of the system that I've gotten set up.  At this time I am working with the systems that will be authenticating to the directory, so I have not yet gotten to the business of replication; however, I thought I'd post my thoughts on what it seems you might be dealing with.

I am using the easy-rsa set of scripts that is shipped with OpenVPN; however, I do not think the software you're using to generate the certificates is the source of the problem.

The first thing that I have found is that the Netscape Security Services library is very sensitive to what kind of certificate it is actually dealing with.  I discovered this when attempting to use the server certificate I generated to test TLS connectivity with ldapsearch from the directory server's command line.  It complains quite loudly that it cannot trust the certificate that it uses to identify the server as a client certificate.

conn=48 Netscape Portable Runtime error -8101 (Certificate type not approved for application.)

I determined that the "certificate type" was in reference to the X509v3 Extended Key Usage specification.  For server certificates it is "TLS Web Server Authentication" vs "TLS Web Client Authentication" for client identification.

For local TLS testing purposes, I issued a client certificate "cn=test.client", created a test.client user under the appropriate branch in the tree and voila.

Without further information, I would assume that the problem is that you haven't provided your client with an appropriate client key.  Installing your local Root CA is necessary and is a good start; however, whatever client program you are using will need some way to complete the handshake with the server. 

If this doesn't get you on your way, run a tail -f /var/log/dirsrv/slapd-[instance]/access while your client system is trying to connect to the server and put it in a response to this thread.

Stephen Spencer
Lawrence, KS

--
You know, I used to think it was awful that life was so unfair. Then I thought, wouldn't it be much worse if life were fair, and all the terrible things that happen to us come because we actually deserve them? So, now I take great comfort in the general hostility and unfairness of the universe.
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
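The check described in the message above, as an added example that is not part of the original post or of 389-DS itself: inspect a certificate's X509v3 Extended Key Usage as printed by `openssl x509 -text`, decide whether it may act as a TLS server or client, and pull the NSPR error number out of a dirsrv access-log line so the -8101 case can be spotted before the client certificate is re-issued. The certificate texts, the log line and the `cert_text_from_file` helper (which shells out to the openssl CLI) are constructed for this example; treating a certificate with no EKU extension as unrestricted is an assumption made here.

```python
"""Classify a certificate's Extended Key Usage (EKU) from `openssl x509 -text`
output and recognise the NSS "certificate type not approved" error in a
389-DS access log. Added example; sample data below is constructed."""
import re
import subprocess
from typing import Optional, Set

# Purpose names exactly as OpenSSL prints them for the two EKU values
# the thread contrasts.
SERVER_AUTH = "TLS Web Server Authentication"
CLIENT_AUTH = "TLS Web Client Authentication"

# NSPR/NSS error logged when the EKU does not fit the role the certificate
# is presented in (e.g. a server-only certificate used as a client cert).
NSS_CERT_TYPE_NOT_APPROVED = -8101

# Constructed sample output, trimmed to the lines that matter here.
SERVER_CERT_TEXT = """\
Certificate:
    Data:
        Subject: CN=ldap.example.test
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""

CLIENT_CERT_TEXT = """\
Certificate:
    Data:
        Subject: CN=test.client
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
"""

# Constructed access-log line in the shape quoted in the message.
SAMPLE_LOG_LINE = ("conn=48 Netscape Portable Runtime error -8101 "
                   "(Certificate type not approved for application.)")


def parse_eku(cert_text: str) -> Optional[Set[str]]:
    """Return the EKU purpose names, or None when the extension is absent.

    Absent (None) is kept distinct from an empty set: an empty set means the
    extension is present but names nothing usable.
    """
    m = re.search(r"X509v3 Extended Key Usage:[^\n]*\n\s*([^\n]+)", cert_text)
    if not m:
        return None
    return {p.strip() for p in m.group(1).split(",") if p.strip()}


def usable_as(cert_text: str, role: str) -> bool:
    """True if the certificate may serve as a TLS 'server' or 'client'.

    Assumption of this example: no EKU extension means no restriction. The
    failure in the thread is the explicit-but-wrong EKU case.
    """
    needed = {"server": SERVER_AUTH, "client": CLIENT_AUTH}[role]
    eku = parse_eku(cert_text)
    return eku is None or needed in eku


def nss_error_in_log_line(line: str) -> Optional[int]:
    """Extract the NSPR error number from a dirsrv access-log line, if any."""
    m = re.search(r"Netscape Portable Runtime error (-?\d+)", line)
    return int(m.group(1)) if m else None


def cert_text_from_file(path: str) -> str:
    """Dump a PEM certificate as text via the openssl CLI (needs openssl)."""
    out = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-text"],
                         check=True, capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    for name, text in (("server cert", SERVER_CERT_TEXT),
                       ("client cert", CLIENT_CERT_TEXT)):
        print(f"{name}: EKU={sorted(parse_eku(text))} "
              f"client-usable={usable_as(text, 'client')} "
              f"server-usable={usable_as(text, 'server')}")
    err = nss_error_in_log_line(SAMPLE_LOG_LINE)
    if err == NSS_CERT_TYPE_NOT_APPROVED:
        print("log shows -8101: check the EKU of the certificate the client presents")
```

To use it against a real file, feed `cert_text_from_file("/path/to/cert.pem")` into `usable_as`; a server certificate that returns False for `"client"` is the situation the message describes.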
