public inbox for gentoo-server@lists.gentoo.org
From: "pkoelle@gmail.com" <pkoelle@gmail.com>
To: gentoo-server@lists.gentoo.org
Subject: Re: [gentoo-server] ldap + tls issues
Date: Mon, 07 Apr 2008 20:15:14 +0200	[thread overview]
Message-ID: <47FA64B2.5060400@gmail.com> (raw)
In-Reply-To: <47FA5685.5080406@cdf123.net>

Chris Frederick schrieb:
> Hi all,
> 
> I'm working on migrating a network to allow for more users and easier 
> scaling.  I'm also splitting up the main server into separate tasks.  As 
> long as I'm doing all this I thought it would be prudent to add an LDAP 
> server for authentication/email/etc...  I'm running gentoo-hardened on 
> the ldap server and I have been following the gentoo ldap guides here:
> 
> http://www.gentoo.org/doc/en/ldap-howto.xml
> http://gentoo-wiki.com/HOWTO_LDAPv3
> 
> This got me a decent setup, and everything works good, but now I'm 
> trying to secure it using TLS and I can't seem to get it working.  I've 
> followed both guides, searched google, and still come up with nothing. 
> I've verified the CN is correct, I've copied the cert from the server to 
> the test client, and I've verified that the certs are ok using openssl.
> 
> running 'ldapsearch -H ldap://valid-cn -D "cn=Manager,dc=secret,dc=com" 
> -W' lists everything that I've imported, but adding the -Z to the 
> command exits with this:
> 
> ldap_start_tls: Connect error (-11)
>         additional info: error:14090086:SSL 
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Turn up debugging; there should be a more specific error somewhere like 
"unknown CA" or "self signed cert" (slapd doesn't like self-signed certs).

> 
> I'm using the same common name for the ldap:// protocol as was entered 
> in the cert.  Here's the relevant config sections:
> 
> /etc/openldap/slapd.conf (server only)
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile /etc/ssl/ldap.pem
> TLSCertificateKeyFile /etc/openldap/ldap-key.pem
> TLS_REQCERT     allow
I don't see TLSCACertificateFile pointing to your CA.


> Also, I've been looking for a decent guide to help with installation and 
> maintenance for LDAP and I'm coming up dead.  I've even checked the 
> libraries and bookstores, and apart from a 2-8 page reference in a few 
> general administrative books, I've found nothing.  Can anyone recommend 
> a good book/site on how to maintain/administer/install LDAP?
Not really. Remember, LDAP is just a protocol and management of 
implementations differs. Personally I haven't found many 10,000-foot kind 
of docs, which makes things hard as you'll see the big picture way too 
late (after lots of painful errors due to misconceptions). Once you know 
Ldap+Sasl+ssl+kerberos and how all this might (not) work together it's 
just reading Changelogs and manpages to keep you up to date with your 
implementation.

>    I've spent
> over a week on this and it's still not operational and I'm starting to 
> pull my hair out.
You're welcome ;)

cheers
  Paul
-- 
gentoo-server@lists.gentoo.org mailing list
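An added example, not from either message in this thread, that reproduces the two checks Paul's reply boils down to without touching a live slapd: whether the server cert chains to a CA the verifier knows, and whether its CN matches the host named in the ldap:// URI. It builds a throwaway test CA and server cert in a temp directory (the hostname `ldap.example.test` and all file names are constructed placeholders), then runs `openssl verify` once without and once with the CA file, which is exactly the difference between "certificate verify failed" and a working StartTLS. The slapd.conf/ldap.conf lines in the comments are the directives the reply asks about; note that `TLS_REQCERT` is a client-side ldap.conf option rather than a slapd.conf one.

```shell
#!/bin/sh
# Added example (not from the thread): show why a server cert that is fine on
# its own still fails verification until the CA that signed it is supplied.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed placeholder hostname; in practice this is the host in ldap://host
HOST=ldap.example.test

# Build a throwaway PKI: self-signed test CA, then a server cert signed by it.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Test CA" -keyout "$WORK/ca-key.pem" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$HOST" -keyout "$WORK/ldap-key.pem" -out "$WORK/ldap.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/ldap.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" \
    -CAcreateserial -days 1 -out "$WORK/ldap.pem" >/dev/null 2>&1
}

# verify_chain CERT [CAFILE]: prints "ok" or "verify failed"; exit 0 / 1.
# Without CAFILE only the system trust store is consulted, which is the
# situation a client is in when no TLS_CACERT / TLSCACertificateFile is set.
verify_chain() {
  cert=$1; ca=${2:-}
  if [ -n "$ca" ]; then
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 && { echo ok; return 0; }
  else
    openssl verify "$cert" >/dev/null 2>&1 && { echo ok; return 0; }
  fi
  echo "verify failed"; return 1
}

# cert_cn CERT: the subject CN, which must equal the host used in ldap://host.
# (Modern clients also check subjectAltName; the CN check is what the thread
# discusses.)
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Directives referenced in the reply (paths are placeholders):
#   slapd.conf (server):   TLSCACertificateFile /etc/ssl/ca.pem
#   ldap.conf  (client):   TLS_CACERT  /etc/ssl/ca.pem
#                          TLS_REQCERT demand

if command -v openssl >/dev/null 2>&1; then
  make_test_pki
  echo "without CA file: $(verify_chain "$WORK/ldap.pem" || true)"
  echo "with CA file:    $(verify_chain "$WORK/ldap.pem" "$WORK/ca.pem")"
  echo "cert CN:         $(cert_cn "$WORK/ldap.pem")  (host in URI: $HOST)"
else
  echo "openssl not found; skipping demo" >&2
fi
```

On the real setup the same two checks are `openssl verify -CAfile /path/to/ca.pem /etc/ssl/ldap.pem` and `openssl x509 -in /etc/ssl/ldap.pem -noout -subject`; if both pass and StartTLS still fails, `ldapsearch -ZZ -d 1 ...` prints the handshake detail the reply suggests turning up.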


