From: Chris Frederick <cdf123@cdf123.net>
To: gentoo-user@lists.gentoo.org, gentoo-server@lists.gentoo.org
Subject: [gentoo-server] ldap + tls issues
Date: Mon, 07 Apr 2008 12:14:45 -0500
Message-ID: <47FA5685.5080406@cdf123.net>
Hi all,
I'm working on migrating a network to allow for more users and easier
scaling. I'm also splitting up the main server into separate tasks. As
long as I'm doing all this I thought it would be prudent to add an LDAP
server for authentication/email/etc... I'm running gentoo-hardened on
the ldap server and I have been following the gentoo ldap guides here:
http://www.gentoo.org/doc/en/ldap-howto.xml
http://gentoo-wiki.com/HOWTO_LDAPv3
This got me a decent setup, and everything works well, but now I'm
trying to secure it using TLS and I can't seem to get it working. I've
followed both guides, searched Google, and still come up with nothing.
I've verified the CN is correct, I've copied the cert from the server to
the test client, and I've verified that the certs are ok using openssl.
Running 'ldapsearch -H ldap://valid-cn -D "cn=Manager,dc=secret,dc=com" -W'
lists everything that I've imported, but adding -Z to the command exits
with this:
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I'm using the same common name for the ldap:// protocol as was entered
in the cert. Here's the relevant config sections:
/etc/openldap/slapd.conf (server only)
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ldap-key.pem
TLS_REQCERT allow
/etc/openldap/ldap.conf (client and server)
TLS_CERT /etc/ssl/ldap.pem
TLS_KEY /etc/openldap/ldap-key.pem
TLS_REQUEST never
Is there anything else I should check with the certs?
Also, I've been looking for a decent guide to help with installation and
maintenance for LDAP and I'm coming up dead. I've even checked the
libraries and bookstores, and apart from a 2-8 page reference in a few
general administrative books, I've found nothing. Can anyone recommend
a good book/site on how to maintain/administer/install LDAP? I've spent
over a week on this and it's still not operational and I'm starting to
pull my hair out.
Thanks in advance for any help,
Chris
--
gentoo-server@lists.gentoo.org mailing list
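The config sections quoted in the post can be checked mechanically. The script below is an added example, not code from the thread or from OpenLDAP: it encodes the TLS directive names documented in slapd.conf(5) and ldap.conf(5), lints the two sample configs (reconstructed from the post), and prints a corrected client ldap.conf. The three things it flags are the ones behind the "certificate verify failed" error and the weak settings around it: the client has no TLS_CACERT (so it cannot build a trust chain to the server certificate; for a self-signed server cert, TLS_CACERT can point at that cert itself), TLS_REQUEST is not a directive (TLS_REQCERT is), TLS_REQCERT is an ldap.conf directive rather than a slapd.conf one (slapd uses TLSVerifyClient), and the cipher string does not exclude SSLv2. The CA path in the suggested fix is an assumption.

```python
"""Lint OpenLDAP TLS settings from slapd.conf (server) and ldap.conf (client).

Added example; not code from the mailing-list thread or from OpenLDAP. The
directive tables follow slapd.conf(5) and ldap.conf(5). The sample configs are
reconstructed from the post; the CA path in suggest_client_conf() is assumed.
"""

# TLS directives slapd.conf(5) accepts (server side, CamelCase, no underscore).
SLAPD_TLS = {
    "TLSCipherSuite", "TLSCertificateFile", "TLSCertificateKeyFile",
    "TLSCACertificateFile", "TLSCACertificatePath", "TLSVerifyClient",
    "TLSRandFile", "TLSDHParamFile",
}
# TLS directives ldap.conf(5) accepts (client side, upper case with underscore).
LDAP_TLS = {
    "TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT", "TLS_KEY", "TLS_REQCERT",
    "TLS_CIPHER_SUITE", "TLS_RANDFILE", "TLS_CRLCHECK",
}

# Constructed from the config sections quoted in the post.
SLAPD_SAMPLE = """\
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ldap-key.pem
TLS_REQCERT allow
"""
LDAP_SAMPLE = """\
TLS_CERT /etc/ssl/ldap.pem
TLS_KEY /etc/openldap/ldap-key.pem
TLS_REQUEST never
"""


def parse_conf(text):
    """Return (directive, value) pairs; comments and blank lines are skipped."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        pairs.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return pairs


def lint_slapd(text):
    """Findings for a server-side slapd.conf, each prefixed with the directive."""
    findings = []
    for key, val in parse_conf(text):
        if not key.startswith("TLS"):
            continue
        if key.startswith("TLS_"):
            findings.append(f"{key}: ldap.conf(5) syntax, not a slapd.conf "
                            "directive; client-cert policy is TLSVerifyClient")
        elif key not in SLAPD_TLS:
            findings.append(f"{key}: unknown slapd.conf TLS directive")
        if key == "TLSCipherSuite":
            up = val.upper()
            if "SSLV2" in up and "!SSLV2" not in up:
                findings.append(f"{key}: SSLv2 not excluded; prefer HIGH:!SSLv2:!aNULL")
    return findings


def lint_ldap(text):
    """Findings for a client-side ldap.conf."""
    pairs = parse_conf(text)
    keys = {k for k, _ in pairs}
    findings = []
    for key, val in pairs:
        if key.startswith("TLS") and key not in LDAP_TLS:
            hint = " (TLS_REQCERT?)" if key == "TLS_REQUEST" else ""
            findings.append(f"{key}: unknown ldap.conf TLS directive{hint}")
        elif key in ("TLS_CERT", "TLS_KEY"):
            findings.append(f"{key}: configures a client certificate; it does not "
                            "make the client trust the server certificate")
        elif key == "TLS_REQCERT" and val.lower() in ("never", "allow"):
            findings.append(f"{key} {val}: server certificate is not verified, "
                            "so StartTLS is open to an active attacker")
    if not keys & {"TLS_CACERT", "TLS_CACERTDIR"}:
        findings.append("TLS_CACERT: missing; without a trusted CA (or the "
                        "self-signed server cert itself) the client cannot build "
                        "a chain and reports 'certificate verify failed'")
    return findings


def suggest_client_conf(ca_file="/etc/ssl/ldap-ca.pem"):
    """Corrected client ldap.conf; ca_file is an assumed path, not from the post."""
    return f"TLS_CACERT {ca_file}\nTLS_REQCERT demand\n"


if __name__ == "__main__":
    for name, fn, text in (("slapd.conf", lint_slapd, SLAPD_SAMPLE),
                           ("ldap.conf", lint_ldap, LDAP_SAMPLE)):
        print(f"== {name}")
        for finding in fn(text):
            print("  " + finding)
    print("== suggested client ldap.conf")
    print(suggest_client_conf(), end="")
```

Once the client has a TLS_CACERT it trusts and TLS_REQCERT demand, test with 'ldapsearch -H ldap://valid-cn -ZZ ...' rather than -Z: the doubled Z makes ldapsearch fail if StartTLS does not succeed, so a silent fallback to cleartext cannot hide a still-broken setup.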
Thread overview: 2+ messages
2008-04-07 17:14 Chris Frederick [this message]
2008-04-07 18:15 ` [gentoo-server] ldap + tls issues pkoelle