From: Chris Frederick
Date: Mon, 07 Apr 2008 12:14:45 -0500
To: gentoo-user@lists.gentoo.org, gentoo-server@lists.gentoo.org
Subject: [gentoo-user] ldap + tls issues

Hi all,

I'm working on migrating a network to allow for more users and easier scaling. I'm also splitting up the main server into separate tasks. As long as I'm doing all this, I thought it would be prudent to add an LDAP server for authentication/email/etc.

I'm running gentoo-hardened on the LDAP server and I have been following the Gentoo LDAP guides here:

http://www.gentoo.org/doc/en/ldap-howto.xml
http://gentoo-wiki.com/HOWTO_LDAPv3

This got me a decent setup, and everything works well, but now I'm trying to secure it using TLS and I can't seem to get it working.

I've followed both guides, searched Google, and still come up with nothing. I've verified the CN is correct, I've copied the cert from the server to the test client, and I've verified that the certs are OK using openssl.

Running

    ldapsearch -H ldap://valid-cn -D "cn=Manager,dc=secret,dc=com" -W

lists everything that I've imported, but adding -Z to the command exits with this:

    ldap_start_tls: Connect error (-11)
            additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I'm using the same common name for the ldap:// protocol as was entered in the cert.

Here are the relevant config sections:

/etc/openldap/slapd.conf (server only)

    TLSCipherSuite HIGH:MEDIUM:+SSLv2
    TLSCertificateFile /etc/ssl/ldap.pem
    TLSCertificateKeyFile /etc/openldap/ldap-key.pem
    TLS_REQCERT allow

/etc/openldap/ldap.conf (client and server)

    TLS_CERT /etc/ssl/ldap.pem
    TLS_KEY /etc/openldap/ldap-key.pem
    TLS_REQUEST never

Is there anything else I should check with the certs?

Also, I've been looking for a decent guide to help with installation and maintenance for LDAP and I'm coming up dead. I've even checked the libraries and bookstores, and apart from a 2-8 page reference in a few general administrative books, I've found nothing. Can anyone recommend a good book/site on how to maintain/administer/install LDAP?

I've spent over a week on this and it's still not operational and I'm starting to pull my hair out.

Thanks in advance for any help,
Chris

--
gentoo-user@lists.gentoo.org mailing list
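As an added example (not from the post above and not part of OpenLDAP's own tooling), a small POSIX shell check that audits a client ldap.conf for the two things a reviewer would look for in the config quoted above: a TLS_* directive that libldap does not recognise and therefore silently ignores (TLS_REQUEST is not an option; the verification level is set with TLS_REQCERT), and the absence of a TLS_CACERT/TLS_CACERTDIR trust anchor, which is what makes a self-signed or privately issued server certificate fail with "certificate verify failed" under the default TLS_REQCERT demand. It also flags TLS_REQCERT never/allow as weak. The sample config lines are constructed to mirror the post; the paths in them are the post's, not real files on the machine running this.

```shell
#!/bin/sh
# Audit an OpenLDAP client ldap.conf for TLS settings that disable server
# certificate verification, or that libldap will silently ignore.
# Prints one finding per line and returns 1 if anything was flagged.
check_ldap_conf() {
    conf="$1"
    problems=0
    have_cacert=0
    # Directive names are case-insensitive; "key value" per line, '#' comments.
    while read -r key value; do
        case "$key" in ''|\#*) continue ;; esac
        key=$(printf '%s' "$key" | tr 'a-z' 'A-Z')
        case "$key" in
            TLS_CACERT|TLS_CACERTDIR) have_cacert=1 ;;
            TLS_REQCERT)
                case "$value" in
                    never|allow)
                        # A bad or missing server certificate is accepted, so the
                        # StartTLS session gives no protection against an impostor.
                        echo "WEAK: TLS_REQCERT $value skips server certificate checks"
                        problems=1 ;;
                    try|demand|hard) ;;
                    *)  echo "ERROR: TLS_REQCERT has unknown value '$value'"
                        problems=1 ;;
                esac ;;
            TLS_CERT|TLS_KEY|TLS_CIPHER_SUITE|TLS_RANDFILE) ;;
            TLS_*)
                # Unrecognised directives are ignored, so a typo leaves the
                # default in place instead of failing loudly (e.g. TLS_REQUEST).
                echo "ERROR: unknown directive $key is ignored by libldap"
                problems=1 ;;
        esac
    done < "$conf"
    if [ "$have_cacert" -eq 0 ]; then
        # No trust anchor for a self-signed / privately issued server cert:
        # under the default TLS_REQCERT demand this is "certificate verify
        # failed". TLS_CERT/TLS_KEY are the client's own cert, not a CA.
        echo "ERROR: no TLS_CACERT or TLS_CACERTDIR; the server certificate cannot be verified"
        problems=1
    fi
    return "$problems"
}

# Constructed sample mirroring the client ldap.conf from the post above.
sample=$(mktemp)
printf 'TLS_CERT /etc/ssl/ldap.pem\nTLS_KEY /etc/openldap/ldap-key.pem\nTLS_REQUEST never\n' > "$sample"
check_ldap_conf "$sample" || echo "-- fix the findings above, then retest with ldapsearch -ZZ"
rm -f "$sample"
```

For a self-signed server certificate, TLS_CACERT can point at the copy of that certificate on the client; for a CA-issued one it must point at the issuing CA. TLS_REQCERT is a client-side (ldap.conf) directive; slapd.conf controls client-certificate checking with TLSVerifyClient instead.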