[Fedora-directory-users] TLS for dummies

Craig White craigwhite at azapple.com
Fri Dec 9 20:13:27 UTC 2005


On Fri, 2005-12-09 at 12:31 -0700, Richard Megginson wrote:
> Craig White wrote:
> 
> >Just basic stuff...I promise I have been through the wiki and the
> >Administrator's guide (managing SSL and SASL) several times.
> >
> >Using openssl generated CA certificate and used that to sign CSR's from
> >console application and loaded them all into console application. Have
> >restarted FDS and it seems to be happy - but just to confirm...
> >
> >lifted from /opt/fedora-ds/slapd-srv1/logs/errors
> >[09/Dec/2005:08:33:47 -0700] - Fedora-Directory/1.0.1 B2005.342.165
> >starting up
> >[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher AES in
> >backend userRoot, attempting to create one...
> >[09/Dec/2005:08:33:47 -0700] - Key for cipher AES successfully generated
> >and stored
> >[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher 3DES in
> >backend userRoot, attempting to create one...
> >[09/Dec/2005:08:33:47 -0700] - Key for cipher 3DES successfully
> >generated and stored
> >[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher AES in
> >backend NetscapeRoot, attempting to create one...
> >[09/Dec/2005:08:33:48 -0700] - Key for cipher AES successfully generated
> >and stored
> >[09/Dec/2005:08:33:48 -0700] - No symmetric key found for cipher 3DES in
> >backend NetscapeRoot, attempting to create one...
> >[09/Dec/2005:08:33:48 -0700] - Key for cipher 3DES successfully
> >generated and stored
> >[09/Dec/2005:08:33:48 -0700] - slapd started.  Listening on All
> >Interfaces port 389 for LDAP requests
> >[09/Dec/2005:08:33:48 -0700] - Listening on All Interfaces port 636 for
> >LDAPS requests
> >
> >MY PROBLEM
> ># ldapsearch -ZZ '(uid=jim)'
> >ldap_start_tls: Connect error (-11)
> >        additional info: Start TLS request accepted.Server willing to
> >negotiate SSL.
> >  
> >
> Looks like openldap and FDS are not responding to the startTLS operation 
> the same way.   Try
> ldapsearch -v ...
> or
> ldapsearch -d 1 ...
> 
----
OK - the instructions don't entirely cover the issue when you use the OpenLDAP
client version of ldapsearch

ldapsearch -x -ZZ '(uid=jim)' # no problem

the -x was still required for SSL (ldaps://server:636 and
ldap://server:389) when not using SASL

thanks

and thanks David - it helped clarify things

Craig
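The server-side half of the check above is the startup record in the slapd errors log. The following is an added example, not code from the thread or from Fedora Directory Server: it parses lines in the `[timestamp] - message` format quoted above (the sample log is constructed from that excerpt) and reports which listeners came up and which per-backend symmetric keys were generated, so an admin can confirm the LDAPS listener on 636 before debugging the client side with `ldapsearch -x -ZZ`.

```python
import re

# Constructed sample in the shape of the FDS 1.0.1 startup log quoted in the thread.
SAMPLE_ERRORS_LOG = """\
[09/Dec/2005:08:33:47 -0700] - Fedora-Directory/1.0.1 B2005.342.165 starting up
[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
[09/Dec/2005:08:33:47 -0700] - Key for cipher AES successfully generated and stored
[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
[09/Dec/2005:08:33:47 -0700] - Key for cipher 3DES successfully generated and stored
[09/Dec/2005:08:33:48 -0700] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[09/Dec/2005:08:33:48 -0700] - Listening on All Interfaces port 636 for LDAPS requests
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<msg>.*)$")
LISTEN_RE = re.compile(r"Listening on (?P<iface>.+?) port (?P<port>\d+) for (?P<proto>LDAPS?) requests")
NOKEY_RE = re.compile(r"No symmetric key found for cipher (?P<cipher>\S+) in backend (?P<backend>\S+),")
KEY_RE = re.compile(r"Key for cipher (?P<cipher>\S+) successfully generated and stored")


def parse_startup(log_text):
    """Summarise a slapd startup: listeners by protocol and generated keys by backend."""
    listeners = {}  # e.g. {"LDAP": 389, "LDAPS": 636}
    keys = {}       # e.g. {"userRoot": ["AES", "3DES"]}
    pending = None  # (backend, cipher) announced but not yet confirmed as stored
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a slapd log line; ignore
        msg = m.group("msg")
        listen = LISTEN_RE.search(msg)
        nokey = NOKEY_RE.search(msg)
        key = KEY_RE.search(msg)
        if listen:
            listeners[listen.group("proto")] = int(listen.group("port"))
        elif nokey:
            pending = (nokey.group("backend"), nokey.group("cipher"))
        elif key and pending and pending[1] == key.group("cipher"):
            # The "successfully generated" line names no backend; pair it with the
            # immediately preceding "No symmetric key found ... in backend X" line.
            keys.setdefault(pending[0], []).append(pending[1])
            pending = None
    return {"listeners": listeners, "keys": keys}


def ldaps_listener_up(summary):
    """True if slapd reported an LDAPS listener. StartTLS on 389 must still be
    verified from the client (ldapsearch -x -ZZ), which this log cannot show."""
    return "LDAPS" in summary["listeners"]
```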
