[Fedora-directory-users] TLS for dummies
Craig White
craigwhite at azapple.com
Fri Dec 9 20:13:27 UTC 2005
On Fri, 2005-12-09 at 12:31 -0700, Richard Megginson wrote:
> Craig White wrote:
>
> >Just basic stuff...I promise I have been through the wiki and the
> >Administrator's guide (managing SSL and SASL) several times.
> >
> >Using openssl generated CA certificate and used that to sign CSR's from
> >console application and loaded them all into console application. Have
> >restarted FDS and it seems to be happy - but just to confirm...
> >
> >lifted from /opt/fedora-ds/slapd-srv1/logs/errors
> >[09/Dec/2005:08:33:47 -0700] - Fedora-Directory/1.0.1 B2005.342.165
> >starting up
> >[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher AES in
> >backend userRoot, attempting to create one...
> >[09/Dec/2005:08:33:47 -0700] - Key for cipher AES successfully generated
> >and stored
> >[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher 3DES in
> >backend userRoot, attempting to create one...
> >[09/Dec/2005:08:33:47 -0700] - Key for cipher 3DES successfully
> >generated and stored
> >[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher AES in
> >backend NetscapeRoot, attempting to create one...
> >[09/Dec/2005:08:33:48 -0700] - Key for cipher AES successfully generated
> >and stored
> >[09/Dec/2005:08:33:48 -0700] - No symmetric key found for cipher 3DES in
> >backend NetscapeRoot, attempting to create one...
> >[09/Dec/2005:08:33:48 -0700] - Key for cipher 3DES successfully
> >generated and stored
> >[09/Dec/2005:08:33:48 -0700] - slapd started. Listening on All
> >Interfaces port 389 for LDAP requests
> >[09/Dec/2005:08:33:48 -0700] - Listening on All Interfaces port 636 for
> >LDAPS requests
> >
> >MY PROBLEM
> ># ldapsearch -ZZ '(uid=jim)'
> >ldap_start_tls: Connect error (-11)
> > additional info: Start TLS request accepted.Server willing to
> >negotiate SSL.
> >
> >
> Looks like openldap and FDS are not responding to the startTLS operation
> the same way. Try
> ldapsearch -v ...
> or
> ldapsearch -d 1 ...
>
----
OK - the instructions don't entirely cover the issue when you use the
openldap client version of ldapsearch:
ldapsearch -x -ZZ '(uid=jim)' # no problem
The -x was still required for SSL (ldaps://server:636 and
ldap://server:389) when not using SASL.
thanks
and thanks David - it helped clarify things
Craig
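Two things in this thread are worth turning into a repeatable check: reading the slapd errors log to confirm that the key material was generated and that both the LDAP (389) and LDAPS (636) listeners actually came up, and building the ldapsearch invocation with the simple-bind flag (-x) that the OpenLDAP client needs for STARTTLS (-ZZ) or ldaps:// when SASL is not in use. The following is an added example, not code from the thread or from the Fedora Directory Server project; the log excerpt is the one quoted above, re-joined onto single lines, and the hostname, search base and filter passed to the command builder are placeholders.

```python
"""Summarise a Fedora DS errors log and build the matching ldapsearch command.

Added example for the thread above; not project code. Sample log lines are
the ones quoted in the thread, re-joined onto single lines.
"""
import re

# Constructed sample: startup lines from the thread, one backend kept.
SAMPLE_LOG = """\
[09/Dec/2005:08:33:47 -0700] - Fedora-Directory/1.0.1 B2005.342.165 starting up
[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
[09/Dec/2005:08:33:47 -0700] - Key for cipher AES successfully generated and stored
[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
[09/Dec/2005:08:33:47 -0700] - Key for cipher 3DES successfully generated and stored
[09/Dec/2005:08:33:48 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[09/Dec/2005:08:33:48 -0700] - Listening on All Interfaces port 636 for LDAPS requests
"""

# One errors-log line: "[timestamp] - message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<msg>.*)$")
LISTEN_RE = re.compile(r"Listening on (?P<iface>.+?) port (?P<port>\d+) for (?P<proto>\w+) requests")
NOKEY_RE = re.compile(r"No symmetric key found for cipher (?P<cipher>\w+) in backend (?P<backend>\w+)")
KEY_RE = re.compile(r"Key for cipher (?P<cipher>\w+) successfully generated and stored")


def parse_errors_log(text):
    """Return {'listeners': {proto: port}, 'keys': {backend: [cipher, ...]}}.

    The 'Key ... generated' line does not name the backend, so it is
    attributed to the backend named by the preceding 'No symmetric key' line.
    """
    listeners = {}
    keys = {}
    pending_backend = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip anything that is not a standard log line
        msg = m.group("msg")
        lm = LISTEN_RE.search(msg)
        if lm:
            listeners[lm.group("proto")] = int(lm.group("port"))
            continue
        nm = NOKEY_RE.search(msg)
        if nm:
            pending_backend = nm.group("backend")
            continue
        km = KEY_RE.search(msg)
        if km and pending_backend:
            keys.setdefault(pending_backend, []).append(km.group("cipher"))
            pending_backend = None
    return {"listeners": listeners, "keys": keys}


def tls_listener_ready(summary):
    """True when the server reported an LDAPS listener (port 636 in the thread)."""
    return "LDAPS" in summary["listeners"]


def ldapsearch_command(host, search_filter, base, mode="starttls"):
    """Build the OpenLDAP ldapsearch argv for a TLS-protected simple-bind search.

    mode='starttls': plain port 389 plus -ZZ (fail if STARTTLS does not succeed).
    mode='ldaps':    ldaps:// on 636, no -ZZ needed.
    -x selects simple (non-SASL) bind, the flag the thread found necessary.
    host/base/filter are caller-supplied placeholders, not values from the thread.
    """
    if mode == "starttls":
        url, extra = f"ldap://{host}:389", ["-ZZ"]
    elif mode == "ldaps":
        url, extra = f"ldaps://{host}:636", []
    else:
        raise ValueError(f"unknown mode: {mode}")
    return ["ldapsearch", "-x", *extra, "-H", url, "-b", base, search_filter]


if __name__ == "__main__":
    summary = parse_errors_log(SAMPLE_LOG)
    print(summary)
    print("LDAPS ready:", tls_listener_ready(summary))
    print(" ".join(ldapsearch_command("srv1.example.invalid", "(uid=jim)", "dc=example,dc=com")))
```

The builder returns an argv list rather than a shell string so it can be handed to subprocess without quoting problems; the -b base is required by the OpenLDAP client unless a default base is configured in ldap.conf, and when STARTTLS still fails, the thread's suggestion of adding -d 1 to the same command shows the TLS negotiation in detail.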