[Fedora-directory-users] Re: TLS for dummies

Howard Chu hyc at symas.com
Sat Dec 10 06:42:29 UTC 2005


fedora-directory-users-request at redhat.com wrote:
> Date: Fri, 09 Dec 2005 12:05:18 -0700
> From: Craig White <craigwhite at azapple.com>
>
> Just basic stuff...I promise I have been through the wiki and the
> Administrator's guide (managing SSL and SASL) several times.
>
> Using an openssl-generated CA certificate and used that to sign CSRs from
> the console application and loaded them all into the console application. Have
> restarted FDS and it seems to be happy - but just to confirm...
>
>
>
> MY PROBLEM
> # ldapsearch -ZZ '(uid=jim)'
> ldap_start_tls: Connect error (-11)
>         additional info: Start TLS request accepted.Server willing to
> negotiate SSL.
>
> # tail -n4 /opt/fedora-ds/slapd-srv1/logs/access
> [09/Dec/2005:11:55:26 -0700] conn=83 op=5 fd=68 closed - U1
> [09/Dec/2005:12:00:58 -0700] conn=84 fd=68 slot=68 connection from
> 127.0.0.1 to 127.0.0.1
> [09/Dec/2005:12:00:58 -0700] conn=84 op=0 EXT
> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [09/Dec/2005:12:00:58 -0700] conn=84 op=0 RESULT err=0 tag=120
> nentries=0 etime=0
> [09/Dec/2005:12:00:58 -0700] conn=84 op=-1 fd=68 closed - Encountered
> end of file.
>
> # tail -n 7 /etc/openldap/ldap.conf
> URI     ldap://srv1.clsurvey.com
> HOST    srv1.clsurvey.com
> BASE dc=clsurvey,dc=com
> TLS_CACERTDIR /etc/ssl
> TLS_CACERT server.crt
> pam_password md5
> TLS_REQCERT allow
>
> My thinking is that this somehow has something to do with the TLS_CACERT
> in /etc/openldap/ldap.conf (the certificate for the client).
>   

Please re-read http://www.openldap.org/doc/admin23/tls.html; it's quite 
clear about how to configure the CA cert.
Note that "pam_password" is not an OpenLDAP config keyword.
> Would this be the issue?
>
> Is there a better method for creating the client certificate from either
> the CA certificate (generated by openssl) or from the FDS Server
> Certificate (also generated by openssl)?
>   

Only CA certs may be used to generate other certs. The server cert is 
just that, nothing more.

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
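As an added illustration, not part of the original thread or of any OpenLDAP or FDS tool: a small POSIX sh linter that flags the three client-side problems discussed above when run over the posted /etc/openldap/ldap.conf. It assumes the keyword list below (a subset of ldap.conf(5)), that a relative TLS_CACERT is resolved against the client's working directory rather than TLS_CACERTDIR, and that the CA file, when it exists and openssl is installed, should carry basicConstraints CA:TRUE. The sample configuration is embedded as a constructed copy of the one in the post; the placeholder path in the comments is not a real file.

```sh
#!/bin/sh
# Lint an OpenLDAP client ldap.conf for the mistakes discussed in this thread.
# Hypothetical helper written for this page; not part of OpenLDAP.

# Constructed copy of the ldap.conf quoted in the post.
sample_conf() {
    cat <<'EOF'
URI     ldap://srv1.clsurvey.com
HOST    srv1.clsurvey.com
BASE dc=clsurvey,dc=com
TLS_CACERTDIR /etc/ssl
TLS_CACERT server.crt
pam_password md5
TLS_REQCERT allow
EOF
}

# Print one "WARN ..." line per finding for the file given as $1.
lint_ldap_conf() {
    conf="$1"
    # Subset of the keywords libldap reads from ldap.conf(5); keywords are
    # case-insensitive, so every key is upper-cased before the lookup.
    known="URI HOST PORT BASE BINDDN DEREF SIZELIMIT TIMELIMIT NETWORK_TIMEOUT \
TIMEOUT REFERRALS SASL_MECH SASL_REALM SASL_AUTHCID SASL_AUTHZID SASL_SECPROPS \
TLS_CACERT TLS_CACERTDIR TLS_CERT TLS_KEY TLS_CIPHER_SUITE TLS_RANDFILE \
TLS_REQCERT TLS_CRLCHECK"
    while read -r key val; do
        case "$key" in ''|'#'*) continue ;; esac
        ukey=$(printf '%s' "$key" | tr 'a-z' 'A-Z')
        case " $known " in
            *" $ukey "*) ;;
            *) echo "WARN unknown keyword '$key': not an OpenLDAP ldap.conf keyword (it belongs in the pam_ldap/nss_ldap config, if anywhere)" ;;
        esac
        case "$ukey" in
            TLS_CACERT)
                case "$val" in
                    /*) ;;
                    *) echo "WARN TLS_CACERT '$val' is not an absolute path; libldap resolves it against the client's working directory, not TLS_CACERTDIR" ;;
                esac
                # If the file is readable and openssl is present, make sure it is a
                # CA certificate: the client must trust the CA that signed the server
                # cert, not the server cert itself, and only a CA cert can sign others.
                if [ -r "$val" ] && command -v openssl >/dev/null 2>&1; then
                    if ! openssl x509 -in "$val" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
                        echo "WARN TLS_CACERT '$val' lacks basicConstraints CA:TRUE; point it at the CA certificate, not the server certificate"
                    fi
                fi
                ;;
            TLS_REQCERT)
                case "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" in
                    never|allow) echo "WARN TLS_REQCERT $val lets the client proceed without a valid server certificate; use 'demand' once the CA cert is in place" ;;
                esac
                ;;
        esac
    done < "$conf"
}

# Number of findings for the file given as $1 (used by the demo and the checks).
count_findings() {
    lint_ldap_conf "$1" | awk '/^WARN/ { n++ } END { print n + 0 }'
}

# Demo: lint the constructed copy of the posted config.
demo_conf=$(mktemp)
sample_conf > "$demo_conf"
lint_ldap_conf "$demo_conf"
echo "findings: $(count_findings "$demo_conf")"
rm -f "$demo_conf"
```

Run against the posted configuration it reports three findings: the relative TLS_CACERT, the stray pam_password line, and TLS_REQCERT allow. A corrected file with an absolute TLS_CACERT pointing at the CA certificate, no pam_password line, and TLS_REQCERT demand produces none.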