[Fedora-directory-users] ssl certificate problem

Paolo Ercolani paolo.ercolani at postel.it
Tue Apr 10 13:09:31 UTC 2007


Hi. I'm new to this list and it's been a week that I'm really fighting
with directory server. I followed some howtos, I downloaded a lot of
documents but I can't get out of trouble.
I need to make login from my Linux boxes on the LDAP directory server. If
I try to use my test user in clear mode I can do that. The problem is when
I try to configure a self-signed certificate. I'll not describe all the
tests I've done, I'll tell you just the last!!
I created my cacert.pem on the ldapserver and I installed it from the
console. It goes and it's ok. Then I used openssl to generate a private
key and a certificate request, then I signed it. That's what I did:

    openssl genrsa -out privkey.pem 2048
    openssl req -new -key privkey.pem -out PEM.csr
    openssl ca -cert cacert.pem -in PEM.csr -out cert.pem

I copied cacert.pem, privkey.pem and cert.pem to the client and I
configured ldap.conf on it:

    URI ldaps://<ldapserver>:636
    BASE ou=UTENTI,o=postel,c=com
    host kingu.postel.com
    TLS_REQCERT allow
    TLS_CHECKPEER yes
    TLS_CACERTDIR /etc/ssl
    TLS_CACERT /etc/ssl/cacert.pem
    TLS_CERT /etc/ssl/cert.pem
    TLS_KEY /etc/ssl/privkey.pem

I activated SSL on my LDAP server and I installed my cacert.pem on it. I
didn't do anything else.
I also tried to generate a certificate request from directory server and
to sign it with my cacert.pem. Then I imported it as my server-cert.
It imported, but login still didn't go.

I followed the manuals I found on directory.fedora.org (managing SSL and
SASL), but I looked at a lot of other documents too.

I think the logs say nothing bad. That's my access log:

    [10/Apr/2007:14:59:54 +0200] conn=15 fd=65 slot=65 SSL connection from <ldap client> to <ldap server>
    [10/Apr/2007:14:59:54 +0200] conn=15 SSL 256-bit AES
    [10/Apr/2007:14:59:54 +0200] conn=15 op=0 BIND dn="" method=128 version=3
    [10/Apr/2007:14:59:54 +0200] conn=15 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
    [10/Apr/2007:14:59:54 +0200] conn=15 op=1 SRCH base="ou=UTENTI,o=postel,c=com" scope=2 filter="(&(objectClass=posixAccount)(uid=utente))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
    [10/Apr/2007:14:59:54 +0200] conn=15 op=1 RESULT err=0 tag=101 nentries=1 etime=0
    [10/Apr/2007:14:59:56 +0200] conn=15 op=2 SRCH base="ou=UTENTI,o=postel,c=com" scope=2 filter="(&(objectClass=posixAccount)(uid=utente))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
    [10/Apr/2007:14:59:56 +0200] conn=15 op=2 RESULT err=0 tag=101 nentries=1 etime=0
    [10/Apr/2007:14:59:56 +0200] conn=15 op=3 SRCH base="ou=UTENTI,o=postel,c=com" scope=2 filter="(&(objectClass=shadowAccount)(uid=utente))" attrs="uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag"
    [10/Apr/2007:14:59:56 +0200] conn=15 op=3 RESULT err=0 tag=101 nentries=1 etime=0
    [10/Apr/2007:14:59:56 +0200] conn=15 op=4 SRCH base="ou=UTENTI,o=postel,c=com" scope=2 filter="(&(objectClass=posixAccount)(uid=utente))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
    [10/Apr/2007:14:59:56 +0200] conn=15 op=4 RESULT err=0 tag=101 nentries=1 etime=0
    [10/Apr/2007:14:59:56 +0200] conn=16 fd=66 slot=66 SSL connection from <ldap client> to <ldap server>

To me it seems it says nothing bad. I can't get out of it and I don't
understand what is wrong. The directory server version is 1.0.4. I
installed it from RPM on Red Hat Enterprise 4.

If I try to log on with URI ldap://<ldapserver> (not SSL!!) it goes and I
can authenticate using LDAP!!!

Can anyone help me, please???


Thanks everyone.
Paolo.


-- 
Paolo Ercolani
Postel
Gestione Servizi e Accessi Telematici
Erogazione Servizi e Gestione Infrastrutture Mass Communication
Viale Guglielmo Massaia 31 – 00154 Roma
Tel 06 51426 549 Fax 06 51426 553
e-mail: paolo.ercolani at postel.com
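The access log quoted above is the only evidence the poster has, and reading it by hand conceals the one thing that matters for an LDAP-login failure: on the SSL connection the server sees only an anonymous BIND (dn="") followed by lookups, and the next SSL connection (conn=16) logs no operation at all. The parser below, an added example that is not part of the original post, summarises a Fedora/389 Directory Server access log per connection and flags the patterns a defender would look for when TLS logins fail: SSL connections with no operations (typically the client tore the session down after the handshake, for example because it could not verify the server certificate), connections that only ever bind anonymously, user binds carried over cleartext, and non-zero RESULT codes. The sample log is constructed for this example and modelled on the format in the post; the conn numbers, addresses and the err=49 line are constructed, not taken from the poster's server.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in 389-DS/Fedora-DS access-log format (not the poster's real log).
SAMPLE_LOG = """\
[10/Apr/2007:14:59:54 +0200] conn=15 fd=65 slot=65 SSL connection from 10.0.0.5 to 10.0.0.1
[10/Apr/2007:14:59:54 +0200] conn=15 SSL 256-bit AES
[10/Apr/2007:14:59:54 +0200] conn=15 op=0 BIND dn="" method=128 version=3
[10/Apr/2007:14:59:54 +0200] conn=15 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[10/Apr/2007:14:59:54 +0200] conn=15 op=1 SRCH base="ou=UTENTI,o=postel,c=com" scope=2 filter="(&(objectClass=posixAccount)(uid=utente))" attrs="uid userPassword"
[10/Apr/2007:14:59:54 +0200] conn=15 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[10/Apr/2007:14:59:56 +0200] conn=16 fd=66 slot=66 SSL connection from 10.0.0.5 to 10.0.0.1
[10/Apr/2007:14:59:57 +0200] conn=17 fd=67 slot=67 connection from 10.0.0.5 to 10.0.0.1
[10/Apr/2007:14:59:57 +0200] conn=17 op=0 BIND dn="uid=utente,ou=UTENTI,o=postel,c=com" method=128 version=3
[10/Apr/2007:14:59:57 +0200] conn=17 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
OP_RE = re.compile(r'^op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<args>.*)$')
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r'err=(?P<err>\d+)')


@dataclass
class Conn:
    """Everything we learn about one connection from its log lines."""
    conn: int
    ssl: bool = False          # opened with "SSL connection from"
    cipher: str = ""           # e.g. "256-bit AES"
    bind_dns: list = field(default_factory=list)   # DN of every BIND, "" = anonymous
    errors: list = field(default_factory=list)     # (op, err) for non-zero RESULT codes
    ops: int = 0               # request lines seen (BIND, SRCH, ...), RESULT lines excluded


def parse_access_log(text):
    """Group access-log lines by conn number and extract the fields we need."""
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # not an access-log line; ignore
        cid = int(m.group('conn'))
        rest = m.group('rest')
        c = conns.setdefault(cid, Conn(cid))
        if 'SSL connection from' in rest:
            c.ssl = True                  # "fd=65 slot=65 SSL connection from ..."
            continue
        if rest.startswith('SSL '):
            c.cipher = rest[4:]           # "SSL 256-bit AES"
            continue
        om = OP_RE.match(rest)
        if not om:
            continue
        kind, args = om.group('kind'), om.group('args')
        if kind == 'RESULT':
            err = int(ERR_RE.search(args).group('err'))
            if err != 0:
                c.errors.append((int(om.group('op')), err))
            continue
        c.ops += 1
        if kind == 'BIND':
            dm = DN_RE.search(args)
            c.bind_dns.append(dm.group('dn') if dm else '')
    return conns


def diagnose(conns):
    """Return (conn, finding) pairs; each finding is a tag a human can act on."""
    findings = []
    for c in sorted(conns.values(), key=lambda c: c.conn):
        if c.ssl and c.ops == 0:
            # TLS session opened but the client never sent a request: usually
            # the client aborted after the handshake (certificate not trusted,
            # hostname mismatch) or the log is truncated.
            findings.append((c.conn, 'ssl-no-ops'))
        elif c.bind_dns and all(dn == '' for dn in c.bind_dns):
            # Only anonymous binds: the user's own credentials never reached the server.
            findings.append((c.conn, 'anonymous-only'))
        if not c.ssl and any(c.bind_dns):
            # A simple bind with a real DN on a non-SSL connection sends the password in clear.
            findings.append((c.conn, 'cleartext-user-bind'))
        for op, err in c.errors:
            findings.append((c.conn, 'err=%d' % err))   # e.g. err=49 = invalid credentials
    return findings


if __name__ == '__main__':
    for conn, finding in diagnose(parse_access_log(SAMPLE_LOG)):
        print('conn=%d %s' % (conn, finding))
```

Run against a real access log (`diagnose(parse_access_log(open(path).read()))`) and look first at `ssl-no-ops` connections that coincide with a login attempt: those are the sessions where the TLS layer, not LDAP, rejected the exchange, and the client side (`ldapsearch -ZZ`/`ldaps://` with the same ldap.conf, or `openssl s_client -connect host:636 -CAfile cacert.pem`) is where the reason will show up.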