[Fedora-directory-users] ssl certificate problem
Richard Megginson
rmeggins at redhat.com
Tue Apr 17 14:31:53 UTC 2007
Paolo Ercolani wrote:
> Paolo Ercolani wrote:
>
> Hi. I'm new to this list and for a week I've really been fighting with
> directory server. I followed some howtos and I downloaded a lot of
> documents, but I can't get out of trouble. I need to log in from
> my Linux boxes against the LDAP directory server. If I try to use my test
> user in clear mode I can do that. The problem is when I try to
> configure a self-signed certificate. I'll not describe all the tests
> I've done, I'll tell you just the last one!! I created my cacert.pem on
> the LDAP server and I installed it from the console. It goes and it's
> OK. Then I used openssl to generate a private key and a certificate
> request, then I signed it. That's what I did:
>
> # 2048-bit RSA private key for the client/server cert
> openssl genrsa -out privkey.pem 2048
> # certificate signing request for that key (subject is prompted for)
> openssl req -new -key privkey.pem -out PEM.csr
> # sign the CSR with the CA; the CA key is taken from the [ CA_default ]
> # private_key entry in openssl.cnf unless -keyfile is given
> openssl ca -cert cacert.pem -in PEM.csr -out cert.pem
>
>
> I copied cacert.pem, privkey.pem and cert.pem to the client and I
> configured ldap.conf on it:
Is this /etc/openldap/ldap.conf? In order to get pam/nss working (I
assume by "login" you mean login to the operating system) you need to
configure pam/nss ldap to do TLS, which is the file /etc/ldap.conf,
which takes the below parameters in a slightly different format.
I don't know if you need TLS_CERT and TLS_KEY - are you attempting to do
client cert auth - EXTERNAL bind?
>
> URI ldaps://<ldapserver>:636
> BASE ou=UTENTI,o=postel,c=com
> host kingu.postel.com
> TLS_REQCERT allow
> TLS_CHECKPEER yes
> TLS_CACERTDIR /etc/ssl
> TLS_CACERT /etc/ssl/cacert.pem
> TLS_CERT /etc/ssl/cert.pem
> TLS_KEY /etc/ssl/privkey.pem
>
>
> I activated SSL on my LDAP server and I installed my cacert.pem on
> it. I didn't do anything else. I also tried to generate a certificate
> request from directory server and to sign it with my cacert.pem.
> Then I imported it as my server cert. It imported it, but login
> still didn't go.
> > I'm unclear on this last step. What do you mean by login still didn't
> > go? Because the access log excerpt below would seem to indicate that
> > the os did search for and find the login name.
>
> Yes. Reading the logs it seems login goes OK. But my client can't really
> log in and I don't know what I can check. The client asks me again for the
> password, but I'm sure it's the right one. Have you any ideas for
> checking something???
>
> Thanks in advance.
> Paolo.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
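The split between the two client config files that Richard points at, as an added illustration that is not from the original thread or from the Fedora Directory Server project: the OpenLDAP client library reads /etc/openldap/ldap.conf (upper-case directives), while pam_ldap and nss_ldap, which handle the OS login, read /etc/ldap.conf (lower-case directives). The host name, base DN and certificate paths are the ones posted above; the "allow" line is kept, commented out, next to the corrected setting so the difference is visible.

```conf
# /etc/openldap/ldap.conf  - read by the OpenLDAP library (ldapsearch, ldapwhoami, ...)
URI   ldaps://kingu.postel.com:636
BASE  ou=UTENTI,o=postel,c=com
# Weak: "allow" tolerates a missing or unverifiable server certificate and
# carries on, so a self-signed CA that does not match is never noticed.
#TLS_REQCERT allow
# Corrected: refuse the connection unless the server cert chains to the CA below.
TLS_REQCERT demand
TLS_CACERT  /etc/ssl/cacert.pem
# TLS_CERT / TLS_KEY are only needed for client-certificate (SASL EXTERNAL)
# authentication; a simple password bind does not use them.

# /etc/ldap.conf  - read by pam_ldap / nss_ldap (login, getent passwd, ...)
uri ldaps://kingu.postel.com:636
base ou=UTENTI,o=postel,c=com
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/cacert.pem
```

Two checks worth running on the client before touching PAM: `openssl s_client -connect kingu.postel.com:636 -CAfile /etc/ssl/cacert.pem` should end with "Verify return code: 0 (ok)", which confirms that the cacert.pem on the client is the CA that actually signed the certificate the server presents; and `ldapsearch -x -H ldaps://kingu.postel.com:636 -b ou=UTENTI,o=postel,c=com -d 1` prints the TLS handshake, so a certificate problem shows up there instead of as a silently repeated password prompt. Once both pass, `getent passwd <testuser>` exercises nss_ldap through /etc/ldap.conf with the same settings the login path uses.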