[Fedora-directory-users] SOLVED: NSPR "Certificate type not approved for application" error when a TLS-enabled proxy LDAP OpenLDAP server connects to Fedora Directory Server

Rich Megginson rmeggins at redhat.com
Mon Apr 14 17:15:13 UTC 2008


Aleksander Adamowski wrote:
> Rich Megginson wrote:
>> Do you need to use cert based auth?  If not, just configure the 
>> application to not use cert. based auth - just use username/password 
>> auth over SSL (or TLS).  If you must use cert. based auth, you may be 
>> able to use the certutil command to change the trust flags of the 
>> cert - see certutil -H.  See also this page for information about 
>> cert. based auth - 
>> http://directory.fedoraproject.org/wiki/Howto:CertMapping
> Hmm, this has given me an idea for a solution. After switching 
> Encryption -> Client Authentication settings of dirsrv from "Allow 
> client authentication" to "Do not allow client authentication" I got 
> this working.
>
> It seems that whenever certificate authentication is an allowed 
> possibility on the FDS server side, OpenLDAP client tries using it 
> even if it is operating inside an OpenLDAP server environment (in 
> which case it supplies its server certificate as client's - thus the 
> problem).
>
> This case is special since OpenLDAP server acts as an LDAP client to 
> FDS server.
> I think the problem is on OpenLDAP side (it shouldn't use its server 
> certificate for client authentication when acting as an LDAP client).
That should be fine.  Fedora DS can do the same thing e.g. with 
server-to-server chaining and replication, using the server cert for 
client cert auth.  It just depends on the type of cert issued and/or the 
trust flags on the cert.
>
>>> Like, say some tweaks in nss.conf?
>> NSS (Netscape^H^H^H^H^Hwork Security Services) for crypto and nss 
>> (name switch service - as in nss_ldap) are completely different and 
>> unfortunately share the same name.
> Read carefully: I wasn't talking about nsswitch.conf (which is for 
> Name Service Switch), but nss.conf (which is a config file for mod_nss 
> which is based on Network Security Services library).
>
> The FDS admin server (dirsrv-admin) is based on Apache and it uses 
> mod_nss for handling SSL connections.
> So inside /etc/dirsrv/admin-serv/nss.conf you can tweak SSL-related 
> behaviour of dirsrv-admin.
Ok.  I thought we were talking about the directory server only.
>
> I thought that there might be a similar method to tweak behaviour of 
> dirsrv (although not through nss.conf since dirsrv doesn't use mod_nss 
> and doesn't contain a http server in any part ), like some 
> undocumented setting in dse.ldif. However, more correct fix turned out 
> to be disallow certificate-based client authentication.
See the RHDS 8.0 Admin Guide, Chapter 12 - 
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/ and 
http://tinyurl.com/688w9y

See also the detailed information for all of the security/encryption 
configuration entries and attributes - http://tinyurl.com/35qddb - there 
is also an apparently undocumented entry cn=RSA, cn=encryption, cn=config.
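An added example (not from the thread or from the Fedora DS project) that puts both halves of the discussion into a script: it reads the trust flags of the server's certificate from a `certutil -L` listing and emits the LDIF that switches certificate-based client authentication off under cn=encryption,cn=config. The attribute name nsSSLClientAuth is assumed from the RHDS configuration reference linked above, not quoted in the thread, and the certutil listing below is a constructed sample rather than real server output.

```shell
#!/bin/sh
# Constructed sample of `certutil -L -d /etc/dirsrv/slapd-INSTANCE` output
# (not captured from a real server).
SAMPLE_CERTUTIL_LIST='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,
Server-Cert                                                  u,u,u
'

# cert_trust_flags NICKNAME [LISTING]: print the trust attribute string
# (e.g. "u,u,u") for NICKNAME from a certutil -L listing; prints nothing
# when the nickname is absent.  Uses the sample listing by default.
cert_trust_flags() {
    nick=$1
    listing=${2:-$SAMPLE_CERTUTIL_LIST}
    printf '%s\n' "$listing" | awk -v n="$nick" '
        # trust flags are the last field; the nickname is everything before it
        NF >= 2 {
            flags = $NF; $NF = ""; sub(/[ \t]+$/, "")
            if ($0 == n) { print flags; exit }
        }'
}

# client_auth_ldif MODE: LDIF for ldapmodify that sets nsSSLClientAuth
# (off|allowed|required) on cn=encryption,cn=config.  The attribute name
# is assumed from the RHDS configuration reference, not from the thread.
client_auth_ldif() {
    case $1 in
        off|allowed|required) ;;
        *) echo "usage: client_auth_ldif off|allowed|required" >&2; return 1 ;;
    esac
    printf 'dn: cn=encryption,cn=config\n'
    printf 'changetype: modify\n'
    printf 'replace: nsSSLClientAuth\n'
    printf 'nsSSLClientAuth: %s\n' "$1"
}

# Live usage against a running instance (commented out so the script runs
# stand-alone):
# certutil -L -d /etc/dirsrv/slapd-INSTANCE
# client_auth_ldif off | ldapmodify -x -D "cn=Directory Manager" -W -H ldap://localhost
```

Switching the setting to `off` is the fix the thread arrived at; `allowed` restores the original behaviour if the OpenLDAP proxy is later given a certificate that is acceptable for client authentication.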