[Fedora-directory-users] SOLVED: NSPR "Certificate type not approved for application" error when a TLS-enabled proxy LDAP OpenLDAP server connects to Fedora Directory Server
Rich Megginson
rmeggins at redhat.com
Mon Apr 14 17:15:13 UTC 2008
Aleksander Adamowski wrote:
> Rich Megginson wrote:
>> Do you need to use cert based auth? If not, just configure the
>> application to not use cert. based auth - just use username/password
>> auth over SSL (or TLS). If you must use cert. based auth, you may be
>> able to use the certutil command to change the trust flags of the
>> cert - see certutil -H. See also this page for information about
>> cert. based auth -
>> http://directory.fedoraproject.org/wiki/Howto:CertMapping
> Hmm, this has given me an idea for a solution. After switching
> Encryption -> Client Authentication settings of dirsrv from "Allow
> client authentication" to "Do not allow client authentication" I got
> this working.
>
> It seems that whenever certificate authentication is an allowed
> possibility on the FDS server side, OpenLDAP client tries using it
> even if it is operating inside an OpenLDAP server environment (in
> which case it supplies its server certificate as client's - thus the
> problem).
>
> This case is special since OpenLDAP server acts as an LDAP client to
> FDS server.
> I think the problem is on OpenLDAP side (it shouldn't use its server
> certificate for client authentication when acting as an LDAP client).
That should be fine. Fedora DS can do the same thing e.g. with
server-to-server chaining and replication, using the server cert for
client cert auth. It just depends on the type of cert issued and/or the
trust flags on the cert.
>
>>> Like, say some tweaks in nss.conf?
>> NSS (Netscape^H^H^H^H^Hwork Security Services) for crypto and nss
>> (name switch service - as in nss_ldap) are completely different and
>> unfortunately share the same name.
> Read carefully: I wasn't talking about nsswitch.conf (which is for
> Name Service Switch), but nss.conf (which is a config file for mod_nss
> which is based on Network Security Services library).
>
> The FDS admin server (dirsrv-admin) is based on Apache and it uses
> mod_nss for handling SSL connections.
> So inside /etc/dirsrv/admin-serv/nss.conf you can tweak SSL-related
> behaviour of dirsrv-admin.
Ok. I thought we were talking about the directory server only.
>
> I thought that there might be a similar method to tweak behaviour of
> dirsrv (although not through nss.conf since dirsrv doesn't use mod_nss
> and doesn't contain a http server in any part), like some
> undocumented setting in dse.ldif. However, the more correct fix turned out
> to be to disallow certificate-based client authentication.
See the RHDS 8.0 Admin Guide, Chapter 12 -
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/ and
http://tinyurl.com/688w9y
See also the detailed information for all of the security/encryption
configuration entries and attributes - http://tinyurl.com/35qddb - there
is also an apparently undocumented entry cn=RSA, cn=encryption, cn=config.
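As an added illustration (not part of this thread), a small Python parser for the trust-attribute table that `certutil -L` prints, decoding the flag letters documented by `certutil -H`; the nicknames and flags in the listing are constructed sample data:

```python
import re

# Meaning of the certutil trust-flag letters (see `certutil -H`); the same
# letters are used in each of the three comma-separated columns.
TRUST_FLAGS = {
    "p": "valid peer",
    "P": "trusted peer (implies p)",
    "c": "valid CA",
    "C": "trusted CA (implies c)",
    "T": "trusted CA for client authentication (SSL column only)",
    "u": "user certificate (private key present in the database)",
    "w": "send warning",
}
COLUMNS = ("SSL", "S/MIME", "JAR/XPI")

# Constructed example of `certutil -L -d <dbdir>` output.
CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
CA certificate                                               CT,,
Example Corp Root                                            C,,
"""

_ROW = re.compile(r"^(.+?)\s+([pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")


def parse_certutil_listing(text):
    """Map each nickname to its (SSL, S/MIME, JAR/XPI) trust-flag strings.
    Header lines do not match the row pattern and are skipped."""
    certs = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            certs[m.group(1).strip()] = tuple(m.group(2).split(","))
    return certs


def is_user_cert(flags):
    """True if the SSL column carries 'u', i.e. the database holds the
    private key and the server can present this cert itself."""
    return "u" in flags[0]


def trusts_client_auth(flags):
    """True if the SSL column carries 'T': certs issued by this CA are
    accepted for TLS client authentication."""
    return "T" in flags[0]


def describe(flags):
    """One human-readable line per trust column."""
    out = []
    for col, f in zip(COLUMNS, flags):
        names = [TRUST_FLAGS.get(ch, f"unknown flag {ch!r}") for ch in f]
        out.append(f"{col}: {f or '(none)'} -> {'; '.join(names) or 'no trust'}")
    return out
```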