[Fedora-directory-users] Re: tls_checkpeer yes problems

John A. Sullivan III jsullivan at opensourcedevel.com
Thu Feb 5 17:09:03 UTC 2009


On Thu, 2009-02-05 at 16:12 +0100, Thorsten Scherf wrote:
> On [Thu, 29.01.2009 13:32], John A. Sullivan III wrote:
> >Hello, all.  This may be a bit off-topic as it is primarily an ldap
> >client issue but I am having a bear of a time getting my test centos
> >clients to access fds.  The problem is tls_checkpeer.  I do want it set
> >to yes but this breaks access.  It is as if the directory server's cert
> >cannot be validated against the CA cert.  Here are the pertinent
> >settings from my centos client ldap.conf (as you can see, I've tried
> >many combinations):
> >
> >uri ldap://ldap.mycompany.com/
> >#host ldap.mycompany.com
> >#ssl on
> >ssl start_tls
> >#tls_cacertdir /etc/pki/tls/certs
> >tls_cacertfile /etc/pki/tls/certs/SSICA.pem
> >pam_password md5
> >tls_checkpeer yes
> >tls_ciphers TLSv1
> >
> >An strace shows that the SSICA.pem file is opened.  Apparently, this is
> >a problem in Ubuntu because of a change to gnutls.  However, I can
> >confirm the combination of uri ldap://, ssl start_tls, and tls_certfile
> >rather than tls_certdir work on Ubuntu.  My problem is redhat style
> >systems.
> >
> >Our test bed is CentOS 5.2.  Does anyone have this working on newer
> >redhat based systems? If so, with what configuration? Thanks - John
> 
> gnutls has a bug in some Ubuntu versions. This prevents correct
> certificate validation. See here:
> 
> https://bugs.launchpad.net/ubuntu/+source/gnutls12/+bug/305264
> 
> How did you test access to FDS on Red Hat systems? If you use OpenLDAP
> commandline tools like ldapsearch to get access to FDS, you have to run
> cacertdir_rehash on the directory where the CA cert is stored. What is
> the output from:
> 
> # openssl s_client -connect your_host_fqdn:443
> 
> (make sure you have the cacert available in ca-bundle.crt)
> 
> Happy Day.
> Thorsten
<snip>
Bizarre! It works now! I had been trying actual logins to test.  I
flushed nscd countless times.  For hours, I could not get it to work.
Now that I've let it sit for a couple of days, I set tls_checkpeer to
yes and LDAP users can login fine.

I did use openssl s_client as you suggested. I added -verify to force CA
validation and changed the port to 636.  If I did not supply -CAfile, it
worked and said the CA was self-signed (true) and if I did supply
-CAfile, it worked as well.  Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

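The thread turns on two things a client with tls_checkpeer yes must get right: the server cert has to chain to the CA in tls_cacertfile (or in a tls_cacertdir that cacertdir_rehash has prepared), and the cert has to be for the host the client dialed. The script below is an added example, not code from this thread or from the Fedora Directory Server project. It builds a throwaway CA and server cert for the constructed name ldap.example.test, then runs those checks offline with openssl verify; the hashed directory it builds by hand is the same <subject_hash>.0 layout that cacertdir_rehash produces. It assumes an openssl binary of 1.1.0 or newer (for -no-CAfile/-no-CApath); all file names and the CA name are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway CA and a server cert
# for a constructed hostname (ldap.example.test), then runs offline the
# checks a client doing tls_checkpeer yes performs: chain to the CA, CA found
# via a hashed directory (what cacertdir_rehash prepares), and hostname match.
# Assumes openssl 1.1.0 or newer (uses -no-CAfile/-no-CApath).

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_certs() {
    # Minimal req config so the result does not depend on the system openssl.cnf
    cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # Self-signed CA, the role SSICA.pem plays in the ldap.conf from the thread
    openssl req -new -x509 -config "$WORK/req.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    # Server key and CSR for the directory server's (constructed) name
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=ldap.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    # Sign with the CA; the SAN is what the hostname check matches against
    printf 'subjectAltName=DNS:ldap.example.test\n' > "$WORK/server.ext"
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/server.pem" >/dev/null 2>&1
}

# Two CA directories: one holding only a bare copy of the CA (what a plain cp
# into tls_cacertdir gives you) and one with the <subject_hash>.0 link that
# cacertdir_rehash creates. OpenSSL's directory lookup only finds the latter.
make_cadirs() {
    mkdir -p "$WORK/unhashed" "$WORK/hashed"
    cp "$WORK/ca.pem" "$WORK/unhashed/ca.pem"
    cp "$WORK/ca.pem" "$WORK/hashed/ca.pem"
    ln -sf ca.pem "$WORK/hashed/$(openssl x509 -in "$WORK/ca.pem" -noout -subject_hash).0"
}

# Each check returns 0 when the server cert would be accepted, non-zero otherwise.
verify_with_cafile() {       # tls_cacertfile style
    openssl verify -no-CAfile -no-CApath -CAfile "$WORK/ca.pem" \
        "$WORK/server.pem" >/dev/null 2>&1
}
verify_with_capath() {       # tls_cacertdir style; $1 is the directory
    openssl verify -no-CAfile -no-CApath -CApath "$1" \
        "$WORK/server.pem" >/dev/null 2>&1
}
verify_without_ca() {        # no trust anchor configured at all
    openssl verify -no-CAfile -no-CApath "$WORK/server.pem" >/dev/null 2>&1
}
verify_hostname() {          # chain plus name match; $1 is the name the client dialed
    openssl verify -no-CAfile -no-CApath -CAfile "$WORK/ca.pem" \
        -verify_hostname "$1" "$WORK/server.pem" >/dev/null 2>&1
}

show() {  # print one line per check
    label=$1; shift
    if "$@"; then echo "accepted: $label"; else echo "rejected: $label"; fi
}

make_certs
make_cadirs
show "CA file given"                  verify_with_cafile
show "no CA configured"               verify_without_ca
show "CA dir with hashed link"        verify_with_capath "$WORK/hashed"
show "CA dir with bare file only"     verify_with_capath "$WORK/unhashed"
show "name matches ldap.example.test" verify_hostname ldap.example.test
show "name is some other host"        verify_hostname other.example.test
```

The "bare file only" case is the one that bites a Red Hat style client configured with tls_cacertdir: the CA is present on disk but never consulted until cacertdir_rehash has created the hash link. When checking a live server with openssl s_client, as the reply suggests, read the "Verify return code" line rather than relying on whether the handshake completed: s_client reports a failed chain but still proceeds unless it is run with -verify_return_error.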