Authenticate Linux on Openldap

Edson Marquezani Filho edsonmarquezani at gmail.com
Thu Jun 4 15:57:14 UTC 2009


On Thu, Jun 4, 2009 at 12:21, Virgilio Antonio Araujo
<vi.rlz4ever at gmail.com> wrote:
> Hi list, I was configuring an OpenLDAP server so that the Linux and Unix
> clients authenticate on the server. The authentication on the server works perfectly
> without TLS. With TLS the connection keeps waiting and doesn't work.
> On the server I'm using the following syntax in slapd.conf.
> ...
> TLSCipherSuite          HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
> TLSCACertificateFile    /etc/openldap/cacerts/server.pem
> TLSCertificateFile      /etc/openldap/cacerts/server.pem
> TLSCertificateKeyFile   /etc/openldap/cacerts/server.pem
> TLSVerifyClient         allow
> ...
>
> After I copy the client pem to the server and modify /etc/ldap.conf as
> follows:
> ...
> uri ldaps://spas031elc/
> #ssl start_tls
> tls_cacertdir /etc/openldap/cacerts
> pam_password md5
> ...
>
> And /etc/openldap/ldap.conf
> ...
> URI ldaps://spas031elc/
> BASE dc=elucid,dc=int
> TLS_CACERTDIR /etc/openldap/cacerts
> ...
>
> I follow the documentation at:
> http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS
>
> Has someone had this problem?
> Thanks for the help...
>

In many cases it has to do with how you generated your key. Remember
that the certificate's Common Name (CN) has to be the same address you use to
configure it on the clients. In that case, for example, it would be
"spas031elc". LDAP clients refuse the connection when the TLS
certificate's Common Name doesn't match the hostname used to connect.

Got it? =)
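The check described in the reply above, as an added example that is not part of the original thread and not OpenLDAP's own code: it extracts the host from the client's `uri` / `URI` setting and compares it against the names in the server certificate the way a client's TLS layer does. The certificate dicts are constructed samples in the layout Python's `ssl.SSLSocket.getpeercert()` returns, so nothing here talks to a server. It also covers two cases the reply does not spell out: a short name in the URI (`spas031elc`) does not match a certificate issued for the FQDN (`spas031elc.elucid.int`), and when a `subjectAltName` is present it takes precedence over the CN (modern clients ignore the CN entirely once a SAN exists, so the CN-only fallback this thread relies on is a legacy behaviour).

```python
"""Hostname check an LDAP client performs against the server certificate.

Added illustration; the certificate dicts are constructed examples in the
shape of ssl.SSLSocket.getpeercert(), no network connection is made.
"""
from urllib.parse import urlparse


def host_from_uri(uri):
    """Lowercase hostname from an ldap:// or ldaps:// URI.

    ldap.conf accepts a space separated list of URIs; only the first one
    is considered here (assumption: the first server is the one that hangs).
    """
    first = uri.split()[0]
    parsed = urlparse(first)
    if parsed.scheme not in ("ldap", "ldaps") or not parsed.hostname:
        raise ValueError("not an ldap(s) URI with a host: %r" % uri)
    return parsed.hostname.lower()


def cert_names(cert):
    """Names the certificate is valid for.

    subjectAltName DNS entries win when present; otherwise fall back to the
    subject commonName, which is the legacy behaviour the thread depends on.
    """
    sans = [v.lower() for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v.lower()
            for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def name_matches(hostname, pattern):
    """RFC 6125 style comparison: exact match, or a single '*' standing for
    the whole left-most label and matching exactly one label."""
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]            # e.g. ".elucid.int"
    if "*" in suffix or not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def check(uri, cert):
    """Return (ok, reason) for the client URI / server certificate pairing."""
    host = host_from_uri(uri)
    names = cert_names(cert)
    if not names:
        return False, "certificate carries no DNS name at all"
    if any(name_matches(host, n) for n in names):
        return True, "%s matches certificate names %s" % (host, names)
    return False, "uri host %r is not among certificate names %s" % (host, names)


# Constructed sample certificates (getpeercert() layout), not real ones.
CERT_SHORT = {"subject": ((("commonName", "spas031elc"),),)}
CERT_FQDN = {"subject": ((("commonName", "spas031elc.elucid.int"),),)}
CERT_WILDCARD = {"subject": ((("commonName", "ldap"),),),
                 "subjectAltName": (("DNS", "*.elucid.int"),)}

if __name__ == "__main__":
    for uri in ("ldaps://spas031elc/", "ldaps://spas031elc.elucid.int/"):
        for label, cert in (("CN short", CERT_SHORT), ("CN fqdn", CERT_FQDN),
                            ("SAN wildcard", CERT_WILDCARD)):
            ok, why = check(uri, cert)
            print("%-32s %-13s %s: %s" % (uri, label, "OK " if ok else "FAIL", why))
```

Run it as a script to see the matrix; the pair the original poster has (`uri ldaps://spas031elc/` against a certificate whose CN is anything other than `spas031elc`) is the one that prints FAIL, which is the condition under which the client never completes the TLS handshake.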



