[389-users] TinyCA2 & 389-DS

Stephen Spencer gladiatr72 at gmail.com
Mon Mar 15 15:35:03 UTC 2010


Hello, Jeff.

I am working with the current release of RHDS towards bringing an LDAP
infrastructure online at my place of business.  The secure communications
bit is one of the first aspects of the system that I've gotten set up.  At
this time I am working with the systems that will be authenticating to the
directory, so I have not yet gotten to the business of replication; however,
I thought I'd post my thoughts on what it seems you might be dealing with.

I am using the easy-rsa set of scripts that is shipped with OpenVPN;
however, I do not think the software you're using to generate the
certificates is the source of the problem.

The first thing that I have found is that the netscape security services
library is very sensitive to what kind of certificate it is actually dealing
with.  I discovered this when attempting to use the server certificate I
generated to test TLS connectivity with ldapsearch from the directory
server's command line.  It complains quite loudly that it cannot trust the
certificate that it uses to identify the server as a client certificate.

conn=48 Netscape Portable Runtime error -8101 (Certificate type not approved
for application.)

I determined that the "certificate type" was in reference to the X509v3
Extended Key Usage specification.  For server certificates it is "TLS Web
Server Authentication" vs "TLS Web Client Authentication" for client
identification.

For local TLS testing purposes, I issued a client certificate
"cn=test.client", created a test.client user under the appropriate branch in
the tree and voila.

Without further information, I would assume that the problem is that you
haven't provided your client with an appropriate client key.  Installing
your local Root CA is necessary and is a good start; however, whatever
client program you are using will need some way to complete the handshake
with the server.

If this doesn't get you on your way, run a tail -f
/var/log/dirsrv/slapd-[instance]/access while your client system is trying
to connect to the server and put it in a response to this thread.

Stephen Spencer
Lawrence, KS

-- 
You know, I used to think it was awful that life was so unfair. Then I
thought, wouldn't it be much worse if life were fair, and all the terrible
things that happen to us come because we actually deserve them? So, now I
take great comfort in the general hostility and unfairness of the universe.
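As an added example (not part of the original post or of 389-DS/NSS), the following Python models the Extended Key Usage check behind error -8101: it parses an EKU extension value in DER and reports whether the certificate is approved for the TLS client or server role. The sample DER bytes are constructed by hand, and only the EKU value is parsed, not a full certificate.

```python
# Added example, not from the original post: a minimal DER parser for the
# X509v3 Extended Key Usage value, modelling the check behind NSS error
# -8101 (Certificate type not approved for application). Sample bytes are
# constructed by hand; this is not NSS's code and parses only the EKU value.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth (TLS Web Server Authentication)
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth (TLS Web Client Authentication)

def _read_tlv(buf, pos):
    # One DER tag-length-value; handles short and long-form lengths.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    # OID content octets -> dotted string (first octet packs two arcs).
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def eku_oids(der):
    # ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId (OID)
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OID")
        oids.append(decode_oid(value))
    return oids

def approved_for(der, purpose):
    # A cert carrying an EKU is usable for a role only if that role's
    # KeyPurposeId is listed (certs with no EKU extension are not modelled).
    return purpose in eku_oids(der)

# Constructed samples: the server cert rejected as a client cert in the post,
# and a client cert like "cn=test.client".
SERVER_ONLY_EKU = bytes.fromhex("300a06082b06010505070301")
CLIENT_EKU = bytes.fromhex("300a06082b06010505070302")

if __name__ == "__main__":
    for name, der in (("server cert", SERVER_ONLY_EKU), ("client cert", CLIENT_EKU)):
        ok = approved_for(der, CLIENT_AUTH)
        print(f"{name}: EKU={eku_oids(der)} -> {'ok' if ok else 'not approved for client use'}")
```

Running it shows the server certificate failing the client-role check exactly as the access log reported, while the dedicated client certificate passes.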