Thanks, Joshua. This is very helpful.<br><br>-Jake<br><br><br><br><div><span class="gmail_quote">On 7/16/07, <b class="gmail_sendername">Joshua M. Miller</b> <<a href="mailto:joshua@itsecureadmin.com">joshua@itsecureadmin.com
</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi David,<br><br>If you are using a self-signed certificate (i.e., the CN on the CA cert is
<br>the same domain as the CN on the LDAP cert) then OpenLDAP will reject<br>the certificate by default.<br><br>You can see from the message "certificate verify failed" in the error<br>output that it found the certificate.
<br><br>If you want to keep using this certificate, you can add the following<br>line to your /etc/openldap/ldap.conf:<br><br>TLS_REQCERT never<br><br>This will allow ldapsearch to function while ignoring this error.<br><br>
Please note the consequences of this action in the man page for ldap.conf.<br><br>Good luck,<br>--<br>Joshua M. Miller - RHCE, VCP<br><br><br>J Davis wrote:<br>> Hello,<br>><br>> I have FDS 1.0.4 running using an SSL certificate generated by a
<br>> Microsoft Windows 2003 CA server.<br>> I chose this method as opposed to the setupssl.sh script from the wiki<br>> because I have read in the list archives that it is the best way to<br>> avoid trust issues when setting up PassSync over SSL between FDS and AD.
<br>> I'm having a hard time finding references for configuring this properly<br>> and I know very little about SSL certificates so I'm making some guesses<br>> and likely missing a crucial step or two.<br>
> The problem is that when trying to bind to the FDS using SSL I get<br>> certificate verification errors.<br>><br>> > # ldapsearch -x -H ldaps://localhost/<br>> > ldap_bind: Can't contact LDAP server (-1)
<br>> > additional info: error:14090086:SSL<br>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed<br>><br>> Here's how I set up the certificates...<br>> 1. Generated a CSR using the FDS console wizard and submitted it to the
<br>> MS CA.<br>> 2. Imported the CA certificate (called "it") and the signed<br>> "server-cert" resulting from step 1 from the MS CA using the FDS admin<br>> console.<br>> 3. Enabled SSL (port 636) in the directory server using server-cert from
<br>> step 1.<br>><br>> I used certutil to display the list of certificates in the FDS cert db.<br>> > [alias]# ../shared/bin/certutil -L -d . -P slapd-<instance>-<br>> > server-cert u,u,u<br>
> > it CT,,<br>><br>> Then verified that "server-cert" was considered valid.<br>> > [alias]# ../shared/bin/certutil -V -n server-cert -e -u V -d . -P<br>> slapd-<instance>-
<br>> > Enter Password or Pin for "NSS Certificate DB":<br>> > certutil-bin: certificate is valid<br>><br>> I also verified that I can connect using the openssl client.<br>> > # openssl s_client -connect localhost:636 -showcerts -CAfile
<br>> /path/to/it_ca.crt<br>> --snip--<br>> > Verify return code: 0 (ok)<br>> > ---<br>><br>> Any hints as to what I might be doing wrong are greatly appreciated.<br>><br>> Thanks,<br>
> -Jake<br>><br>> ------------------------------------------------------------------------<br>><br>> --<br>> Fedora-directory-users mailing list<br>> <a href="mailto:Fedora-directory-users@redhat.com">
Fedora-directory-users@redhat.com</a><br>> <a href="https://www.redhat.com/mailman/listinfo/fedora-directory-users">https://www.redhat.com/mailman/listinfo/fedora-directory-users</a><br></blockquote></div><br>
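An added example, written for this page and not posted by anyone in the thread: it puts the TLS_REQCERT never setting from the reply beside the fix that keeps verification (TLS_CACERT pointing at the CA that issued server-cert), audits an ldap.conf for either weakness, and reproduces the "certificate verify failed" condition with openssl alone by building a throwaway private CA. The temp paths, the it_ca.crt file name, the host name ldap.example.test and the base DN are assumptions made up for the example; both config fragments and both certificates are constructed by the script.

```shell
#!/bin/sh
# Added example, not part of the thread. Shows the "TLS_REQCERT never" setting
# the reply suggests beside the fix that keeps verification (point the client
# at the CA that signed server-cert), a small audit of ldap.conf, and a
# reproduction of the verify failure with openssl alone.
# Assumptions: paths under $TMPDIR, the CA file name it_ca.crt, the host name
# ldap.example.test and the base DN are all made up for the example.
set -eu

WORK="${TMPDIR:-/tmp}/ldaptls.$$"
mkdir -p "$WORK"

# What the thread suggests: the error disappears because the client no longer
# checks who it is talking to; any host answering on 636 is accepted.
cat > "$WORK/ldap.conf.insecure" <<'EOF'
URI ldaps://localhost/
BASE dc=example,dc=test
TLS_REQCERT never
EOF

# The fix that keeps verification: give the client the CA that issued
# server-cert (the "it" CA in the thread) and require a valid chain.
cat > "$WORK/ldap.conf.hardened" <<'EOF'
URI ldaps://localhost/
BASE dc=example,dc=test
TLS_CACERT /etc/openldap/cacerts/it_ca.crt
TLS_REQCERT demand
EOF

# audit_ldap_conf FILE: prints a verdict; returns 1 when verification is off
# (TLS_REQCERT never/allow) or when no trust anchor is configured, so a
# private CA such as the one in the thread could never be trusted.
audit_ldap_conf() {
    f="$1"
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT" {print tolower($2)}' "$f" | tail -n1)
    anchor=$(awk 'toupper($1)=="TLS_CACERT" || toupper($1)=="TLS_CACERTDIR" {print $2}' "$f" | tail -n1)
    case "${reqcert:-demand}" in          # OpenLDAP's default is demand
        never|allow)
            echo "insecure: TLS_REQCERT $reqcert disables server certificate verification"
            return 1 ;;
    esac
    if [ -z "$anchor" ]; then
        echo "insecure: no TLS_CACERT/TLS_CACERTDIR, a private CA cannot be trusted"
        return 1
    fi
    echo "ok: TLS_REQCERT ${reqcert:-demand} with trust anchor $anchor"
}

# verifies CERT [CAFILE]: 0 when "openssl verify" reports OK. Matching the
# text rather than the exit code also covers old openssl builds.
verifies() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'
    else
        openssl verify "$1" 2>&1 | grep -q ': OK$'
    fi
}

# chain_demo: build a throwaway private CA and a server cert it signed, then
# verify the server cert without and with the CA. Returns 0 when verification
# fails without the CA and succeeds with it, 2 when openssl is unavailable.
chain_demo() {
    command -v openssl >/dev/null 2>&1 || return 2
    d="$WORK/chain"; mkdir -p "$d"
    # basicConstraints CA:TRUE is what makes this certificate usable as a
    # trust anchor; a plain self-signed leaf would not be.
    cat > "$d/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Private CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    cat > "$d/srv.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = ldap.example.test
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -config "$d/srv.cnf" \
        -keyout "$d/srv.key" -out "$d/srv.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/srv.crt" >/dev/null 2>&1
    # No CA known to the client: this is the "certificate verify failed" case.
    if verifies "$d/srv.crt"; then return 1; fi
    # CA supplied, as TLS_CACERT does for ldapsearch: chain builds, verify OK.
    verifies "$d/srv.crt" "$d/ca.crt"
}

audit_ldap_conf "$WORK/ldap.conf.insecure" || true
audit_ldap_conf "$WORK/ldap.conf.hardened"
rc=0; chain_demo || rc=$?
case $rc in
    0) echo "chain demo: verify fails without the CA and succeeds with it" ;;
    2) echo "chain demo skipped: openssl not installed" ;;
    *) echo "chain demo: unexpected result"; exit 1 ;;
esac
```

Run it as a plain script; chain_demo needs openssl in PATH and reports status 2 instead of failing when it is absent. The audit treats TLS_REQCERT never and allow the same way, since both let the bind proceed against an unverifiable server, and it also flags a config with no trust anchor, which is the actual state in the thread: the openssl s_client test passed only because -CAfile named the CA, and ldapsearch gets the same result once TLS_CACERT names it.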