So how should I handle the naming of the two server certs (for the directory server and the admin server)? Their DN's can't all be the same correct?<br><br>It sounds like I will need 3 certificates (for admin server, directory server, and CA cert) that will look like this:<br>
/C=US/ST=California/L=Burbank/O=mydomain/OU=ADS/CN=<a href="http://ldap01.mydomain.com">ldap01.mydomain.com</a><br><br>How do you normally handle the naming of your certs?<br><br><div class="gmail_quote">On Fri, Sep 28, 2012 at 10:01 AM, Grzegorz Dwornicki <span dir="ltr"><<a href="mailto:gd1100@gmail.com" target="_blank">gd1100@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p>There is definetly something wrong with your CA. Error is fatal and named unknown CA. I agree with you now: please try put FQDN in CN field. This still maybe not the issue but when you create CA cert again then maybe error will disapear. I usually use openssl to create certs instead of certutil soo i don't know if you will need to create every cert using shell script. </p>
<p>Greg.</p>
<div class="gmail_quote">28 wrz 2012 18:24, "Kyle Flavin" <<a href="mailto:kyle.flavin@gmail.com" target="_blank">kyle.flavin@gmail.com</a>> napisał(a):<div><div class="h5"><br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Here's the output from ldapsearch (I sanitized the domains). Note that for the cacert I used "ROOT CA" for the CN of the certificate. I guess the next step is to try to set this to the hostname of ldap01?<br>
<br>####################################################<br>####################################################<br>####################################################<br><br>root@ldap02 ~]# cat /etc/openldap/ldap.conf<br>
#<br># LDAP Defaults<br>#<br><br># See ldap.conf(5) for details<br># This file should be world readable but not world writable.<br><br>#BASE dc=example, dc=com<br>#URI ldap://<a href="http://ldap.example.com" target="_blank">ldap.example.com</a> ldap://<a href="http://ldap-master.example.com:666" target="_blank">ldap-master.example.com:666</a><br>
<br>#SIZELIMIT 12<br>#TIMELIMIT 15<br>#DEREF never<br>#URI ldap://<a href="http://127.0.0.1/" target="_blank">127.0.0.1/</a><br>#BASE dc=example,dc=com<br>#TLS_CACERTDIR /etc/openldap/cacerts<br>TLS_CACERTDIR /tmp/ldap/certs<br>
#TLS_REQCERT never<br><br><br><br>####################################################<br>####################################################<br>####################################################<br><br>[root@ldap02 ldap]# ldapsearch -x -h ldap01.<mydomain>.com -D "cn=Directory Manager" -W -b "dc=mydomain,dc=com" -d 1 -ZZ ""<br>
ldap_create<br>ldap_url_parse_ext(ldap://<a href="http://ldap01.mydomain.com" target="_blank">ldap01.mydomain.com</a>)<br>ldap_extended_operation_s<br>ldap_extended_operation<br>ldap_send_initial_request<br>ldap_new_connection 1 1 0<br>
ldap_int_open_connection<br>
ldap_connect_to_host: TCP <a href="http://ldap01.mydomain.com:389" target="_blank">ldap01.mydomain.com:389</a><br>ldap_new_socket: 3<br>ldap_prepare_socket: 3<br>ldap_connect_to_host: Trying <a href="http://10.163.121.194:389" target="_blank">10.163.121.194:389</a><br>
ldap_connect_timeout: fd: 3 tm: -1 async: 0<br>ldap_open_defconn: successful<br>ldap_send_server_request<br>ber_scanf fmt ({it) ber:<br>ber_scanf fmt ({) ber:<br>ber_flush: 31 bytes to sd 3<br>ldap_result ld 0x14890770 msgid 1<br>
wait4msg ld 0x14890770 msgid 1 (infinite timeout)<br>wait4msg continue ld 0x14890770 msgid 1 all 1<br>** ld 0x14890770 Connections:<br>* host: <a href="http://ldap01.mydomain.com" target="_blank">ldap01.mydomain.com</a> port: 389 (default)<br>
refcnt: 2 status: Connected<br> last used: Fri Sep 28 09:16:51 2012<br><br>** ld 0x14890770 Outstanding Requests:<br> * msgid 1, origid 1, status InProgress<br> outstanding referrals 0, parent count 0<br>** ld 0x14890770 Response Queue:<br>
Empty<br>ldap_chkResponseList ld 0x14890770 msgid 1 all 1<br>ldap_chkResponseList returns ld 0x14890770 NULL<br>ldap_int_select<br>read1msg: ld 0x14890770 msgid 1 all 1<br>ber_get_next<br>ber_get_next: tag 0x30 len 95 contents:<br>
read1msg: ld 0x14890770 msgid 1 message type extended-result<br>ber_scanf fmt ({eaa) ber:<br>read1msg: ld 0x14890770 0 new referrals<br>read1msg: mark request completed, ld 0x14890770 msgid 1<br>request done: ld 0x14890770 msgid 1<br>
res_errno: 0, res_error: <>, res_matched: <><br>ldap_free_request (origid 1, msgid 1)<br>ldap_parse_extended_result<br>ber_scanf fmt ({eaa) ber:<br>ber_scanf fmt (a) ber:<br>ldap_parse_result<br>ber_scanf fmt ({iaa) ber:<br>
ber_scanf fmt (x) ber:<br>ber_scanf fmt (}) ber:<br>ldap_msgfree<br>TLS trace: SSL_connect:before/connect initialization<br>TLS trace: SSL_connect:SSLv2/v3 write client hello A<br>TLS trace: SSL_connect:SSLv3 read server hello A<br>
TLS certificate verification: depth: 1, err: 19, subject: /C=US/ST=California/L=Burbank/O=mydomain/OU=ADS/CN=ROOT CA, issuer: /C=US/ST=California/L=Burbank/O=mydomain/OU=ADS/CN=ROOT CA<br>TLS certificate verification: Error, self signed certificate in certificate chain<br>
TLS trace: SSL3 alert write:fatal:unknown CA<br>TLS trace: SSL_connect:error in SSLv3 read server certificate B<br>TLS trace: SSL_connect:error in SSLv3 read server certificate B<br>TLS: can't connect.<br>ldap_perror<br>
ldap_start_tls: Connect error (-11)<br> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed<br><br><br><br><div class="gmail_quote">On Fri, Sep 28, 2012 at 8:46 AM, Grzegorz Dwornicki <span dir="ltr"><<a href="mailto:gd1100@gmail.com" target="_blank">gd1100@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p>I was thinking about server cert but I usually put fqdn in every certificate I made.</p>
<p>This is intersting problem. Can you provide output of ldapsearch with debug plus contents of /etc/openldap/ldap.conf?</p>
<p>Greg.</p>
<div class="gmail_quote">28 wrz 2012 17:20, "Kyle Flavin" <<a href="mailto:kyle.flavin@gmail.com" target="_blank">kyle.flavin@gmail.com</a>> napisał(a):<div><div><br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I tried both tls_cacert and tls_cacertdir, same result. I think it's still encrypting when I set tls_reqcert to never, because ldapsearch with -d 1 indicates it's still doing the Start TLS negotiation, and dsniff doesn't seem to pick up the password when I add the "-ZZ" (it grabs the pw when I leave that off). Maybe dnsiff just doesn't "speak" Start TLS though, and I need to look at it with wireshark to make sure the password isn't in cleartext...<br>
<br>Hmm, I don't think I set the CN of the cacert to the hostname. Does it matter if I generate multiple certs for the same host using the same hostname for the CN? I'm using self signed certs. The server.cert which I generated for the directory server uses the hostname for its CN so I didn't want duplicates. I just set CN of the cacert to "ROOT CA" I think. Also, apparently I need to generate yet another cert for the admin server. I wanted to just reuse my server.cert from the directory server in both places, but 389 isn't letting me do that (it says the cert was generated by another host). This would mean I'd need yet a third certificate with a CN set to the hostname of this same server. Again, not sure if this is a problem...<br>
<br><br><br><div class="gmail_quote">On Thu, Sep 27, 2012 at 11:56 PM, Grzegorz Dwornicki <span dir="ltr"><<a href="mailto:gd1100@gmail.com" target="_blank">gd1100@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<p>maybe tls_reqcert never forces non ssl or it forces no ssl checks. As You know for example hostname must be present and valid DNS domain in CN field of certficace or session will fail.</p>
<p>Have you tried using tls_cacert insted of cacertdir? I am writing this without manuals soo I am not sure: tls_cacert or tls_cacertfile</p>
<p>I have learned when you have just one ca, then tls_cacertdir sometimes did not work as I thought it would. It did not work at all for me.</p>
<p>Greg.</p>
<div class="gmail_quote">28 wrz 2012 07:28, "Kyle Flavin" <<a href="mailto:kyle.flavin@gmail.com" target="_blank">kyle.flavin@gmail.com</a>> napisał(a):<div><div><br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Yeah -- So what I did is drop cacert.asc under /tmp/ldap/certs for testing purposes. I then added a line "TLS_CACERTDIR /tmp/ldap/certs" to /etc/openldap/ldap.conf. The logs on the directory server (and from adding a -d 1 option to ldapsearch) indicated that the client was rejecting the certificate. So I used certutil with cacert.asc to create the cert8.db and key3.db files under /tmp/ldap/certs (I now have cacert.asc, cert8.db, key3.db, and secmod.db under that directory). Same result. Then I went back to /etc/openldap/ldap.conf and set "TLS_REQCERT never", and commented out the cacertdir directive. With that configuration, ldapsearch works with the -ZZ options. So for some reason, it isn't liking my CA cert, and I'm not sure why. <br>
<br><br><div class="gmail_quote">On Thu, Sep 27, 2012 at 9:46 PM, Grzegorz Dwornicki <span dir="ltr"><<a href="mailto:gd1100@gmail.com" target="_blank">gd1100@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<p>Did you install ca.cert on system and setup /etc/openldap/ldap.conf ?</p>
<p>Greg.</p>
<div class="gmail_quote">28 wrz 2012 05:11, "Kyle Flavin" <<a href="mailto:kyle.flavin@gmail.com" target="_blank">kyle.flavin@gmail.com</a>> napisał(a):<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div>
Hi, I've been struggling to setup 389 Directory server with Start TLS.<br><br>I have a multi-master replication working with four server. From an external client running openldap's ldapsearch, I'm trying to do the following:<br>
<br>ldapsearch -ZZ -x -h "myserver" -b "dc=example,dc=com" -D "cn=Directory Manager" -W ""<br><br>I get an unsupported protocol error on servers that do not have certificates installed.<br>
<br>In an attempt to resolve this, I tried to install a self-signed cert. I created a ca.cert and a server.crt, and imported them into the Directory Server. I then imported the ca.cert to the admin server. When I attempted to import the same server.crt to the admin server, I got an error message stating the certificate was for another host. Since the admin server and directory server reside on the same host, if I generate a new request, it will have an identical host name (I'm not sure if that's relevant to my issue). After all of that, I now receive a "Connect Error SSL3_GET_SERVER_CERTIFICATE:certificate verify failed". I'm guessing I need to import the root cert onto the client somehow, but I'm not sure how to go about doing that.<br>
<br>This has become pretty time consuming, so I was hoping that someone more knowledgeable could confirm that I'm at least travelling down the right path. I've been following this Red Hat document:<br><br><a href="https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_SSL.html#Starting_the_Server_with_SSL_Enabled-Enabling_SSL_in_the_DS_Admin_Server_and_Console" target="_blank">https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_SSL.html#Starting_the_Server_with_SSL_Enabled-Enabling_SSL_in_the_DS_Admin_Server_and_Console</a><br>
<br>Thanks,<br>Kyle<br><br>
<br></div></div><span><font color="#888888">--<br>
389 users mailing list<br>
<a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br></font></span></blockquote></div>
<br>--<br>
389 users mailing list<br>
<a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br></blockquote></div><br>
<br>--<br>
389 users mailing list<br>
<a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br></blockquote></div></div></div>
<br>--<br>
389 users mailing list<br>
<a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br></blockquote></div><br>
<br>--<br>
389 users mailing list<br>
<a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br></blockquote></div></div></div>
<br>--<br>
389 users mailing list<br>
<a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br></blockquote></div><br>
<br>--<br>
389 users mailing list<br>
<a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br></blockquote></div></div></div>
<br>--<br>
389 users mailing list<br>
<a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br></blockquote></div><br>