11:32 a.m.
I've managed to get past the the strangely obscure method of installing an SSL
certificate, and from the server side everything appears to be OK. Actually its a
"CACert" certificate, rather then self signed. Using Jxplorer, I can connect
the the DS using SSL, accept the certificate, and I'm all set.
However, I am having a ton of trouble figuring out how to use an untrusted ca for my linux
user authentication. I changed /etc/ldap.conf to use ldaps://, and it attemtps to connect
as expected. I think this would work, if I could figure out how to tell it to accept the
certificate. I get the following error message in DS after running getent passwd.
[24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does not recognize and trust
the CA that issued your certificate.
[24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does not recognize and trust
the CA that issued your certificate.
Any thoughts?
11:52 a.m.
On Wed, 2009-06-24 at 09:32 -0700, Dumbo Q wrote:
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan(a)opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
I've managed to get past the the strangely obscure method of
installing an SSL certificate, and from the server side everything
appears to be OK. Actually its a "CACert" certificate, rather then
self signed. Using Jxplorer, I can connect the the DS using SSL,
accept the certificate, and I'm all set.
However, I am having a ton of trouble figuring out how to use an
untrusted ca for my linux user authentication. I
changed /etc/ldap.conf to use ldaps://, and it attemtps to connect as
expected. I think this would work, if I could figure out how to tell
it to accept the certificate. I get the following error message in
DS after running getent passwd.
[24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does not
recognize and trust the CA that issued your certificate.
[24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does not
recognize and trust the CA that issued your certificate.
Any thoughts?
<snip>
I believe you'll find the way we did it in several of my recent posts.
You'll need to configure the rest of the SSL portions of ldap.conf. In
particular, you will need to tell it where to find the CA cert. I
believe we stuck ours in /etc/pki/tls/certs/ and pointed the tlscertfile
(?) parameter to it. Hope this helps - John
11:55 a.m.
Dumbo Q a écrit :
I've managed to get past the the strangely obscure method of
installing an SSL certificate, and from the server side everything
appears to be OK. Actually its a "CACert" certificate, rather then
self signed. Using Jxplorer, I can connect the the DS using SSL,
accept the certificate, and I'm all set.
However, I am having a ton of trouble figuring out how to use an
untrusted ca for my linux user authentication. I changed
/etc/ldap.conf to use ldaps://, and it attemtps to connect as
expected. I think this would work, if I could figure out how to tell
it to accept the certificate. I get the following error message in DS
after running getent passwd.
[24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does not
recognize and trust the CA that issued your certificate.
[24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does not
recognize and trust the CA that issued your certificate.
Any thoughts?
I think you have to use the directive TLS_CACERT or TLS_CACERT_DIR in
/etc/ldap.conf
man ldap.conf :
TLS_CACERT <filename>
Specifies the file that contains certificates for all of
the Certificate Authorities the client will recognize.
TLS_CACERTDIR <path>
Specifies the path of a directory that contains Certifi‐
cate Authority certificates in separate individual files.
The TLS_CACERT is always used before TLS_CACERTDIR. This
parameter is ignored with GNUtls.
------------------------------------------------------------------------
--
389 users mailing list
389-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
noon
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Jean-Noel Chardron wrote:
Dumbo Q a écrit :
> I've managed to get past the the strangely obscure method of
> installing an SSL certificate, and from the server side everything
> appears to be OK. Actually its a "CACert" certificate, rather then
> self signed. Using Jxplorer, I can connect the the DS using SSL,
> accept the certificate, and I'm all set.
>
> However, I am having a ton of trouble figuring out how to use an
> untrusted ca for my linux user authentication. I changed
> /etc/ldap.conf to use ldaps://, and it attemtps to connect as
> expected. I think this would work, if I could figure out how to tell
> it to accept the certificate. I get the following error message in DS
> after running getent passwd.
>
> [24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does not
> recognize and trust the CA that issued your certificate.
> [24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does not
> recognize and trust the CA that issued your certificate.
>
>
> Any thoughts?
>
I think you have to use the directive TLS_CACERT or TLS_CACERT_DIR in
/etc/ldap.conf
man ldap.conf :
TLS_CACERT <filename>
Specifies the file that contains certificates for all of
the Certificate Authorities the client will recognize.
TLS_CACERTDIR <path>
Specifies the path of a directory that contains Certifi‐
cate Authority certificates in separate individual files.
The TLS_CACERT is always used before TLS_CACERTDIR. This
parameter is ignored with GNUtls.
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
--
389 users mailing list
389-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
I was having a
similar issue yesterday, everything worked until I
appended more then one CA to the file in /etc/openldap/cacerts, then it
kept failing until I limited it to one CA. Are you
using a single CA?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkpCW6YACgkQ5B+8XEnAvquidwCcDcnsJTuyGaVGkfc/NEXYDzdD
3WIAnAx7FBt+G8VQYd9Zf1Vzbo7ebs/2
=lFVu
-----END PGP SIGNATURE-----
12:19 p.m.
David Christensen a écrit :
I was having a similar issue yesterday, everything worked until I
appended more then one CA to the file in /etc/openldap/cacerts, then it
kept failing until I limited it to one CA. Are you
using a single CA?
The client authenticates to a server with a single authority, so why try
to install two or more. otherwise you must use a file by CA in the
directory.
unless you speak CA chain.
12:56 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Jean-Noel Chardron wrote:
David Christensen a écrit :
> I was having a similar issue yesterday, everything worked until I
> appended more then one CA to the file in /etc/openldap/cacerts, then it
> kept failing until I limited it to one CA. Are you
> using a single CA?
>
The client authenticates to a server with a single authority, so why try
to install two or more. otherwise you must use a file by CA in the
directory.
unless you speak CA chain.
--
389 users mailing list
389-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
I have two directory servers in a multmaster config using round robin
DNS so I need clients to be able to authenticate to both servers since
it will be random. It hasn't worked for me yet, but that is where I am
trying to get.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkpCaN8ACgkQ5B+8XEnAvqsc0gCfbezu9knxX1HfNNNupTwdjCEe
IX4AoIRCASuVxTrB6ugLr7U0TWvnfUTb
=xSWx
-----END PGP SIGNATURE-----
1:32 p.m.
On Wed, 2009-06-24 at 12:56 -0500, David Christensen wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Jean-Noel Chardron wrote:
> David Christensen a écrit :
>> I was having a similar issue yesterday, everything worked until I
>> appended more then one CA to the file in /etc/openldap/cacerts, then it
>> kept failing until I limited it to one CA. Are you
>> using a single CA?
>>
> The client authenticates to a server with a single authority, so why try
> to install two or more. otherwise you must use a file by CA in the
> directory.
> unless you speak CA chain.
>
> --
> 389 users mailing list
> 389-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
I have two directory servers in a multmaster config using round robin
DNS so I need clients to be able to authenticate to both servers since
it will be random. It hasn't worked for me yet, but that is where I am
trying to get.
<snip>
That's exactly how we're set up (except we are not multi-master) and it
is working fine. However, one only needs the CA cert in the cacertfile
for it to work. For example, I have two DNS entries for
ldap.mycompany.com which point to my two replicas. Each replica has a
cert with ldap{1,2}.mycompany.com for the cn and that value as well as
ldap.mycompany.com as DNS entries in the subjAltName. tls_cacertfile
points to a single CA cert file (although I thought it supported
concatenated certs) containing the cert for the CA which issued the ldap
replica certs and keys. Hope this helps - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan(a)opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
12:06 p.m.
Jean-Noel Chardron a écrit :
Dumbo Q a écrit :
> I've managed to get past the the strangely obscure method of
> installing an SSL certificate, and from the server side everything
> appears to be OK. Actually its a "CACert" certificate, rather then
> self signed. Using Jxplorer, I can connect the the DS using SSL,
> accept the certificate, and I'm all set.
>
> However, I am having a ton of trouble figuring out how to use an
> untrusted ca for my linux user authentication. I changed
> /etc/ldap.conf to use ldaps://, and it attemtps to connect as
> expected. I think this would work, if I could figure out how to tell
> it to accept the certificate. I get the following error message in DS
> after running getent passwd.
>
> [24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does
> not recognize and trust the CA that issued your certificate.
> [24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does
> not recognize and trust the CA that issued your certificate.
>
>
> Any thoughts?
>
I think you have to use the directive TLS_CACERT or TLS_CACERT_DIR in
/etc/ldap.conf
man ldap.conf :
TLS_CACERT <filename>
Specifies the file that contains certificates for all of
the Certificate Authorities the client will recognize.
TLS_CACERTDIR <path>
Specifies the path of a directory that contains Certifi‐
cate Authority certificates in separate individual files.
The TLS_CACERT is always used before TLS_CACERTDIR. This
parameter is ignored with GNUtls.
or may be, to test the connection, you can skip the check of the
certificate (as i discover in the man) with the option :
TLS_REQCERT allow
>
------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
--
389 users mailing list
389-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
1:35 p.m.
On Wed, 2009-06-24 at 18:55 +0200, Jean-Noel Chardron wrote:
Dumbo Q a écrit :
> I've managed to get past the the strangely obscure method of
> installing an SSL certificate, and from the server side everything
> appears to be OK. Actually its a "CACert" certificate, rather then
> self signed. Using Jxplorer, I can connect the the DS using SSL,
> accept the certificate, and I'm all set.
>
> However, I am having a ton of trouble figuring out how to use an
> untrusted ca for my linux user authentication. I changed
> /etc/ldap.conf to use ldaps://, and it attemtps to connect as
> expected. I think this would work, if I could figure out how to tell
> it to accept the certificate. I get the following error message in DS
> after running getent passwd.
>
> [24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does not
> recognize and trust the CA that issued your certificate.
> [24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does not
> recognize and trust the CA that issued your certificate.
>
>
> Any thoughts?
>
I think you have to use the directive TLS_CACERT or TLS_CACERT_DIR in
/etc/ldap.conf
man ldap.conf :
TLS_CACERT <filename>
Specifies the file that contains certificates for all of
the Certificate Authorities the client will recognize.
TLS_CACERTDIR <path>
Specifies the path of a directory that contains Certifi‐
cate Authority certificates in separate individual files.
The TLS_CACERT is always used before TLS_CACERTDIR. This
parameter is ignored with GNUtls.
><snip>
I think these may be the wrong variables. If I recall correctly,
those
variables are for /etc/openldap/ldap.conf and control openldap (and
openldap related queries). pam uses /etc/ldap.conf. I believe the
variables are set like this:
ssl start_tls
tls_checkpeer yes
tls_cacertfile /usr/share/ca-certificates/CA.pem
or whatever the path happens to be. Again, I'm not an expert - just
sharing what we did that worked - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan(a)opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
1:48 p.m.
John A. Sullivan III wrote:
On Wed, 2009-06-24 at 18:55 +0200, Jean-Noel Chardron wrote:
> Dumbo Q a écrit :
>
>> I've managed to get past the the strangely obscure method of
>> installing an SSL certificate, and from the server side everything
>> appears to be OK. Actually its a "CACert" certificate, rather then
>> self signed. Using Jxplorer, I can connect the the DS using SSL,
>> accept the certificate, and I'm all set.
>>
>> However, I am having a ton of trouble figuring out how to use an
>> untrusted ca for my linux user authentication. I changed
>> /etc/ldap.conf to use ldaps://, and it attemtps to connect as
>> expected. I think this would work, if I could figure out how to tell
>> it to accept the certificate. I get the following error message in DS
>> after running getent passwd.
>>
>> [24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does not
>> recognize and trust the CA that issued your certificate.
>> [24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does not
>> recognize and trust the CA that issued your certificate.
>>
>>
>> Any thoughts?
>>
>>
> I think you have to use the directive TLS_CACERT or TLS_CACERT_DIR in
> /etc/ldap.conf
> man ldap.conf :
> TLS_CACERT <filename>
> Specifies the file that contains certificates for all of
> the Certificate Authorities the client will recognize.
>
> TLS_CACERTDIR <path>
> Specifies the path of a directory that contains Certifi‐
> cate Authority certificates in separate individual files.
> The TLS_CACERT is always used before TLS_CACERTDIR. This
> parameter is ignored with GNUtls.
>
>
>> <snip>
>>
I think these may be the wrong variables. If I recall correctly, those
variables are for /etc/openldap/ldap.conf and control openldap (and
openldap related queries). pam uses /etc/ldap.conf.
do "man nss_ldap" to
see the configuration variables for /etc/ldap.conf
- they are similar enough to /etc/openldap/ldap.conf to cause confusion.
I believe the
variables are set like this:
ssl start_tls
tls_checkpeer yes
tls_cacertfile /usr/share/ca-certificates/CA.pem
or whatever the path happens to be. Again, I'm not an expert - just
sharing what we did that worked - John
2:33 p.m.
I got it. I got it working with SSL. Good enough. This is what is needed to get it to
work.
ssl on
tls_cacertfile /etc/pki/tls/certs/cacert.org-root.txt
uri ldaps://rhds.example.com:636/
I removed the cacert from the ca-bundle.crt file.
________________________________
From: Rich Megginson <rmeggins(a)redhat.com>
To: General discussion list for the 389 Directory server project.
<fedora-directory-users(a)redhat.com>
Sent: Wednesday, June 24, 2009 2:48:43 PM
Subject: Re: [389-users] Trouble using self signed certificates.
John A. Sullivan III wrote:
On Wed, 2009-06-24 at 18:55 +0200, Jean-Noel Chardron wrote:
> Dumbo Q a écrit :
>
>> I've managed to get past the the strangely obscure method of installing an
SSL certificate, and from the server side everything appears to be OK. Actually its a
"CACert" certificate, rather then self signed. Using Jxplorer, I can connect the
the DS using SSL, accept the certificate, and I'm all set.
>>
>> However, I am having a ton of trouble figuring out how to use an untrusted ca for
my linux user authentication. I changed /etc/ldap.conf to use ldaps://, and it attemtps to
connect as expected. I think this would work, if I could figure out how to tell it to
accept the certificate. I get the following error message in DS after running getent
passwd.
>>
>> [24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does not recognize
and trust the CA that issued your certificate.
>> [24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does not recognize
and trust the CA that issued your certificate.
>>
>>
>> Any thoughts?
>>
>>
> I think you have to use the directive TLS_CACERT or TLS_CACERT_DIR in /etc/ldap.conf
> man ldap.conf :
> TLS_CACERT <filename>
> Specifies the file that contains certificates for all of
> the Certificate Authorities the client will recognize.
>
> TLS_CACERTDIR <path>
> Specifies the path of a directory that contains Certifi‐
> cate Authority certificates in separate individual files.
> The TLS_CACERT is always used before TLS_CACERTDIR. This
> parameter is ignored with GNUtls.
>
>
>> <snip>
>>
I think these may be the wrong variables. If I recall correctly, those
variables are for /etc/openldap/ldap.conf and control openldap (and
openldap related queries). pam uses /etc/ldap.conf.
do "man nss_ldap" to
see the configuration variables for /etc/ldap.conf - they are similar enough to
/etc/openldap/ldap.conf to cause confusion.
I believe the
variables are set like this:
ssl start_tls
tls_checkpeer yes
tls_cacertfile /usr/share/ca-certificates/CA.pem
or whatever the path happens to be. Again, I'm not an expert - just
sharing what we did that worked - John
3:25 a.m.
John A. Sullivan III a écrit :
On Wed, 2009-06-24 at 18:55 +0200, Jean-Noel Chardron wrote:
> Dumbo Q a écrit :
>
>> I've managed to get past the the strangely obscure method of
>> installing an SSL certificate, and from the server side everything
>> appears to be OK. Actually its a "CACert" certificate, rather then
>> self signed. Using Jxplorer, I can connect the the DS using SSL,
>> accept the certificate, and I'm all set.
>>
>> However, I am having a ton of trouble figuring out how to use an
>> untrusted ca for my linux user authentication. I changed
>> /etc/ldap.conf to use ldaps://, and it attemtps to connect as
>> expected. I think this would work, if I could figure out how to tell
>> it to accept the certificate. I get the following error message in DS
>> after running getent passwd.
>>
>> [24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does not
>> recognize and trust the CA that issued your certificate.
>> [24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does not
>> recognize and trust the CA that issued your certificate.
>>
>>
>> Any thoughts?
>>
>>
> I think you have to use the directive TLS_CACERT or TLS_CACERT_DIR in
> /etc/ldap.conf
> man ldap.conf :
> TLS_CACERT <filename>
> Specifies the file that contains certificates for all of
> the Certificate Authorities the client will recognize.
>
> TLS_CACERTDIR <path>
> Specifies the path of a directory that contains Certifi‐
> cate Authority certificates in separate individual files.
> The TLS_CACERT is always used before TLS_CACERTDIR. This
> parameter is ignored with GNUtls.
>
>
>> <snip>
>>
I think these may be the wrong variables. If I recall correctly, those
variables are for /etc/openldap/ldap.conf and control openldap (and
openldap related queries). pam uses /etc/ldap.conf. I believe the
variables are set like this:
ssl start_tls
tls_checkpeer yes
tls_cacertfile /usr/share/ca-certificates/CA.pem
or whatever the path happens to be. Again, I'm not an expert - just
sharing what we did that worked - John
that's correct
I apologize, I made a mistake
--
Jean-Noel Chardron
5419
days inactive
5420
days old
389-users@lists.fedoraproject.org
11 comments
5 participants
participants (5)
-
David Christensen -
Dumbo Q -
jean-Noël Chardron -
John A. Sullivan III -
Rich Megginson