1:05 p.m.
Just basic stuff...I promise I have been through the wiki and the
Administrator's guide (managing SSL and SASL) several times.
Using openssl generated CA certificate and used that to sign CSR's from
console application and loaded them all into console application. Have
restarted FDS and it seems to be happy - but just to confirm...
lifted from /opt/fedora-ds/slapd-srv1/logs/errors
[09/Dec/2005:08:33:47 -0700] - Fedora-Directory/1.0.1 B2005.342.165
starting up
[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher AES in
backend userRoot, attempting to create one...
[09/Dec/2005:08:33:47 -0700] - Key for cipher AES successfully generated
and stored
[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher 3DES in
backend userRoot, attempting to create one...
[09/Dec/2005:08:33:47 -0700] - Key for cipher 3DES successfully
generated and stored
[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher AES in
backend NetscapeRoot, attempting to create one...
[09/Dec/2005:08:33:48 -0700] - Key for cipher AES successfully generated
and stored
[09/Dec/2005:08:33:48 -0700] - No symmetric key found for cipher 3DES in
backend NetscapeRoot, attempting to create one...
[09/Dec/2005:08:33:48 -0700] - Key for cipher 3DES successfully
generated and stored
[09/Dec/2005:08:33:48 -0700] - slapd started. Listening on All
Interfaces port 389 for LDAP requests
[09/Dec/2005:08:33:48 -0700] - Listening on All Interfaces port 636 for
LDAPS requests
MY PROBLEM
# ldapsearch -ZZ '(uid=jim)'
ldap_start_tls: Connect error (-11)
additional info: Start TLS request accepted.Server willing to
negotiate SSL.
# tail -n4 /opt/fedora-ds/slapd-srv1/logs/access
[09/Dec/2005:11:55:26 -0700] conn=83 op=5 fd=68 closed - U1
[09/Dec/2005:12:00:58 -0700] conn=84 fd=68 slot=68 connection from
127.0.0.1 to 127.0.0.1
[09/Dec/2005:12:00:58 -0700] conn=84 op=0 EXT
oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[09/Dec/2005:12:00:58 -0700] conn=84 op=0 RESULT err=0 tag=120
nentries=0 etime=0
[09/Dec/2005:12:00:58 -0700] conn=84 op=-1 fd=68 closed - Encountered
end of file.
# tail -n 7 /etc/openldap/ldap.conf
URI ldap://srv1.clsurvey.com
HOST srv1.clsurvey.com
BASE dc=clsurvey,dc=com
TLS_CACERTDIR /etc/ssl
TLS_CACERT server.crt
pam_password md5
TLS_REQCERT allow
My thinking is that this somehow has something to do with the TLS_CACERT
in /etc/openldap/ldap.conf (the certificate for the client).
Would this be the issue?
Is there a better method for creating the client certificate from either
the CA certificate (generated by openssl) or from the FDS Server
Certificate (also generated by openssl)?
Craig
1:31 p.m.
My thinking is that this somehow has something to do with the
TLS_CACERT
in /etc/openldap/ldap.conf (the certificate for the client).
In general most folk don't need client certs, but AFAIK the openldap
ldapsearch
_requires_ that you present a client cert.
Would this be the issue?
Probably yes. Shouldn't you be using a user-specific ldap.conf for your
client-side config ?
Is there a better method for creating the client certificate from
either
the CA certificate (generated by openssl) or from the FDS Server
Certificate (also generated by openssl)?
Provided the client cert was signed by the same CA as the server cert,
you should be ok. The client cert has no relationship per se with the
server cert.
3:20 p.m.
>My thinking is that this somehow has something to do with the TLS_CACERT
>in /etc/openldap/ldap.conf (the certificate for the client).
>
>
In general most folk don't need client certs, but AFAIK the openldap
ldapsearch
_requires_ that you present a client cert.
by default, yes. That's what we call a "safe" default. If you specify
"TLS_REQCERT never", as documented in ldap.conf(5), that does the trick.
>Would this be the issue?
>
>
Probably yes. Shouldn't you be using a user-specific ldap.conf for your
client-side config ?
>Is there a better method for creating the client certificate from either
>the CA certificate (generated by openssl) or from the FDS Server
>Certificate (also generated by openssl)?
>
>
Provided the client cert was signed by the same CA as the server cert,
you should be ok. The client cert has no relationship per se with the
server cert.
If the client's CA is not the same as the server's CA, you need the server
to know about the CA's cert, and let it know it's trusted. I don't know
the details for FDS, though. Note that if the client is to verify the
srrver's CA, the same issue with reversed players arises.
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
Ing. Pierangelo Masarati
Responsabile Open Solution
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati(a)sys-net.it
------------------------------------------
1:31 p.m.
Craig White wrote:
Just basic stuff...I promise I have been through the wiki and the
Administrator's guide (managing SSL and SASL) several times.
Using openssl generated CA certificate and used that to sign CSR's from
console application and loaded them all into console application. Have
restarted FDS and it seems to be happy - but just to confirm...
lifted from /opt/fedora-ds/slapd-srv1/logs/errors
[09/Dec/2005:08:33:47 -0700] - Fedora-Directory/1.0.1 B2005.342.165
starting up
[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher AES in
backend userRoot, attempting to create one...
[09/Dec/2005:08:33:47 -0700] - Key for cipher AES successfully generated
and stored
[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher 3DES in
backend userRoot, attempting to create one...
[09/Dec/2005:08:33:47 -0700] - Key for cipher 3DES successfully
generated and stored
[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher AES in
backend NetscapeRoot, attempting to create one...
[09/Dec/2005:08:33:48 -0700] - Key for cipher AES successfully generated
and stored
[09/Dec/2005:08:33:48 -0700] - No symmetric key found for cipher 3DES in
backend NetscapeRoot, attempting to create one...
[09/Dec/2005:08:33:48 -0700] - Key for cipher 3DES successfully
generated and stored
[09/Dec/2005:08:33:48 -0700] - slapd started. Listening on All
Interfaces port 389 for LDAP requests
[09/Dec/2005:08:33:48 -0700] - Listening on All Interfaces port 636 for
LDAPS requests
MY PROBLEM
# ldapsearch -ZZ '(uid=jim)'
ldap_start_tls: Connect error (-11)
additional info: Start TLS request accepted.Server willing to
negotiate SSL.
Looks like openldap and FDS are not responding to the startTLS operation
the same way. Try
ldapsearch -v ...
or
ldapsearch -d 1 ...
# tail -n4 /opt/fedora-ds/slapd-srv1/logs/access
[09/Dec/2005:11:55:26 -0700] conn=83 op=5 fd=68 closed - U1
[09/Dec/2005:12:00:58 -0700] conn=84 fd=68 slot=68 connection from
127.0.0.1 to 127.0.0.1
[09/Dec/2005:12:00:58 -0700] conn=84 op=0 EXT
oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[09/Dec/2005:12:00:58 -0700] conn=84 op=0 RESULT err=0 tag=120
nentries=0 etime=0
[09/Dec/2005:12:00:58 -0700] conn=84 op=-1 fd=68 closed - Encountered
end of file.
# tail -n 7 /etc/openldap/ldap.conf
URI ldap://srv1.clsurvey.com
HOST srv1.clsurvey.com
BASE dc=clsurvey,dc=com
TLS_CACERTDIR /etc/ssl
TLS_CACERT server.crt
pam_password md5
TLS_REQCERT allow
My thinking is that this somehow has something to do with the TLS_CACERT
in /etc/openldap/ldap.conf (the certificate for the client).
Would this be the issue?
Is there a better method for creating the client certificate from either
the CA certificate (generated by openssl) or from the FDS Server
Certificate (also generated by openssl)?
Craig
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
2:13 p.m.
On Fri, 2005-12-09 at 12:31 -0700, Richard Megginson wrote:
Craig White wrote:
>Just basic stuff...I promise I have been through the wiki and the
>Administrator's guide (managing SSL and SASL) several times.
>
>Using openssl generated CA certificate and used that to sign CSR's from
>console application and loaded them all into console application. Have
>restarted FDS and it seems to be happy - but just to confirm...
>
>lifted from /opt/fedora-ds/slapd-srv1/logs/errors
>[09/Dec/2005:08:33:47 -0700] - Fedora-Directory/1.0.1 B2005.342.165
>starting up
>[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher AES in
>backend userRoot, attempting to create one...
>[09/Dec/2005:08:33:47 -0700] - Key for cipher AES successfully generated
>and stored
>[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher 3DES in
>backend userRoot, attempting to create one...
>[09/Dec/2005:08:33:47 -0700] - Key for cipher 3DES successfully
>generated and stored
>[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher AES in
>backend NetscapeRoot, attempting to create one...
>[09/Dec/2005:08:33:48 -0700] - Key for cipher AES successfully generated
>and stored
>[09/Dec/2005:08:33:48 -0700] - No symmetric key found for cipher 3DES in
>backend NetscapeRoot, attempting to create one...
>[09/Dec/2005:08:33:48 -0700] - Key for cipher 3DES successfully
>generated and stored
>[09/Dec/2005:08:33:48 -0700] - slapd started. Listening on All
>Interfaces port 389 for LDAP requests
>[09/Dec/2005:08:33:48 -0700] - Listening on All Interfaces port 636 for
>LDAPS requests
>
>MY PROBLEM
># ldapsearch -ZZ '(uid=jim)'
>ldap_start_tls: Connect error (-11)
> additional info: Start TLS request accepted.Server willing to
>negotiate SSL.
>
>
Looks like openldap and FDS are not responding to the startTLS operation
the same way. Try
ldapsearch -v ...
or
ldapsearch -d 1 ...
----
OK - instructions don't entirely cover the issue when you use openldap
client version of ldapsearch
ldapsearch -x -ZZ '(uid=jim)' # no problem
the -x was still required for ssl (ldaps://server:636 and
ldap://server:389) when not using SASL
thanks
and thanks David - it helped clarify things
Craig
6713
days inactive
6713
days old
389-users@lists.fedoraproject.org
4 comments
4 participants
participants (4)
-
Craig White -
David Boreham -
Pierangelo Masarati -
Rich Megginson