[Fedora-directory-users] ssl certificate problem
Paolo Ercolani
paolo.ercolani at postel.it
Tue Apr 17 10:13:13 UTC 2007
Paolo Ercolani wrote:
Hi. I'm new to this list and for a week I've really been fighting with
Directory Server. I followed some howtos and downloaded a lot of
documents, but I can't get out of trouble. I need to log in from
my Linux boxes to the LDAP directory server. If I try to use my test
user in clear mode I can do that. The problem is when I try to
configure a self-signed certificate. I'll not describe all the tests
I've done, I'll tell you just the last one! I created my cacert.pem on
the LDAP server and installed it from the console. It goes and it's
OK. Then I used openssl to generate a private key and a certificate
request, then I signed it. That's what I did:
openssl genrsa -out privkey.pem 2048
openssl req -new -key privkey.pem -out PEM.csr
openssl ca -cert cacert.pem -in PEM.csr -out cert.pem
I copied cacert.pem, privkey.pem and cert.pem to the client and
configured ldap.conf on it:
URI ldaps://<ldapserver>:636
BASE ou=UTENTI,o=postel,c=com
host kingu.postel.com
TLS_REQCERT allow
TLS_CHECKPEER yes
TLS_CACERTDIR /etc/ssl
TLS_CACERT /etc/ssl/cacert.pem
TLS_CERT /etc/ssl/cert.pem
TLS_KEY /etc/ssl/privkey.pem
I activated SSL on my LDAP server and installed my cacert.pem on
it. I didn't do anything else. I also tried to generate a certificate
request from Directory Server and to sign it with my cacert.pem.
Then I imported it as my server-cert. It imported it, but login
still didn't go.
> I'm unclear on this last step. What do you mean by login still didn't
> go? Because the access log excerpt below would seem to indicate that
> the OS did search for and find the login name.
Yes. Reading the logs, it seems login goes OK. But my client can't really
log in and I don't know what I can check. The client asks me for the
password again, but I'm sure it's the right one. Have you any ideas for
checking something?
Thanks in advance.
Paolo.
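Before chasing the login itself, the three files from the message (cacert.pem, cert.pem, privkey.pem) can be checked against each other and against the host name in ldap.conf. The script below is an added example, not something posted in this thread; it assumes openssl is on PATH and takes the file names and the host name as arguments.

```sh
#!/bin/sh
# Added example (not from the original post): sanity-check the CA cert,
# server cert and private key before wiring them into ldap.conf.
# Assumes openssl is on PATH; file names and host are whatever is passed.

# check_chain CA CERT KEY HOST
# Prints one line per check and returns 0 only if every check passes.
check_chain() {
    ca=$1 cert=$2 key=$3 host=$4 rc=0

    # 1. Is the server cert really signed by the CA cert? A CA that
    #    "goes ok" on the server is useless if cert.pem was signed by
    #    some other key (e.g. an earlier test CA).
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "ok: $cert chains to $ca"
    else
        echo "FAIL: $cert does not verify against $ca"; rc=1
    fi

    # 2. Does the private key belong to the cert? Compare the public
    #    keys each one carries (hash of the PEM SubjectPublicKeyInfo).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "ok: $key matches $cert"
    else
        echo "FAIL: $key is not the private key for $cert"; rc=1
    fi

    # 3. Does the subject CN match the name the client connects to (the
    #    host line in ldap.conf)? Only the CN is compared here, not
    #    subjectAltName, which is what older clients looked at anyway.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" = "$host" ]; then
        echo "ok: CN '$cn' matches host $host"
    else
        echo "FAIL: CN '$cn' does not match host $host"; rc=1
    fi
    return $rc
}

# Usage: sh check_chain.sh cacert.pem cert.pem privkey.pem kingu.postel.com
if [ "$#" -eq 4 ]; then
    check_chain "$@"
fi
```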