[Fedora-directory-users] Using certs from MS CA server

Joshua M. Miller joshua at itsecureadmin.com
Mon Jul 16 16:19:29 UTC 2007


Hi David,

If you are using a self-signed certificate (i.e., the CN on the CA cert is 
the same domain as the CN on the LDAP cert) then OpenLDAP will reject 
the certificate by default.

You can see from the message that it found the certificate by the 
message "certificate verify failed" in the error message.

If you want to keep using this certificate, you can add the following 
line to your /etc/openldap/ldap.conf:

TLS_REQCERT never

This will allow ldapsearch to function while ignoring this error.

Please note the consequences of this action in the man page for ldap.conf.

Good luck,
--
Joshua M. Miller - RHCE,VCP


J Davis wrote:
> Hello,
> 
> I have FDS 1.0.4 running using an SSL certificate generated by a 
> Microsoft Windows 2003 CA server.
> I chose this method as opposed to the setupssl.sh script from the wiki 
> because I have read in the list archives that it is the best way to 
> avoid trust issues when setting up PassSync over SSL between FDS and AD. 
> I'm having a hard time finding references for configuring this properly 
> and I know very little about SSL certificates so I'm making some guesses 
> and likely missing a crucial step or two.
> The problem is that when trying to bind to the FDS using SSL I get 
> certificate verification errors.
> 
>  > # ldapsearch -x -H ldaps://localhost/
>  > ldap_bind: Can't contact LDAP server (-1)
>  >         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> 
> Here's how I set up the certificates...
> 1. Generated a CSR using the FDS console wizard and submitted it to the 
> MS CA.
> 2. Imported the CA certificate (called "it") and the signed 
> "server-cert" resulting from step 1 from the MS CA using the FDS admin 
> console.
> 3. Enabled SSL (port 636) in the directory server using server-cert from 
> step 1.
> 
> I used certutil to display the list of certificates in the FDS cert db.
>  > [alias]# ../shared/bin/certutil -L -d . -P slapd-<instance>-
>  > server-cert    u,u,u
>  > it                   CT,,
> 
> Then verified that "server-cert" was considered valid.
>  > [alias]# ../shared/bin/certutil -V -n server-cert -e -u V -d . -P slapd-<instance>-
>  > Enter Password or Pin for "NSS Certificate DB":
>  > certutil-bin: certificate is valid
> 
> I also verified that I can connect using the openssl client.
>  > # openssl s_client -connect localhost:636 -showcerts -CAfile /path/to/it_ca.crt
>   --snip--
>  >     Verify return code: 0 (ok)
>  > ---
> 
> Any hints as to what I might be doing wrong are greatly appreciated.
> 
> Thanks,
> -Jake
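As an added check, not code from the thread: a small POSIX shell audit of an OpenLDAP client ldap.conf for the settings discussed above. It flags TLS_REQCERT never (or allow) as weak, since that silences "certificate verify failed" by skipping verification, and reports whether a readable TLS_CACERT or TLS_CACERTDIR is configured instead; the config contents and paths used in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the list thread): audit an OpenLDAP client
# ldap.conf for its TLS verification posture. Returns 0 when the file
# would verify the server certificate against a configured CA, 1 otherwise.

# Print the value of a directive, ignoring comments; keys are matched
# case-insensitively, as ldap.conf does. Prints an empty line if unset.
ldap_conf_get() {
    conf="$1"; key="$2"
    awk -v k="$key" 'toupper($1) == k { v = $2 } END { print v }' "$conf"
}

# Classify an ldap.conf file:
#   weak   - TLS_REQCERT is never or allow (server cert not enforced)
#   no-ca  - verification required but no readable TLS_CACERT/TLS_CACERTDIR
#   ok     - verification required and a CA file or directory is configured
# The ldap.conf default for TLS_REQCERT is demand.
audit_ldap_conf() {
    conf="$1"
    reqcert=$(ldap_conf_get "$conf" TLS_REQCERT | tr 'A-Z' 'a-z')
    cacert=$(ldap_conf_get "$conf" TLS_CACERT)
    cadir=$(ldap_conf_get "$conf" TLS_CACERTDIR)
    case "${reqcert:-demand}" in
        never|allow) echo weak; return 1 ;;
    esac
    if [ -r "$cacert" ] || [ -d "$cadir" ]; then
        echo ok; return 0
    fi
    echo no-ca; return 1
}

# Demo on a constructed config (placeholder content, not a real system file).
demo_conf=$(mktemp)
printf 'URI ldaps://localhost/\nTLS_REQCERT never\n' > "$demo_conf"
audit_ldap_conf "$demo_conf" \
    || echo "fix: set TLS_CACERT /path/to/it_ca.crt and TLS_REQCERT demand"
rm -f "$demo_conf"
```

Run it against /etc/openldap/ldap.conf once the CA certificate exported from the MS CA is on disk; the same CA file that made openssl s_client report "Verify return code: 0 (ok)" is the one TLS_CACERT should point at.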
