[Fedora-directory-users] Using certs from MS CA server

J Davis mrsalty0 at gmail.com
Mon Jul 16 19:14:19 UTC 2007


Thanks, Joshua. This is very helpful.

-Jake



On 7/16/07, Joshua M. Miller <joshua at itsecureadmin.com> wrote:
>
> Hi David,
>
> If you are using a self-signed certificate (ie, the CN on the CA cert is
> the same domain as the CN on the LDAP cert) then OpenLDAP will reject
> the certificate by default.
>
> You can see from the message that it found the certificate by the
> message "certificate verify failed" in the error message.
>
> If you want to keep using this certificate, you can add the following
> line to your /etc/openldap/ldap.conf:
>
> TLS_REQCERT never
>
> This will allow ldapsearch to function while ignoring this error.
>
> Please note the consequences of this action in the man page for ldap.conf.
>
> Good luck,
> --
> Joshua M. Miller - RHCE,VCP
>
>
> J Davis wrote:
> > Hello,
> >
> > I have FDS 1.0.4 running using an SSL certificate generated by a
> > Microsoft windows 2003 CA server.
> > I chose this method as opposed to the setupssl.sh script from the wiki
> > because I have read in the list archives that it is the best way to
> > avoid trust issues when setting up PassSync over SSL between FDS and AD.
> > I'm having a hard time finding references for configuring this properly
> > and I know very little about SSL certificates so I'm making some guesses
> > and likely missing a crucial step or two.
> > The problem is that when trying to bind to the FDS using SSL I get
> > certificate verification errors.
> >
> >  > # ldapsearch -x -H ldaps://localhost/
> >  > ldap_bind: Can't contact LDAP server (-1)
> >  >         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> >
> > Here's how I set up the certificates...
> > 1. Generated a CSR using the FDS console wizard and submitted it to the
> > MS CA.
> > 2. Imported the CA certificate (called "it") and the signed
> > "server-cert" resulting from step 1 from the MS CA using the FDS admin
> > console.
> > 3. Enabled SSL (port 636) in the directory server using server-cert from
> > step 1.
> >
> > I used certutil to display the list of certificates in the FDS cert db.
> >  > [alias]# ../shared/bin/certutil -L -d . -P slapd-<instance>-
> >  > server-cert    u,u,u
> >  > it                   CT,,
> >
> > Then verified that "server-cert" was considered valid.
> >  > [alias]# ../shared/bin/certutil -V -n server-cert -e -u V -d . -P slapd-<instance>-
> >  > Enter Password or Pin for "NSS Certificate DB":
> >  > certutil-bin: certificate is valid
> >
> > I also verified that I can connect using openssl client.
> >  > # openssl s_client -connect localhost:636 -showcerts -CAfile /path/to/it_ca.crt
> >   --snip--
> >  >     Verify return code: 0 (ok)
> >  > ---
> >
> > Any hints as to what I might be doing wrong are greatly appreciated.
> >
> > Thanks,
> > -Jake
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
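Added example, not from the thread: Joshua's `TLS_REQCERT never` makes ldapsearch accept any server certificate at all, which is the consequence the ldap.conf man page warns about. The setting that instead makes Jake's setup verify correctly is to point `TLS_CACERT` at the same MS CA certificate his `openssl s_client -CAfile` run already trusted. `TLS_REQCERT`, `TLS_CACERT` and `TLS_CACERTDIR` are real OpenLDAP ldap.conf directives; the file paths, base DN and the `check_ldap_conf` audit function are constructed for this example.

```shell
#!/bin/sh
# Audit an OpenLDAP client ldap.conf for the "verify nothing" setting and
# show the corrected configuration beside it. Example code, not from the list.

# Weak: any certificate, from any CA, is accepted (constructed sample).
WEAK_CONF='BASE dc=example,dc=com
URI ldaps://localhost/
TLS_REQCERT never'

# Corrected: trust the CA that signed server-cert and keep verification on.
# "demand" is already the OpenLDAP default; it is spelled out for clarity.
# The CA path is the one from Jake's openssl command (constructed sample).
GOOD_CONF='BASE dc=example,dc=com
URI ldaps://localhost/
TLS_CACERT /path/to/it_ca.crt
TLS_REQCERT demand'

# check_ldap_conf FILE
# Prints findings; returns 0 when server certificates are verified against a
# configured CA, 1 when verification is disabled or no CA is configured.
check_ldap_conf() {
    file=$1
    rc=0
    # Directive names are case-insensitive; take the last occurrence, as OpenLDAP does.
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT"{print tolower($2)}' "$file" | tail -n 1)
    cacert=$(awk 'toupper($1)=="TLS_CACERT"{print $2}' "$file" | tail -n 1)
    cadir=$(awk 'toupper($1)=="TLS_CACERTDIR"{print $2}' "$file" | tail -n 1)
    reqcert=${reqcert:-demand}   # unset means the default, "demand"

    case "$reqcert" in
        never|allow)
            echo "WEAK: TLS_REQCERT $reqcert disables server certificate verification"
            rc=1 ;;
    esac
    if [ "$rc" -eq 0 ] && [ -z "$cacert" ] && [ -z "$cadir" ]; then
        echo "WEAK: no TLS_CACERT or TLS_CACERTDIR, so a private CA such as the MS CA is not trusted"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "ok: TLS_REQCERT $reqcert with CA ${cacert:-$cadir}"
    fi
    return "$rc"
}

# Demo: write both sample configs to a temp dir and audit them.
demo_dir=$(mktemp -d)
printf '%s\n' "$WEAK_CONF" > "$demo_dir/weak.conf"
printf '%s\n' "$GOOD_CONF" > "$demo_dir/good.conf"
check_ldap_conf "$demo_dir/weak.conf" || echo "(weak.conf exit status $?)"
check_ldap_conf "$demo_dir/good.conf" || echo "(good.conf exit status $?)"
rm -rf "$demo_dir"
```

The same `TLS_CACERT` line can be set per command with the `LDAPTLS_CACERT` environment variable, which is a convenient way to confirm the CA file works before editing /etc/openldap/ldap.conf.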