[Fedora-directory-users] Using certs from MS CA server
J Davis
mrsalty0 at gmail.com
Mon Jul 16 19:14:19 UTC 2007
Thanks, Joshua. This is very helpful.
-Jake
On 7/16/07, Joshua M. Miller <joshua at itsecureadmin.com> wrote:
>
> Hi David,
>
> If you are using a self-signed certificate (i.e., the CN on the CA cert is
> the same domain as the CN on the LDAP cert) then OpenLDAP will reject
> the certificate by default.
>
> You can see from the message that it found the certificate by the
> message "certificate verify failed" in the error message.
>
> If you want to keep using this certificate, you can add the following
> line to your /etc/openldap/ldap.conf:
>
> TLS_REQCERT never
>
> This will allow ldapsearch to function while ignoring this error.
>
> Please note the consequences of this action in the man page for ldap.conf.
>
> Good luck,
> --
> Joshua M. Miller - RHCE,VCP
>
>
> J Davis wrote:
> > Hello,
> >
> > I have FDS 1.0.4 running using an SSL certificate generated by a
> > Microsoft Windows 2003 CA server.
> > I chose this method as opposed to the setupssl.sh script from the wiki
> > because I have read in the list archives that it is the best way to
> > avoid trust issues when setting up PassSync over SSL between FDS and AD.
> > I'm having a hard time finding references for configuring this properly
> > and I know very little about SSL certificates so I'm making some guesses
> > and likely missing a crucial step or two.
> > The problem is that when trying to bind to the FDS using SSL I get
> > certificate verification errors.
> >
> > > # ldapsearch -x -H ldaps://localhost/
> > > ldap_bind: Can't contact LDAP server (-1)
> > > additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> >
> > Here's how I set up the certificates...
> > 1. Generated a CSR using the FDS console wizard and submitted it to the
> > MS CA.
> > 2. Imported the CA certificate (called "it") and the signed
> > "server-cert" resulting from step 1 from the MS CA using the FDS admin
> > console.
> > 3. Enabled SSL (port 636) in the directory server using server-cert from
> > step 1.
> >
> > I used certutil to display the list of certificates in the FDS cert db.
> > > [alias]# ../shared/bin/certutil -L -d . -P slapd-<instance>-
> > > server-cert u,u,u
> > > it CT,,
> >
> > Then verified that "server-cert" was considered valid.
> > > [alias]# ../shared/bin/certutil -V -n server-cert -e -u V -d . -P slapd-<instance>-
> > > Enter Password or Pin for "NSS Certificate DB":
> > > certutil-bin: certificate is valid
> >
> > I also verified that I can connect using the openssl client.
> > > # openssl s_client -connect localhost:636 -showcerts -CAfile /path/to/it_ca.crt
> > --snip--
> > > Verify return code: 0 (ok)
> > > ---
> >
> > Any hints as to what I might be doing wrong are greatly appreciated.
> >
> > Thanks,
> > -Jake
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
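As an added illustration (not part of the thread), the two ldap.conf variants side by side: the TLS_REQCERT never line from the reply, which turns off server certificate verification, and the alternative of pointing TLS_CACERT at the issuing CA, which keeps verification on. /path/to/it_ca.crt is assumed to be the same CA file that made openssl s_client return "Verify return code: 0 (ok)".

```conf
# /etc/openldap/ldap.conf  (added example; the CA path is an assumption)

# Variant A, the workaround quoted in the reply: ldapsearch connects, but
# the server certificate is never checked, so any certificate is accepted.
#TLS_REQCERT never

# Variant B: trust the CA that signed server-cert, so the chain is verified.
# This is the same file used with "openssl s_client -CAfile" above.
TLS_CACERT /path/to/it_ca.crt
# "demand" is the ldap.conf(5) default: verification failure aborts the bind.
TLS_REQCERT demand
```

With TLS_REQCERT demand, connect with the hostname that appears in the certificate's CN/SAN rather than localhost, otherwise the hostname check still fails.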