[389-users] OS to authenticate to DS using TLS
John A. Sullivan III
jsullivan at opensourcedevel.com
Wed Jun 17 14:46:37 UTC 2009
I believe we encountered this problem, too, and found we needed to
import the CA cert into the nss database for the user running
centos-idm-console. The details are in that long, long, post - John
On Wed, 2009-06-17 at 09:12 -0500, Doug Coats wrote:
> Thanks Dave - that worked.
>
> I am still having some problems with the certificates though.
>
> If I try this in the directory where the certificates are:
>
> openssl s_client -connect localhost:636 -CAfile filename
>
> I get a listing of the certificates without errors.
>
> If I try:
>
> ldapsearch -H ldaps://localhost:636
>
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> If I start the console using:
>
> centos-idm-console -a https://127.0.0.1:9830
>
> I have to "Accept" the certificate each time.
>
> It looks like there may be some problem with the certificate or some
> setting in DS that still needs to be switched on.
>
> What do you think?
>
> Thanks again for all of your help!
>
>
> On Wed, Jun 17, 2009 at 7:58 AM, David (Dave) Donnan
> <david.donnan at thalesgroup.com> wrote:
> Hello. I think I understand the problem.
>
> I copied the CA cert locally to /tmp/CAcert.txt
>
> I then ran 'system-config-authentication' and used a URL like
> the following (where it says 'Download CA Certificate'):
>
> file:///tmp/CAcert.txt
>
> It's a lazy man's approach but it worked.
>
> Cdlt, Dave
> --------
>
>
>
> And John A. Sullivan III wrote:
> > On Tue, 2009-06-16 at 19:25 -0500, Doug Coats wrote:
> >
> > > So my next hurdle I am tackling SSL certificates. I produced
> > > self-signed certificates and have installed them in through the
> > > Management Console. I can run the Management Console using a secure
> > > connection.
> > >
> > > Linux uses DS to authenticate (configured using System >
> > > Administration > Authentication and enabling LDAP support). If I try
> > > to "Use TLS to encrypt connection" I can't program a URL that will let
> > > me download the CA Certificate successfully. I hope that all made
> > > sense.
> > >
> > > Am I missing something? Do I need this?
> > >
> > <snip>
> >
> > Sorry, I don't quite follow. I know it was a difficult to follow post
> > but I did post how we set up SSL communications including the client
> > side setup. We simply copied the CA cert to the clients (servers using
> > LDAP for authentication) via scp - John
> >
>
>
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
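The thread above compares three client-side checks that all hinge on the same thing: whether the client trusts the CA that signed the directory server's certificate. `openssl s_client -CAfile` succeeds because the CA file is passed explicitly; `ldapsearch` fails because the OpenLDAP client library has not been told where that CA is (it reads `TLS_CACERT` from ldap.conf, or `LDAPTLS_CACERT` from the environment); and the console prompts every time because its NSS database does not contain the CA. The script below is an added example, not code from the thread or from the 389 project. It builds a throwaway CA and a server certificate for localhost in a temporary directory (so it runs offline, with no directory server), shows that verification passes only when the CA file is supplied, writes an ldap.conf fragment pointing `TLS_CACERT` at that CA, and, where `certutil` is installed, imports the CA into a fresh NSS database the way one would for the console user. The file names, the NSS database location and the "Example Test CA" name are assumptions for illustration; the real console database path depends on the installation.

```shell
#!/bin/sh
# Added example for the 389-users thread; not the project's own code.
# Assumes openssl is installed; certutil (NSS tools) is optional.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch dir for the throwaway PKI (assumption)

# Build a private CA and a server cert for localhost signed by it.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 2 -out "$WORK/server.pem" >/dev/null 2>&1
}

# Same check as 'openssl s_client -CAfile ...' in the thread, but on the
# certificate file alone: returns 0 if server.pem chains to the CA in $1.
verify_with_ca() {
  openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1
}

# What ldapsearch effectively did: no private CA configured, so the chain
# cannot be built. -no-CAfile/-no-CApath keep the host trust store out of it.
verify_without_ca() {
  openssl verify -no-CAfile -no-CApath "$WORK/server.pem" >/dev/null 2>&1
}

# The client-side setting the thread's ldapsearch run was missing.  On a real
# host this goes in /etc/openldap/ldap.conf (or ~/.ldaprc); here it is written
# to $WORK so the example stays self-contained.  TLS_REQCERT demand is the
# default and is what makes an untrusted CA a hard failure rather than a warning.
write_ldap_conf() {
  cat > "$WORK/ldap.conf" <<EOF
URI ldaps://localhost:636
TLS_CACERT $WORK/ca.pem
TLS_REQCERT demand
EOF
  # the same effect for one shell session, without editing the file:
  #   LDAPTLS_CACERT=$WORK/ca.pem ldapsearch -H ldaps://localhost:636 ...
}

# For the console: import the CA as a trusted CA ("CT,,") into an NSS database.
# The console's own database path is installation-specific (assumption); a
# fresh database under $WORK is used here.  Returns 0 if the cert is listed
# afterwards, 2 if certutil is not available on this host.
import_ca_into_nssdb() {
  command -v certutil >/dev/null 2>&1 || return 2
  db="$WORK/nssdb"
  mkdir -p "$db"
  : > "$WORK/nss.pw"                                  # empty database password
  certutil -N -d "$db" -f "$WORK/nss.pw" >/dev/null 2>&1
  certutil -A -d "$db" -n "Example Test CA" -t "CT,," -i "$WORK/ca.pem" >/dev/null 2>&1
  certutil -L -d "$db" -n "Example Test CA" >/dev/null 2>&1
}

# Stand-alone run: build the PKI and report each check.
if [ "${EXAMPLE_MAIN:-1}" = "1" ]; then
  make_test_pki
  if verify_with_ca "$WORK/ca.pem"; then echo "with -CAfile: verify OK"; fi
  if verify_without_ca; then echo "without CA: verify OK (unexpected)"; else echo "without CA: certificate verify failed"; fi
  write_ldap_conf && echo "wrote $WORK/ldap.conf"
  import_ca_into_nssdb && echo "CA imported into $WORK/nssdb" || echo "certutil not available, NSS step skipped"
fi
```

Once the real CA file is in place, re-run Doug's two commands from the thread: `openssl s_client -connect localhost:636 -CAfile <ca>` should still verify, and `ldapsearch -H ldaps://localhost:636` should now bind instead of reporting `certificate verify failed`. The `TLS_CACERT` line is the one thing `ldapsearch` uses that `s_client -CAfile` does not need; the NSS import is the separate step John mentions for the console user.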