[389-users] Start TLS and 389 Directory
Kyle Flavin
kyle.flavin at gmail.com
Fri Sep 28 03:11:46 UTC 2012
Hi, I've been struggling to setup 389 Directory server with Start TLS.
I have a multi-master replication working with four server. From an
external client running openldap's ldapsearch, I'm trying to do the
following:
ldapsearch -ZZ -x -h "myserver" -b "dc=example,dc=com" -D "cn=Directory
Manager" -W ""
I get an unsupported protocol error on servers that do not have
certificates installed.
In an attempt to resolve this, I tried to install a self-signed cert. I
created a ca.cert and a server.crt, and imported them into the Directory
Server. I then imported the ca.cert to the admin server. When I attempted
to import the same server.crt to the admin server, I got an error message
stating the certificate was for another host. Since the admin server and
directory server reside on the same host, if I generate a new request, it
will have an identical host name (I'm not sure if that's relevant to my
issue). After all of that, I now receive a "Connect Error
SSL3_GET_SERVER_CERTIFICATE:certificate verify failed". I'm guessing I
need to import the root cert onto the client somehow, but I'm not sure how
to go about doing that.
This has become pretty time consuming, so I was hoping that someone more
knowledgeable could confirm that I'm at least travelling down the right
path. I've been following this Red Hat document:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_SSL.html#Starting_the_Server_with_SSL_Enabled-Enabling_SSL_in_the_DS_Admin_Server_and_Console
Thanks,
Kyle
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20120927/2ee12ad1/attachment.html>
More information about the 389-users
mailing list