LDAP SSL Problems (was: service script (/etc/init.d/ldap))

Craig White craigwhite at azapple.com
Mon Nov 14 23:13:43 UTC 2005


On Mon, 2005-11-14 at 14:53 -0800, Daniel B. Thurman wrote:
> >From: fedora-list-bounces at redhat.com
> >[mailto:fedora-list-bounces at redhat.com]On Behalf Of Craig White
> >Sent: Monday, November 14, 2005 11:58 AM
> >To: For users of Fedora Core releases
> >Subject: RE: LDAP SSL Problems (was: service script (/etc/init.d/ldap))
> >
> >
> >On Mon, 2005-11-14 at 11:25 -0800, Daniel B. Thurman wrote:
> >
> >> I think there is perhaps a problem in the way I have
> >> created ssl certificates and may not have done it properly.
> >> I would like to request instructions for creating the slapd.pem
> >> file please?  I used to do this the old way and had a hard
> >> time trying to separate the CA cert, unsigned cert/key and
> >> signed certs - so I don't know which one to use for ldap!
> >----
> >this is what I use...YMMV
> >
> >#### generate openldap certificate ####
> ># the CA key has to exist before the self-signed CA cert is made from it
> >openssl genrsa -out ca.key 1024
> >openssl req -config /usr/share/ssl/openssl.cnf -new -x509 -days 3650 \
> >-key ca.key -out ca.cert
> ># server key and signing request (1024 bits was the 2005 default; too small today, use 2048+)
> >openssl genrsa -out ldap.key 1024
> >openssl req -config /usr/share/ssl/openssl.cnf -new -key ldap.key \
> >-out ldap.csr
> ># sign the request with the CA; ldap.cert is the certificate slapd serves
> >openssl x509 -req -in ldap.csr -out ldap.cert -CA ca.cert -CAkey \
> >ca.key -CAcreateserial -days 3650
> >cp ca.cert /etc/ssl
> >cp ca.key /etc/ssl
> >cp ldap.key /etc/ssl
> >cp ldap.csr /etc/ssl
> >cp ldap.cert /etc/ssl
> >----
> >> 
> >> I noticed that there has been a change from what I am used
> >> to and that there is a new location for certificates and it is
> >> at: /etc/pki/tls specifically.  I tried all kinds of ways to
> >> get this to work and it appears that for some reason, the ldap
> >> programs are unable to find the certificate.
> >> 
> >> I added TLS* directives in /etc/ldap.conf and in
> >> /etc/openldap/slapd.conf (why the redundancy?) and put my created
> >> certs in the /etc/openldap/cacerts directory.
> >> 
> >> It appears from the ldapsearch debug output, that it will
> >> only search for certificates in /etc/pki/tls directory and
> >> *maybe* in /etc/openldap/cacerts (see the '#' in front
> >> of that directory in the debug output).  From the debug output,
> >> it is not clear as to WHAT dir/file was attempted to be opened.
> >----
> >there are the server certs and the client certs and the CA -
> >they are not necessarily the same. The server certs are as directed
> >in /etc/openldap/slapd.conf and the client certs are typically in
> >ldap.conf (perhaps both /etc/ldap.conf and /etc/openldap/ldap.conf) as
> >the former is for padl stuff and the latter is for openldap client stuff
> >such as ldapsearch
> >----
> >> 
> >> Here is the debug output I got:
> >> 
> >> # ldapsearch -d -1 -H ldaps://ldap.cdkkt.com -b dc=cdkkt,dc=com -x
> >> ldap_create
> >> ldap_url_parse_ext(ldaps://ldap.cdkkt.com)
> >> ldap_bind_s
> >> ldap_simple_bind_s
> >> ldap_sasl_bind_s
> >> ldap_sasl_bind
> >> ldap_send_initial_request
> >> ldap_new_connection
> >> ldap_int_open_connection
> >> ldap_connect_to_host: TCP ldap.cdkkt.com:636
> >> ldap_new_socket: 3
> >> ldap_prepare_socket: 3
> >> ldap_connect_to_host: Trying 216.99.218.205:636
> >> ldap_connect_timeout: fd: 3 tm: -1 async: 0
> >> ldap_ndelay_on: 3
> >> ldap_is_sock_ready: 3
> >> ldap_ndelay_off: 3
> >> TLS: could not load client CA list (file:`',dir:`/etc/pki/tls/slapd.pem # /etc/openldap/cacerts').
> >> TLS: error:0200A002:system library:opendir:No such file or directory ssl_cert.c:752
> >> TLS: error:140D7002:SSL routines:SSL_add_dir_cert_subjects_to_stack:system lib ssl_cert.c:754
> >> ldap_perror
> >> ldap_bind: Can't contact LDAP server (-1)
> >> 
> >> So what does it all mean?  What file was attempted and why is it
> >> that my TLS* directives are seemingly ignored in both places
> >> specified in /etc/ldap.conf and in /etc/openldap/slapd.conf?
> >----
> >I don't know...I'm not one to debug openssl
> >----
> >> 
> >> I even copied my certificate to /etc/pki/tls/slapd.pem
> >> since no slapd.pem existed there, and oddly enough a slapd.pem
> >> did exist in /etc/pki/tls/certs/slapd.pem - supposedly created
> >> when I set up kerberos!
> >> 
> >> Something is royally screwed up somewhere!  Please help!
> >----
> >You might want to contact ldap at umich.edu or ldap-interop list
> >http://lists.fini.net/mailman/listinfo/ldap-interop
> >
> >You also might want to look through Turbo's guide (software projects)
> >
> >http://www.bayour.com/
> >
> >Craig
> >
> >
> 
> Um, I tried your method for creating certs and it does
> not work in FC4 - I think you might be surprised that
> the "old way of doing things" has changed.  This is what
> I was trying to tell you earlier.
----
there never was one...I create it. I didn't give you the entire
script...only the relevant portion but perhaps I did forget to give you
the top part of my script...

#!/bin/sh

cd /usr/share/ssl/certs
mkdir /etc/ssl

I don't think it makes a difference whether you put the certs you
generate in /etc/ssl or /etc/pki/tls or wherever, as long as the
applications know where to find them. Simply cd into whichever directory
openssl.cnf is located to generate the certs and copy them to wherever
you choose. I thought the point was to show you the commands that I used
to create the CA and then the certs themselves and those with / without
keys.
----
> 
> First off, there is no /etc/ssl directory - I think this
> is now /etc/pki
> 
> Second, the openssl is looking for /usr/share/ssl/openssl.cnf
> of which /etc/share/ssl is no longer there.  I think they moved
> things around so that openssl.cnf is now in /etc/pki/tls so
> in order to get openssl to work, you may now need to define
> where the openssl.cnf file is on the command line.
> 
> openssl is probably being moved around.  I have NO CLUE what
> is going on with openssl and FC4 - perhaps it is still a work
> in progress.  dunno.
> 
> Another thing,  when I was doing kerberos and got it running,
> there is a definite bug in /etc/init.d/ldap, line 74 where
> kinit was not found.  The '$' was missing so that it should
> be $kinit and not stand-alone kinit since the script does not
> have the full pathname to kinit.
----
I don't have access to my FC4 machine at the moment - kinit part
of /etc/init.d/ldap ?  Huh?
----
> 
> FC4 has a little ways to go to get things right again... sigh.
> 
> I will play around some more before I give it up altogether.
> 
> Thanks for your help tho!
----
don't give up - try the ldap lists

Craig


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
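An added example, written for this page and not code from the thread or from the OpenLDAP or Fedora projects. The ldapsearch -d -1 output quoted above does name what failed: the dir: part of the "could not load client CA list" message is the literal string `/etc/pki/tls/slapd.pem # /etc/openldap/cacerts`, and the opendir() error right after it is the library trying to open that whole string as a directory. That is what a line of the form `TLS_CACERTDIR /etc/pki/tls/slapd.pem # /etc/openldap/cacerts` in the ldap.conf ldapsearch read would produce, because libldap treats only lines that begin with '#' as comments and takes everything after the keyword as the value (an inference from the output; the thread does not show the config file). The script below does three things in POSIX sh: it generates a private CA and a CA-signed server certificate along the lines of Craig's recipe, but with the CA key generated explicitly, 2048-bit keys, a private openssl.cnf so it does not matter whether the distribution keeps its copy in /usr/share/ssl or /etc/pki/tls, and a subjectAltName for the server name; it verifies the result the way a TLS client would; and it lints the TLS_* lines of a client ldap.conf for inline comments and for paths of the wrong kind. The hostname ldap.example.com, the temporary directories and the sample ldap.conf lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: a private CA and slapd server cert,
# a client-side verification of the result, and a lint for the TLS_* lines of
# an OpenLDAP client ldap.conf. The hostname, paths and sample config lines
# used by the demo are constructed.

# make_ldap_certs OUTDIR HOSTNAME [DAYS]
# Writes ca.key and ca.cert (self-signed CA) plus ldap.key, ldap.csr and
# ldap.cert (CA-signed server cert carrying a subjectAltName) into OUTDIR.
# The body is a subshell, so the caller's working directory is left alone.
make_ldap_certs() (
    dir=$1 host=$2 days=${3:-3650}
    mkdir -p "$dir" && cd "$dir" || exit 1
    # Private openssl.cnf, so the recipe does not depend on where the
    # distribution keeps its own copy (/usr/share/ssl vs /etc/pki/tls).
    cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder-overridden-by-subj
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Server extensions: TLS clients match the name against subjectAltName.
    cat > server.ext <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl genrsa -out ca.key 2048 &&
    openssl req -config openssl.cnf -new -x509 -days "$days" -extensions v3_ca \
        -key ca.key -subj "/CN=$host private CA" -out ca.cert &&
    openssl genrsa -out ldap.key 2048 &&
    openssl req -config openssl.cnf -new -key ldap.key -subj "/CN=$host" \
        -out ldap.csr &&
    openssl x509 -req -in ldap.csr -CA ca.cert -CAkey ca.key -CAcreateserial \
        -days "$days" -extfile server.ext -out ldap.cert &&
    chmod 600 ca.key ldap.key
)

# verify_ldap_cert OUTDIR HOSTNAME
# What a TLS client checks: ldap.cert chains to ca.cert and is issued for
# HOSTNAME. Returns openssl's exit status (0 = OK).
verify_ldap_cert() {
    openssl verify -CAfile "$1/ca.cert" -verify_hostname "$2" "$1/ldap.cert"
}

# lint_ldap_tls_conf FILE
# Checks the TLS_* directives of a client ldap.conf (libldap syntax). Prints
# one line per problem; returns 1 if it found any, 0 if the file is clean.
# libldap treats only lines that BEGIN with '#' as comments: on a directive
# line everything after the keyword, a would-be trailing comment included,
# is the value. That is the string ldapsearch reported in the thread.
lint_ldap_tls_conf() {
    out=$(grep -E '^[[:space:]]*TLS_' "$1" | while read -r key value; do
        case "$key" in
            TLS_CACERT|TLS_CERT|TLS_KEY) want=file ;;
            TLS_CACERTDIR)               want=dir ;;
            *) continue ;;
        esac
        case "$value" in
            *'#'*)
                echo "$key: '$value' contains '#': it will be used verbatim as the path"
                continue ;;
        esac
        if [ "$want" = file ] && [ ! -f "$value" ]; then
            echo "$key: '$value' is not an existing file"
        elif [ "$want" = dir ] && [ ! -d "$value" ]; then
            echo "$key: '$value' is not an existing directory"
        fi
    done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# ldap_tls_demo: recreate the misconfiguration seen in the thread, let the
# lint explain it, then build a certificate set and verify it.
ldap_tls_demo() {
    work=$(mktemp -d) || return 1
    host=ldap.example.com
    # Constructed ldap.conf line reproducing the dir: string from the output.
    printf 'TLS_CACERTDIR /etc/pki/tls/slapd.pem # /etc/openldap/cacerts\n' \
        > "$work/bad.conf"
    echo "== $work/bad.conf"
    lint_ldap_tls_conf "$work/bad.conf"
    make_ldap_certs "$work/pki" "$host" >/dev/null 2>&1 || return 1
    printf 'TLS_CACERT %s/pki/ca.cert\n' "$work" > "$work/good.conf"
    echo "== $work/good.conf"
    lint_ldap_tls_conf "$work/good.conf" && echo "no problems"
    verify_ldap_cert "$work/pki" "$host"
}

if [ "${1:-}" = demo ]; then ldap_tls_demo; fi
```

Run it as `sh ldap_tls.sh demo`; the first lint call prints the complaint about the '#' in the value, the second passes, and openssl verify ends with `ldap.cert: OK`. On the server, slapd.conf points at the files with TLSCACertificateFile (ca.cert), TLSCertificateFile (ldap.cert) and TLSCertificateKeyFile (ldap.key). Clients need only the CA certificate, via TLS_CACERT in /etc/openldap/ldap.conf for the OpenLDAP tools, or tls_cacertfile in the PADL /etc/ldap.conf for nss_ldap. slapd never needs ca.key, so there is no reason to copy it next to the server files as the quoted recipe does; keep the CA key with the CA.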
