Chris Frederick schrieb:
Hi all,
I'm working on migrating a network to allow for more users and easier
scaling. I'm also splitting up the main server into separate tasks. As
long as I'm doing all this I thought it would be prudent to add an LDAP
server for authentication/email/etc... I'm running gentoo-hardened on
the ldap server and I have been following the gentoo ldap guides here:
http://www.gentoo.org/doc/en/ldap-howto.xml
http://gentoo-wiki.com/HOWTO_LDAPv3
This got me a decent setup, and everything works good, but now I'm
trying to secure it using TLS and I can't seem to get it working. I've
followed both guides, searched google, and still come up with nothing.
I've verified the CN is correct, I've copied the cert from the server to
the test client, and I've verified that the certs are ok using openssl.
running 'ldapsearch -H ldap://valid-cn -D "cn=Manager,dc=secret,dc=com"
-W' lists everything that I've imported, but adding the -Z to the
command exits with this:
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Turn up debugging, there should be a more specific error somewhere like
"unknown CA" or "self signed cert" (slapd doesn't like self signed certs").
I'm using the same common name for the ldap:// protocol as was entered
in the cert. Here's the relevant config sections:
/etc/openldap/slapd.conf (server only)
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ldap-key.pem
TLS_REQCERT allow
I don't see TLSCACertificateFile pointing to your CA.
Also, I've been looking for a decent guide to help with installation and
maintenance for LDAP and I'm coming up dead. I've even checked the
libraries and bookstores, and apart from a 2-8 page reference in a few
general administrative books, I've found nothing. Can anyone recommend
a good book/site on how to maintain/administer/install LDAP?
Not really. Remember, LDAP is just a protocol and management of
implementations differ. Personally I haven't found much 10.000 feet kind
of docs which makes thinks hard as you'll see the big picture way too
late (after lots of painful errors due to misconceptions). Once you know
Ldap+Sasl+ssl+kerberos and how all this might (not) work together it's
just reading Changelogs and manpages to keep you up to date with your
implementation.
I've spent
over a week on this and it's still not operational and I'm starting to
pull my hair out.
You're welcome ;)
cheers
Paul
--
[email protected] mailing list
