Dieter Kluenter wrote:
> Karsten Römke <[EMAIL PROTECTED]> writes:
>
>> Dieter Kluenter wrote:
>>> Quanah Gibson-Mount <[EMAIL PROTECTED]> writes:
>>>
>>>> --On Wednesday, August 23, 2006 8:18 PM +0200 Karsten Römke
>>>> <[EMAIL PROTECTED]> wrote:
> [...]
>>>> These do not look like valid parameters to ldap.conf(5) for OpenLDAP.
>>>> I'm guessing these are the parameters for PAM's ldap.conf. You need
>>>> to properly configure the appropriate ldap.conf for openldap and PAM
>>>> separately. I'm guessing you currently have PAM configuration lines
>>>> in the ldap.conf that would be used by ldapsearch, and nothing in the
>>>> ldap.conf that would be used by PAM. But maybe not, you don't note
>>>> the location of your ldap.conf file.
>>> In addition to Quanah's comments I would like to see a condensed
>>> output of 'openssl x509 -in servercert.pem -text'.
>>> The data of modules, signature algorithm and certificate are not
>>> required.
>>>
>>> -Dieter
>> Hello,
>> at the moment I do not really know what to do :-)
>> I appended the output from openssl ...
>> Should I start with a nearly empty ldap.conf on the client side?
>> I use the one which is generated by yast, the SUSE
>> administration tool, and without encryption this
>> file works.
>
> Please note that there are 2 ldap.conf files, as Quanah pointed out. The
> file /etc/openldap/ldap.conf is read by any client compiled with
> libldap and might be read by other clients.
> The file /etc/ldap.conf contains the configuration for pam_ldap.
> To configure /etc/openldap/ldap.conf properly, read man ldap.conf(5).
>
>> oracle:/etc/openldap # openssl x509 -in servercrt.pem -text
>> Certificate:
>>     Data:
>>         Version: 3 (0x2)
>>         Serial Number: 2 (0x2)
>>         Signature Algorithm: md5WithRSAEncryption
>>         Issuer: C=DE, ST=NRW, L=Bonn, O=hhb, OU=it,
>>                 CN=oracle.hhb.bonn.de/[EMAIL PROTECTED]
>>         Validity
>>             Not Before: Aug 23 14:38:15 2006 GMT
>>             Not After : Aug 18 14:38:15 2026 GMT
>>         Subject: C=DE, ST=NRW, L=bonn, O=hhb, OU=it,
>>                  CN=oracle.hhb.bonn.de/[EMAIL PROTECTED]
>>         Subject Public Key Info:
> [...]
>>             X509v3 Subject Key Identifier:
>>                 1C:78:8F:7C:76:75:2A:8E:EE:DD:8A:C0:AA:A7:AE:96:D8:38:79:84
>>             X509v3 Authority Key Identifier:
>>                 keyid:90:4F:E9:05:AA:38:FC:D9:21:45:B0:BD:A5:2E:B3:5B:E9:59:38:AF
>>                 DirName:/C=DE/ST=NRW/L=Bonn/O=hhb/OU=it/CN=oracle.hhb.bonn.de/[EMAIL PROTECTED]
>
> The common name of your host is 'oracle.hhb.bonn.de'. This address is
> checked and validated by clients, that is, 'localhost' or any other
> alias address is not a valid address anymore, unless you have declared a
> subject alternate name for this cn.
> Please check the keyid of X509v3 Authority Key Identifier with your
> cacert.pem
>
> -Dieter

Hi Dieter,
I haven't time today to look for the problem.
What do you mean with the sentence

> Please check the keyid of X509v3 Authority Key Identifier with your
> cacert.pem

sorry, if the question is stupid, but I never looked in the details of
openssl - and up to now it wasn't necessary :-)
I've read that I have to set the common name to my fqdn (of the server),
but I don't understand the reason. What means: checked and validated by
the clients? - must the name resolve to an ip, or what means validated?

Karsten
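As an added example (not part of the thread), the following script automates the two checks Dieter describes, working directly on the `openssl x509 -text` output format quoted above: it compares the server certificate's Authority Key Identifier keyid with the CA certificate's Subject Key Identifier, and it matches a hostname against the DNS SANs (if present) or otherwise the subject CN, which is what "validated by clients" means. The server sample is built from the fields quoted in the thread; the CA certificate text, its subject and the assumption that its SKI equals the server's AKI keyid are constructed.

```python
import re

# Constructed sample: the fields of the server certificate quoted in the
# thread, in 'openssl x509 -text' layout (other sections omitted).
SERVER_TEXT = """\
        Subject: C=DE, ST=NRW, L=bonn, O=hhb, OU=it, CN=oracle.hhb.bonn.de/[EMAIL PROTECTED]
            X509v3 Subject Key Identifier:
                1C:78:8F:7C:76:75:2A:8E:EE:DD:8A:C0:AA:A7:AE:96:D8:38:79:84
            X509v3 Authority Key Identifier:
                keyid:90:4F:E9:05:AA:38:FC:D9:21:45:B0:BD:A5:2E:B3:5B:E9:59:38:AF
"""
# Constructed CA certificate (assumption): its SKI equals the server's AKI keyid.
CA_TEXT = """\
        Subject: C=DE, ST=NRW, L=Bonn, O=hhb, OU=it, CN=hhb CA (constructed)
            X509v3 Subject Key Identifier:
                90:4F:E9:05:AA:38:FC:D9:21:45:B0:BD:A5:2E:B3:5B:E9:59:38:AF
"""

def _next_value(lines, i):
    """First non-empty line after index i (extension values sit on the next line)."""
    return next((l.strip() for l in lines[i + 1:] if l.strip()), "")

def parse_x509_text(text):
    """Extract subject CN, DNS SANs, SKI and AKI keyid from openssl's text dump."""
    info = {"cn": None, "dns_sans": [], "ski": None, "aki": None}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("Subject:"):
            m = re.search(r"CN=([^,/]+)", s)
            info["cn"] = m.group(1).strip() if m else None
        elif s == "X509v3 Subject Alternative Name:":
            info["dns_sans"] = re.findall(r"DNS:([^,\s]+)", _next_value(lines, i))
        elif s == "X509v3 Subject Key Identifier:":
            info["ski"] = _next_value(lines, i).upper()
        elif s == "X509v3 Authority Key Identifier:":
            m = re.search(r"keyid:([0-9A-Fa-f:]+)", _next_value(lines, i))
            info["aki"] = m.group(1).upper() if m else None
    return info

def _name_matches(pattern, host):
    """Case-insensitive DNS name match; a leading '*.' covers exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def hostname_matches(info, host):
    """The name the client connected to must match a DNS SAN if any exist, else the CN."""
    names = info["dns_sans"] or ([info["cn"]] if info["cn"] else [])
    return any(_name_matches(n, host) for n in names)

def issued_by(server, ca):
    """Dieter's check: the server cert's AKI keyid must equal the CA cert's SKI."""
    return server["aki"] is not None and server["aki"] == ca["ski"]
```

With real files, feed it the output of `openssl x509 -in servercrt.pem -text` and `openssl x509 -in cacert.pem -text`; a mismatch in `issued_by` means the server certificate was not signed by the CA in cacert.pem, and `hostname_matches` shows why connecting to 'localhost' fails while 'oracle.hhb.bonn.de' succeeds.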
