Le 12/12/2011 21:07, Howard Chu a écrit :
rey sebastien wrote:
Le 12/12/2011 19:24, Howard Chu a écrit :
reyman wrote:
You have a self signed certificate,
Correct.
so you don't need to verify your certificate.
When you activate the tls on ldap, you only need this two lines,
and you don't
need the line with certificate verification*olcTLSCACertificateFile
: *
Wrong.
It true and false, with debian and openLdap compiled with GnuTLS (my
case), i
read this documentation :
http://wiki.debian.org/LDAP/OpenLDAPSetup and they said :
Pure garbage.
Procedure:
You're going to need the gnutls certificate generator: certtool
<http://www.gnu.org/software/gnutls/manual/html_node/Invoking-certtool.html>.
Run these two commands to generate a new self-signed key (into the
current
working directory):
certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --outfile
ca-cert.pem
Then, update your certificate locations in /etc/ldap/slapd.conf
(TLSCertificateFile points to ca-cert.pem and TLSCertificateKeyFile
points to
ca-key.pem), *comment out TLSCACertificateFile*, and change
*TLSVerifyClient
to never.*
In /etc/ldap/ldap.conf, comment out TLS_CACERT and change TLS_REQCERT
to never.
This is utterly bogus. Turning off these checks disables any spoofing
detection; you might as well run without TLS at all.
IMHO i know this problem but i think this is better than nothing, and
actually i have nothing. I wait for valid certificate...
And sorry but your RTFM answer doesn't help me to resolve this problem
with gnutls and debian, i take many hours to find a valid solution in my
use case, and the manual doesn't help me particulary on this point.
OpenLdap is a great software, but documentation it's a little "cryptic"
for beginner like me, so i think it's easy to be rude with beginner on
many points.
Best regards,
SR.
Since the certificate is self-signed, we can't have gnutls trying to
verify it
(hence the never), otherwise it will never run.
And RTFM is a little violent, i try to help with my little
experience, i'm not
an expert for sure.
RTFM is exactly the correct response.
Best regards,
SR.
RTFM.
http://www.openldap.org/doc/admin24/tls.html
On Mon, Dec 12, 2011 at 12:31 PM, Jayavant Patil
<[email protected]
<mailto:[email protected]>> wrote:
Hi,
>On Mon, Dec 12, 2011 at 4:19 PM, reyman <[email protected]
<mailto:[email protected]>> wrote:
>With the option -ZZ i think, try this
|>ldapsearch -x -LLL -ZZ -d 150|
Yeah, It shows output containing ber_dump, ldap_write,ldap_read,
tls_write, tls_read etc. But at the end is shows the following:
TLS certificate verification: Error, self signed certificate
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_
CERTIFICATE:certificate verify failed (self signed certificate).
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self
signed certificate)
Why it shows an error ? and how to resolve this?
and when I do ldapsearch with -ZZ option it gives error
$ldapsearch -x -v -D "cn=root,dc=abc,dc=com" -w cluster -b
"ou=People,dc=abc,dc=com" "uid=ldap_6" -h n0 -ZZ
ldap_initialize( ldap://n0 )
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>On Mon, Dec 12, 2011 at 11:21 AM, Jayavant Patil
<[email protected] <mailto:[email protected]>>
wrote:
>>Hi,
>> I am using openldap-2.4.19-4.x86_64 on fedora 12 machine. I
have enabled openldap SSL/TLS. How do I know >>(test) that I am
using SSL/TLS connections instead of normal ldap:///?
