No need to specify the CSR file (olcTLSCertificateFile: /etc/openldap/cacerts/wildcard.securesites.com.csr). A CSR is just used to get a certificate; specify your certificate for the attribute olcTLSCertificateFile.

Thanks
Vishesh Kumar
http://www.linuxmantra.com/

On Sat, Jun 15, 2013 at 6:52 PM, Jason Brandt <[email protected]> wrote:

> You would only specify the CA file if your wildcard file contains the root
> CA chain. Otherwise it is also advisable to download your root CA chain
> file, and specify it with the olcTLSCACertificateFile directive. To
> clarify for you, your certificate file is NOT a CA file. The CA files are
> root files you get from your issuing Certificate Authority.
>
> On Fri, Jun 14, 2013 at 3:44 PM, Dan White <[email protected]> wrote:
>
>> On 06/14/13 16:28 -0400, Rodney Simioni wrote:
>>
>>> So you are saying remove those TLS lines from /etc/openldap/ldap.conf
>>> and put them in the ldif file as:
>>>
>>> olcTLSCACertificateFile: /etc/openldap/cacerts/wildcard.securesites.com.cert
>>> olcTLSCertificateFile: /etc/openldap/cacerts/wildcard.securesites.com.csr
>>> olcTLSCertificateKeyFile: /etc/openldap/cacerts/wildcard.securesites.com.key
>>> ?
>>
>> Please consult the documentation, and a primer on TLS. Your
>> olcTLSCACertificateFile line probably shouldn't be there. The other two
>> look reasonable.
>>
>>> -----Original Message-----
>>> From: Dan White [mailto:[email protected]]
>>> Sent: Friday, June 14, 2013 4:05 PM
>>> To: Rodney Simioni
>>> Cc: openldap-technical@openldap.org
>>> Subject: Re: LDAP and TLS
>>>
>>> On 06/14/13 15:56 -0400, Rodney Simioni wrote:
>>>
>>>> I did a 'openssl x509 -in wildcard.securesites.com.cert -text -noout'
>>>>
>>>> I got 'CN=*.securesites.com'
>>>>
>>>> My /etc/openldap/cacerts looks like:
>>>>
>>>> TLS_CACERTDIR /etc/openldap/cacerts
>>>> TLS_CACERT /etc/openldap/cacerts/wildcard.securesites.com.cert
>>>> URI ldap://fl1-lsh99apa007.securesites.com/
>>>> BASE dc=wh,dc=local
>>>
>>> That looks like an ldap.conf file. Your certificate should be configured
>>> within your slapd config and not your client config, unless it is a self
>>> signed certificate.
>>>
>>> See the manpage for slapd.conf or slapd-config, and the Admin Guide for
>>> the appropriate TLS config.
>>>
>>>> But when I do a 'ldapsearch -d -1 -x -LLL -ZZ', I get:
>>>>
>>>> ldap_create
>>>> ldap_extended_operation_s
>>>> ldap_extended_operation
>>>> ldap_send_initial_request
>>>> ldap_new_connection 1 1 0
>>>> ldap_int_open_connection
>>>> ldap_connect_to_host: TCP fl1-lsh99apa007.securesites.com:389
>>>> ldap_new_socket: 3
>>>> ldap_prepare_socket: 3
>>>> ldap_connect_to_host: Trying 10.227.2.90:389
>>>> ldap_pvt_connect: fd: 3 tm: -1 async: 0
>>>> ldap_close_socket: 3
>>>> ldap_err2string
>>>> ldap_start_tls: Can't contact LDAP server (-1)
>>>>
>>>> -----Original Message-----
>>>> From: Dan White [mailto:[email protected]]
>>>> Sent: Friday, June 14, 2013 3:45 PM
>>>> To: Rodney Simioni
>>>> Cc: openldap-technical@openldap.org
>>>> Subject: Re: LDAP and TLS
>>>>
>>>> On 06/14/13 14:42 -0400, Rodney Simioni wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> In order for LDAP to work with TLS, do the certificate names need
>>>>> to match the server name?
>>>>>
>>>>> My admin gave me a certificate but it's called wildcard.com.cert, the
>>>>> name of my server is not 'wildcard'.
>>>>
>>>> Analyze the contents of the cert and verify the CN is really
>>>> '*.example.com':
>>>>
>>>> openssl x509 -in wildcard.com.cert -text -noout
>>>>
>>>> If so, then your LDAP clients probably will accept it as a valid
>>>> certificate (this typically works for web browsers), but your mileage
>>>> may vary.
>>>>
>>>> We have worked with a wild card certificate provider before. In
>>>> addition to offering a *.example.com cert, they may also offer a
>>>> certain number of tertiary certificates (e.g. ldap.example.com) priced
>>>> in with the wild card cert.
>>>
>>> --
>>> Dan White
>>
>> --
>> Dan White
>> BTC Broadband
>> Network Admin Lead
>> Ph 918.366.0248 (direct) main: (918)366-8000
>> Fax 918.366.6610 email: [email protected]
>> http://www.btcbroadband.com
>
> --
> Jason K. Brandt
> Systems Administrator
> Bradley University
> (309) 677-2958

--
http://linuxmantra.com
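The question that opened the thread, whether a certificate with CN=*.securesites.com is accepted for a server reached as ldap://fl1-lsh99apa007.securesites.com/, comes down to how the client's TLS library matches the host name from the URI against the names in the certificate. The Python below is an added example, not code from the thread and not OpenLDAP's own; it implements the common rule (RFC 6125 as applied by OpenSSL's X509_check_host and similar libraries): a '*' must be a whole left-most label and stands for exactly one label, '*.tld' is refused, dNSName SANs take precedence over the CN when present, and an IP literal in the URI is matched only against iPAddress SANs. The function names dns_name_matches and cert_matches_host, the ldap.example.com SAN used in the usage note, and the assumption that the client library behaves this way are mine; the host name, CN and IP address are the thread's. Whether a given OpenLDAP build matches exactly like this depends on the TLS library it is linked against, which is Dan's "your mileage may vary".

```python
"""Hostname matching as a TLS client applies it to an LDAP server certificate.

Added example for the openldap-technical thread above; it is not OpenLDAP
code. Rule implemented (the common one, e.g. OpenSSL's X509_check_host):
a '*' must be the entire left-most label, it matches exactly one label,
and at least two labels must follow it, so '*.com' is refused. If the
certificate carries dNSName SANs the CN is ignored; an IP literal is
matched only against iPAddress SANs.
"""
import ipaddress
from typing import Iterable, Optional


def _as_ip(host: str):
    """Return the parsed address if host is an IPv4/IPv6 literal, else None."""
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName (or CN) pattern against the host from the LDAP URI."""
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if not pattern or not hostname or _as_ip(hostname) is not None:
        return False  # an IP literal never matches a DNS name, wildcard or not
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only a whole left-most label may be the wildcard, and '*.tld' is rejected
    # (at least two labels must follow the '*').
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    # The wildcard stands for exactly one label, so label counts must agree:
    # '*.securesites.com' matches 'ldap.securesites.com' but neither
    # 'securesites.com' nor 'a.b.securesites.com'.
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def cert_matches_host(cn: Optional[str], dns_sans: Iterable[str],
                      ip_sans: Iterable[str], hostname: str) -> bool:
    """Decide whether a certificate's names cover the host the client dialed."""
    dns_sans = list(dns_sans)
    ip_sans = list(ip_sans)
    ip = _as_ip(hostname)
    if ip is not None:
        # Connecting by IP (ldap://10.227.2.90/) needs an iPAddress SAN;
        # a wildcard CN is useless for that.
        return any(_as_ip(s) == ip for s in ip_sans)
    if dns_sans:
        # With dNSName SANs present the CN is not consulted at all.
        return any(dns_name_matches(s, hostname) for s in dns_sans)
    return cn is not None and dns_name_matches(cn, hostname)


if __name__ == "__main__":
    # Constructed from the thread: CN=*.securesites.com, no SANs, URI host below.
    cn = "*.securesites.com"
    for host in ("fl1-lsh99apa007.securesites.com", "securesites.com",
                 "a.b.securesites.com", "10.227.2.90"):
        print(f"{host:35} -> {cert_matches_host(cn, [], [], host)}")
```

The name that is matched is the one in the URI (or -H) the client actually used, so the wildcard covers fl1-lsh99apa007.securesites.com but not the 10.227.2.90 the debug trace shows it resolving to, nor a bare securesites.com. Matching only happens when the client verifies the server certificate at all, which is the default (TLS_REQCERT demand in ldap.conf); with a CA that also issues a plain ldap.example.com certificate as a dNSName SAN, that SAN is what gets matched and the wildcard CN no longer counts.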
