[ldap] Re: ldapsearch with TLS - client failing to verify server
> Re-read the ldap.conf(5) manpage or the OpenLDAP Admin Guide. Your cacerts
> directory is not configured correctly for use with the TLS_CACERTDIR directive.

Thanks Howard, I will do so today. Do you have any specific recommendations? I'm using a stock Fedora Core 4 box, so they're the ones that set up the /etc/openldap/cacerts directory. When you enable LDAP authentication with TLS within Fedora, they simply say remember to copy the cacert.pem file which signed your server cert to this client's /etc/openldap/cacerts directory.

-- 
Fran Fabrizio
Senior Systems Analyst
Department of Computer and Information Sciences
University of Alabama at Birmingham
http://www.cis.uab.edu/
205.934.0653

---
You are currently subscribed to ldap@umich.edu as: [EMAIL PROTECTED]
To unsubscribe send email to [EMAIL PROTECTED] with the word UNSUBSCRIBE as the SUBJECT of the message.
[ldap] Re: ldapsearch with TLS - client failing to verify server
On 9/1/06 10:44 AM, Fran Fabrizio wrote:
> Unfortunately, I had been using the ldap.conf man page instead, which
> conveniently completely omits the part about the directory needing to be
> managed by c_rehash. :-/

You can simulate the c_rehash function with the following set of commands (I put these in a Makefile on my RHEL3 systems):

    # Makefile kept in the cacerts directory. The "rehash" target name is
    # assumed; the post showed only the recipe lines. openssl x509 reads the
    # certificate via -in (a bare filename is rejected as an unknown option).
    rehash:
    	find . -type l | xargs rm
    	for i in `find . -type f | grep -v Makefile`; do \
    		j=`basename $$i`; \
    		ln -s $$j `openssl x509 -hash -noout -in $$j`.0 ; \
    	done

-- 
Frank Swasey                 | http://www.uvm.edu/~fcs
Sr Systems Administrator     | Always remember: You are UNIQUE,
University of Vermont        |    just like everyone else.
I am not young enough to know everything. - Oscar Wilde (1854-1900)
[ldap] Re: ldapsearch with TLS - client failing to verify server
Fran Fabrizio wrote:
>> Re-read the ldap.conf(5) manpage or the OpenLDAP Admin Guide. Your cacerts
>> directory is not configured correctly for use with the TLS_CACERTDIR directive.
>
> Thanks Howard, I will do so today. Do you have any specific recommendations?
> I'm using a stock Fedora Core 4 box, so they're the ones that set up the
> /etc/openldap/cacerts directory. When you enable LDAP authentication with TLS
> within Fedora, they simply say remember to copy the cacert.pem file which
> signed your server cert to this client's /etc/openldap/cacerts directory.

There are a tiny few good 3rd party documents on using OpenLDAP, but in general, you're better off going to official documentation from the OpenLDAP Project (e.g. the Admin Guide) first. The majority of people out there writing their HOWTOs and relating how they set things up have no idea what they're talking about. The abysmal state of OpenLDAP on Red Hat/Fedora releases tells me that they're by no means paragons of OpenLDAP expertise.

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
[ldap] Re: ldapsearch with TLS - client failing to verify server
Howard Chu wrote:
> Fran Fabrizio wrote:
>>> Re-read the ldap.conf(5) manpage or the OpenLDAP Admin Guide. Your cacerts
>>> directory is not configured correctly for use with the TLS_CACERTDIR directive.
>>
>> Thanks Howard, I will do so today. Do you have any specific recommendations?
>> I'm using a stock Fedora Core 4 box, so they're the ones that set up the
>> /etc/openldap/cacerts directory. When you enable LDAP authentication with TLS
>> within Fedora, they simply say remember to copy the cacert.pem file which
>> signed your server cert to this client's /etc/openldap/cacerts directory.

PS: Anybody who actually tried to use things the way Fedora says would have run into the same problem you did. It's a well documented feature of the OpenSSL library, going back to the original release. To an innocent observer it would appear that they're just making stuff up and tossing it out there without actually testing it.

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
[ldap] Re: ldapsearch with TLS - client failing to verify server
> From: Fran Fabrizio [EMAIL PROTECTED]
> Date: Thu, 31 Aug 2006 15:03:28 -0500
> X-Message-Number: 2
>
> I'm trying to configure TLS to verify the server cert. It's failing with this:
>
> ]# ldapsearch -Z -h throne.cis.uab.edu -x
> ldap_start_tls: Connect error (91)
>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> ldap_bind: Can't contact LDAP server (81)
>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> [EMAIL PROTECTED] openldap]#
>
> The cacert.pem on the client looks like this:
>
> # pwd
> /etc/openldap/cacerts
> # ls -l
> total 4
> -rw-r--r--  1 root root 1350 Aug 31 14:40 cacert.pem
> # openssl x509 -in cacert.pem -text
>
> The client has in /etc/openldap/ldap.conf:
>
> tls_reqcert try
> TLS_CACERTDIR /etc/openldap/cacerts
>
> It looks like everything is in order.

Re-read the ldap.conf(5) manpage or the OpenLDAP Admin Guide. Your cacerts directory is not configured correctly for use with the TLS_CACERTDIR directive.

> -- 
> Fran Fabrizio
> Senior Systems Analyst
> Department of Computer and Information Sciences
> University of Alabama at Birmingham
> http://www.cis.uab.edu/
> 205.934.0653

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
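Added example, not code from anyone in the thread: a shell version of what c_rehash(1) and Frank Swasey's Makefile recipe do to a TLS_CACERTDIR directory, extended to handle subject-hash collisions, plus a check that performs the same issuer lookup libldap and OpenSSL perform, so the "certificate verify failed" from the original ldapsearch -Z run can be reproduced and cleared without touching the LDAP server. It assumes the certificates are PEM files named *.pem or *.crt and that the openssl binary links the same OpenSSL major version as libldap (the subject-hash algorithm changed in OpenSSL 1.0.0, so links made by one do not match the other). The function names rehash_cadir and verify_against_cadir are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild a CApath directory the way
# c_rehash does, and verify a certificate against it the way libldap does.
# Assumptions: PEM certs named *.pem or *.crt; openssl built on the same
# OpenSSL major version as libldap (hash scheme changed in 1.0.0).

# rehash_cadir DIR
# OpenSSL locates an issuer in a CApath by opening <subject_hash>.<n> for
# n = 0, 1, 2, ... until a file is missing.  Certificates whose subjects hash
# to the same value therefore need distinct suffixes; a recipe that always
# writes ".0" silently drops all but one of them.
rehash_cadir() {
    dir=$1
    # Remove stale links first so a replaced certificate cannot keep an old
    # hash link pointing at it.
    for f in "$dir"/*; do
        if [ -L "$f" ]; then rm -f "$f"; fi
    done
    for pem in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$pem" ] || continue                # unmatched glob
        base=$(basename "$pem")
        hash=$(openssl x509 -noout -subject_hash -in "$pem") || return 1
        n=0
        while [ -e "$dir/$hash.$n" ]; do         # next free suffix
            n=$((n + 1))
        done
        ln -s "$base" "$dir/$hash.$n"            # relative link: dir stays movable
    done
}

# verify_against_cadir DIR CERT
# Succeeds only if CERT chains to a certificate reachable through the hash
# links in DIR.  A directory holding a bare cacert.pem with no links fails
# here exactly as ldapsearch -Z did: "certificate verify failed".
verify_against_cadir() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Usage (script name is hypothetical):
#   sh rehash_cadir.sh /etc/openldap/cacerts [server-cert.pem]
if [ $# -ge 1 ]; then
    rehash_cadir "$1"
    if [ $# -ge 2 ]; then
        if verify_against_cadir "$1" "$2"; then
            echo "$2: OK"
        else
            echo "$2: verify failed"
        fi
    fi
fi
```

Once the directory is hashed, re-run the client with `ldapsearch -ZZ` rather than `-Z`: `-ZZ` makes the operation fail if StartTLS cannot be established instead of continuing in the clear. Keep `TLS_REQCERT` at `demand` (the default; the `try` in the original config still verifies a certificate the server sends). Changing it to `allow` or `never` would make the error disappear, but only because the client would stop authenticating the server at all.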