[Fedora-directory-users] TLS for dummies
Craig White
craigwhite at azapple.com
Fri Dec 9 19:05:18 UTC 2005
Just basic stuff...I promise I have been through the wiki and the
Administrator's guide (managing SSL and SASL) several times.
Using openssl generated CA certificate and used that to sign CSR's from
console application and loaded them all into console application. Have
restarted FDS and it seems to be happy - but just to confirm...
lifted from /opt/fedora-ds/slapd-srv1/logs/errors
[09/Dec/2005:08:33:47 -0700] - Fedora-Directory/1.0.1 B2005.342.165
starting up
[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher AES in
backend userRoot, attempting to create one...
[09/Dec/2005:08:33:47 -0700] - Key for cipher AES successfully generated
and stored
[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher 3DES in
backend userRoot, attempting to create one...
[09/Dec/2005:08:33:47 -0700] - Key for cipher 3DES successfully
generated and stored
[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher AES in
backend NetscapeRoot, attempting to create one...
[09/Dec/2005:08:33:48 -0700] - Key for cipher AES successfully generated
and stored
[09/Dec/2005:08:33:48 -0700] - No symmetric key found for cipher 3DES in
backend NetscapeRoot, attempting to create one...
[09/Dec/2005:08:33:48 -0700] - Key for cipher 3DES successfully
generated and stored
[09/Dec/2005:08:33:48 -0700] - slapd started. Listening on All
Interfaces port 389 for LDAP requests
[09/Dec/2005:08:33:48 -0700] - Listening on All Interfaces port 636 for
LDAPS requests
MY PROBLEM
# ldapsearch -ZZ '(uid=jim)'
ldap_start_tls: Connect error (-11)
additional info: Start TLS request accepted.Server willing to
negotiate SSL.
# tail -n4 /opt/fedora-ds/slapd-srv1/logs/access
[09/Dec/2005:11:55:26 -0700] conn=83 op=5 fd=68 closed - U1
[09/Dec/2005:12:00:58 -0700] conn=84 fd=68 slot=68 connection from
127.0.0.1 to 127.0.0.1
[09/Dec/2005:12:00:58 -0700] conn=84 op=0 EXT
oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[09/Dec/2005:12:00:58 -0700] conn=84 op=0 RESULT err=0 tag=120
nentries=0 etime=0
[09/Dec/2005:12:00:58 -0700] conn=84 op=-1 fd=68 closed - Encountered
end of file.
# tail -n 7 /etc/openldap/ldap.conf
URI ldap://srv1.clsurvey.com
HOST srv1.clsurvey.com
BASE dc=clsurvey,dc=com
TLS_CACERTDIR /etc/ssl
TLS_CACERT server.crt
pam_password md5
TLS_REQCERT allow
My thinking is that this somehow has something to do with the TLS_CACERT
in /etc/openldap/ldap.conf (the certificate for the client).
Would this be the issue?
Is there a better method for creating the client certificate from either
the CA certificate (generated by openssl) or from the FDS Server
Certificate (also generated by openssl)?
Craig
More information about the Fedora-directory-users
mailing list