[Fedora-directory-users] TLS for dummies

Richard Megginson rmeggins at redhat.com
Fri Dec 9 19:31:15 UTC 2005


Craig White wrote:

>Just basic stuff...I promise I have been through the wiki and the
>Administrator's guide (managing SSL and SASL) several times.
>
>Using openssl generated CA certificate and used that to sign CSR's from
>console application and loaded them all into console application. Have
>restarted FDS and it seems to be happy - but just to confirm...
>
>lifted from /opt/fedora-ds/slapd-srv1/logs/errors
>[09/Dec/2005:08:33:47 -0700] - Fedora-Directory/1.0.1 B2005.342.165 starting up
>[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
>[09/Dec/2005:08:33:47 -0700] - Key for cipher AES successfully generated and stored
>[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
>[09/Dec/2005:08:33:47 -0700] - Key for cipher 3DES successfully generated and stored
>[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
>[09/Dec/2005:08:33:48 -0700] - Key for cipher AES successfully generated and stored
>[09/Dec/2005:08:33:48 -0700] - No symmetric key found for cipher 3DES in backend NetscapeRoot, attempting to create one...
>[09/Dec/2005:08:33:48 -0700] - Key for cipher 3DES successfully generated and stored
>[09/Dec/2005:08:33:48 -0700] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
>[09/Dec/2005:08:33:48 -0700] - Listening on All Interfaces port 636 for LDAPS requests
>
>MY PROBLEM
># ldapsearch -ZZ '(uid=jim)'
>ldap_start_tls: Connect error (-11)
>        additional info: Start TLS request accepted.Server willing to
>negotiate SSL.
>  
>
Looks like openldap and FDS are not responding to the startTLS operation
the same way. Try
ldapsearch -v ...
or
ldapsearch -d 1 ...

># tail -n4 /opt/fedora-ds/slapd-srv1/logs/access
>[09/Dec/2005:11:55:26 -0700] conn=83 op=5 fd=68 closed - U1
>[09/Dec/2005:12:00:58 -0700] conn=84 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
>[09/Dec/2005:12:00:58 -0700] conn=84 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>[09/Dec/2005:12:00:58 -0700] conn=84 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>[09/Dec/2005:12:00:58 -0700] conn=84 op=-1 fd=68 closed - Encountered end of file.
>
># tail -n 7 /etc/openldap/ldap.conf
>URI     ldap://srv1.clsurvey.com
>HOST    srv1.clsurvey.com
>BASE dc=clsurvey,dc=com
>TLS_CACERTDIR /etc/ssl
>TLS_CACERT server.crt
>pam_password md5
>TLS_REQCERT allow
>
>My thinking is that this somehow has something to do with the TLS_CACERT
>in /etc/openldap/ldap.conf (the certificate for the client).
>
>Would this be the issue?
>
>Is there a better method for creating the client certificate from either
>the CA certificate (generated by openssl) or from the FDS Server
>Certificate (also generated by openssl)?
>
>Craig
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>  
>
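The thread points at the TLS_CACERT line in /etc/openldap/ldap.conf as the likely culprit. As an added example (not part of the original post or of either project's own code), the script below audits an OpenLDAP client ldap.conf for the settings that break or silently weaken "ldapsearch -ZZ": a relative TLS_CACERT, a TLS_CACERT that is missing or not a PEM file, and TLS_REQCERT set to allow/never. It assumes libldap built against OpenSSL, where TLS_CACERT is opened as a PEM file at the path given (relative to the client's working directory, not looked up under TLS_CACERTDIR) and TLS_REQCERT defaults to demand. The two configurations it runs against are constructed inline: a copy of the weak one posted above, and a fixed variant pointing at a placeholder PEM file that stands in for the openssl-generated CA certificate (the FDS server's own cert lives in its NSS database; the OpenLDAP client needs the CA in PEM form).

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenLDAP client ldap.conf for
# TLS settings that break "ldapsearch -ZZ" or silently weaken it.
# Assumes libldap built against OpenSSL: TLS_CACERT is opened as a PEM file by
# the path given (relative to the client's working directory, NOT joined to
# TLS_CACERTDIR), and TLS_REQCERT defaults to "demand".

# get_directive FILE NAME -> value of the last matching directive, or empty
get_directive() {
    awk -v key="$2" 'toupper($1) == key { v = $2 } END { print v }' "$1"
}

# audit_ldap_conf FILE
# Prints one line per finding; the return value is the number of findings.
audit_ldap_conf() {
    conf=$1
    n=0
    cacert=$(get_directive "$conf" TLS_CACERT)
    cacertdir=$(get_directive "$conf" TLS_CACERTDIR)
    reqcert=$(get_directive "$conf" TLS_REQCERT | tr 'A-Z' 'a-z')

    if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "FAIL: neither TLS_CACERT nor TLS_CACERTDIR is set; the server certificate cannot be verified"
        n=$((n + 1))
    fi

    case $cacert in
        "") ;;
        /*)
            if [ ! -r "$cacert" ]; then
                echo "FAIL: TLS_CACERT $cacert does not exist or is unreadable"
                n=$((n + 1))
            elif ! grep -q 'BEGIN CERTIFICATE' "$cacert"; then
                echo "FAIL: TLS_CACERT $cacert is not a PEM certificate (an NSS cert8.db or a DER file will not work here)"
                n=$((n + 1))
            fi
            ;;
        *)
            echo "FAIL: TLS_CACERT '$cacert' is a relative path; it is not looked up under TLS_CACERTDIR, use the absolute path of the CA's PEM file"
            n=$((n + 1))
            ;;
    esac

    case $reqcert in
        ""|demand|hard) ;;   # the server certificate must verify (the default)
        try)
            echo "WARN: TLS_REQCERT try accepts a server that presents no certificate at all"
            n=$((n + 1))
            ;;
        allow|never)
            echo "FAIL: TLS_REQCERT $reqcert: a bad or missing server certificate is accepted, so StartTLS gives no protection against an impostor server"
            n=$((n + 1))
            ;;
        *)
            echo "FAIL: TLS_REQCERT '$reqcert' is not a valid value"
            n=$((n + 1))
            ;;
    esac
    return $n
}

# --- constructed demo input (not real certificates or live hosts) -----------
demo_dir=$(mktemp -d)

# The client configuration as posted in the thread (relative TLS_CACERT, TLS_REQCERT allow).
cat > "$demo_dir/weak.conf" <<'EOF'
URI     ldap://srv1.clsurvey.com
HOST    srv1.clsurvey.com
BASE dc=clsurvey,dc=com
TLS_CACERTDIR /etc/ssl
TLS_CACERT server.crt
pam_password md5
TLS_REQCERT allow
EOF

# Placeholder PEM file standing in for the openssl-generated CA certificate
# (not a real certificate; only the PEM markers matter to this audit).
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder...' '-----END CERTIFICATE-----' > "$demo_dir/cacert.pem"

# Fixed configuration: absolute path to the CA's PEM file, verification enforced.
cat > "$demo_dir/fixed.conf" <<EOF
URI     ldap://srv1.clsurvey.com
BASE dc=clsurvey,dc=com
TLS_CACERT $demo_dir/cacert.pem
TLS_REQCERT demand
EOF

for f in weak fixed; do
    echo "== $f.conf"
    rc=0
    audit_ldap_conf "$demo_dir/$f.conf" || rc=$?
    echo "findings: $rc"
done
```

Run it as-is to see the two findings against the posted configuration and none against the fixed one; point audit_ldap_conf at a real /etc/openldap/ldap.conf to check a host. Note that with TLS_REQCERT allow, "ldapsearch -ZZ" can succeed against a server presenting any certificate, so a passing search with that setting says nothing about whether the CA is trusted.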