[389-users] OS to authenticate to DS using TLS

Doug Coats dcoatshca at gmail.com
Wed Jun 17 14:12:20 UTC 2009


Thanks Dave - that worked.

I am still having some problems with the certificates though.

If I try this in the directory where the certificates are:

openssl s_client -connect localhost:636 -CAfile filename

I get a listing of the certificates without errors.

If I try:

ldapsearch -H ldaps://localhost:636

ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

If I start the console using:

centos-idm-console -a https://127.0.0.1:9830

I have to "Accept" the certificate each time.

It looks like there may be some problem with the certificate or some setting
in DS that still needs to be switched on.

What do you think?

Thanks again for all of your help!

On Wed, Jun 17, 2009 at 7:58 AM, David (Dave) Donnan <david.donnan at thalesgroup.com> wrote:

> Hello. I think I understand the problem.
>
> I copied the CA cert locally to /tmp/CAcert.txt
>
> I then ran 'system-config-authentication'  and used a URL like the
> following (where it says 'Download CA Certificate'):
>
> file:///tmp/CAcert.txt
>
> It's a lazy man's approach but it worked.
>
> Cdlt, Dave
> --------
>
>
> And John A. Sullivan III wrote:
>
> On Tue, 2009-06-16 at 19:25 -0500, Doug Coats wrote:
>
>
> So for my next hurdle I am tackling SSL certificates.  I produced
> self-signed certificates and have installed them through the
> Management Console.  I can run the Management Console using a secure
> connection.
>
> Linux uses DS to authenticate (configured using System >
> Administration > Authentication and enabling LDAP support).  If I try
> to "Use TLS to encrypt connection" I can't program a URL that will let
> me download the CA Certificate successfully. I hope that all made
> sense.
>
> Am I missing something?  Do I need this?
>
>
> <snip>
>
>
> Sorry, I don't quite follow.  I know it was a difficult-to-follow post
> but I did post how we set up SSL communications including the client
> side setup.  We simply copied the CA cert to the clients (servers using
> LDAP for authentication) via scp - John
>
>
>
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
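The contrast in the post (openssl s_client with -CAfile succeeds while ldapsearch reports "certificate verify failed") reproduced as an added example, not code from the thread or from 389 DS: it builds a constructed private CA and server certificate with openssl, shows that verification succeeds only when that CA file is named explicitly, and shows that the OpenLDAP client library only picks the CA up when its ldap.conf (or the LDAPTLS_CACERT environment variable) points at it. Assumes openssl on PATH; the ldap_client_trusts helper and all file paths are hypothetical.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes: openssl on PATH.
set -u
WORK=$(mktemp -d)

# Constructed throwaway CA and a server certificate for "localhost" signed by it.
make_test_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Test Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=localhost" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -sha256 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.pem" 2>/dev/null
}

# Same trust decision as "openssl s_client -CAfile <ca>": chain to the CA we name.
verify_with_named_ca() {            # $1 = CA file, $2 = server cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Same trust decision as a client that was never told about the CA: only the
# system default store is consulted, which does not contain a private CA.
verify_with_default_store() {       # $1 = server cert
    openssl verify "$1" >/dev/null 2>&1
}

# What the OpenLDAP client actually consults: the TLS_CACERT line of ldap.conf.
# Returns 0 only when that file is present, readable and verifies the server cert.
ldap_client_trusts() {              # $1 = ldap.conf path (hypothetical), $2 = server cert
    ca=$(awk 'toupper($1)=="TLS_CACERT"{print $2; exit}' "$1")
    [ -n "$ca" ] && [ -r "$ca" ] && verify_with_named_ca "$ca" "$2"
}

make_test_certs
verify_with_named_ca "$WORK/ca.pem" "$WORK/server.pem" && echo "named CA: verify ok"
verify_with_default_store "$WORK/server.pem" || echo "default store: certificate verify failed"

# ldap.conf without TLS_CACERT reproduces the ldapsearch failure in the post.
printf 'URI ldaps://localhost:636\n' > "$WORK/ldap.conf"
ldap_client_trusts "$WORK/ldap.conf" "$WORK/server.pem" || echo "ldap.conf lacks TLS_CACERT: not trusted"
# Pointing TLS_CACERT at the CA file is what makes the client trust the chain.
printf 'TLS_CACERT %s\n' "$WORK/ca.pem" >> "$WORK/ldap.conf"
ldap_client_trusts "$WORK/ldap.conf" "$WORK/server.pem" && echo "ldap.conf with TLS_CACERT: trusted"
```

The same check applies to the console's prompt on port 9830: a self-signed admin-server certificate is accepted every time until its issuer is in the trust store the client consults.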