LDAP SSL Problems (was: service script (/etc/init.d/ldap))

Daniel B. Thurman dant at cdkkt.com
Mon Nov 14 22:53:44 UTC 2005


>From: fedora-list-bounces at redhat.com
>[mailto:fedora-list-bounces at redhat.com]On Behalf Of Craig White
>Sent: Monday, November 14, 2005 11:58 AM
>To: For users of Fedora Core releases
>Subject: RE: LDAP SSL Problems (was: service script (/etc/init.d/ldap))
>
>
>On Mon, 2005-11-14 at 11:25 -0800, Daniel B. Thurman wrote:
>
>> I think there is perhaps a problem in the way I have
>> created ssl certificates and may not have done it properly.
>> I would like to request instructions for creating the slapd.pem
>> file please?  I used to do this the old way and had a hard
>> time trying to separate the CA cert, unsigned cert/key and
>> signed certs - so I don't know which one to use for ldap!
>----
>this is what I use...YMMV
>
>#### generate openldap certificate ####
># self-signed CA certificate (assumes ca.key already exists)
>openssl req -config /usr/share/ssl/openssl.cnf -new -x509 -days 3650 \
>-key ca.key -out ca.cert
># server key and certificate signing request
>openssl genrsa -out ldap.key 1024
>openssl req -config /usr/share/ssl/openssl.cnf -new -key ldap.key \
>-out ldap.csr
># sign the request with the CA; ldap.cert is the certificate slapd serves
>openssl x509 -req -in ldap.csr -out ldap.cert -CA ca.cert -CAkey \
>ca.key -CAcreateserial -days 3650
>cp ca.cert /etc/ssl
>cp ca.key /etc/ssl
>cp ldap.key /etc/ssl
>cp ldap.csr /etc/ssl
>----
>> 
>> I noticed that there has been a change from what I am used
>> to and that there is a new location for certificates and it is
>> at: /etc/pki/tls specifically.  I tried all kinds of ways to
>> get this to work and it appears that for some reason, the ldap
>> programs are unable to find the certificate.
>> 
>> I added TLS* directives in /etc/ldap.conf and in
>> /etc/openldap/slapd.conf (why the redundancy?) and put my created
>> certs in the /etc/openldap/cacerts directory.
>> 
>> It appears from the ldapsearch debug output, that it will
>> only search for certificates in /etc/pki/tls directory and
>> *maybe* in /etc/openldap/cacerts (see the '#' in front
>> of that directory in the debug output).  From the debug output,
>> it is not clear as to WHAT dir/file was attempted to be opened.
>----
>there are the server certs and the client certs and the CA -
>they are not necessarily the same. The server certs are as directed
>in /etc/openldap/slapd.conf and the client certs are typically in
>ldap.conf (perhaps both /etc/ldap.conf and /etc/openldap/ldap.conf) as
>the former is for padl stuff and the latter is for openldap
>client stuff such as ldapsearch
>----
>> 
>> Here is the debug output I got:
>> 
>> # ldapsearch -d -1 -H ldaps://ldap.cdkkt.com -b dc=cdkkt,dc=com -x
>> ldap_create
>> ldap_url_parse_ext(ldaps://ldap.cdkkt.com)
>> ldap_bind_s
>> ldap_simple_bind_s
>> ldap_sasl_bind_s
>> ldap_sasl_bind
>> ldap_send_initial_request
>> ldap_new_connection
>> ldap_int_open_connection
>> ldap_connect_to_host: TCP ldap.cdkkt.com:636
>> ldap_new_socket: 3
>> ldap_prepare_socket: 3
>> ldap_connect_to_host: Trying 216.99.218.205:636
>> ldap_connect_timeout: fd: 3 tm: -1 async: 0
>> ldap_ndelay_on: 3
>> ldap_is_sock_ready: 3
>> ldap_ndelay_off: 3
>> TLS: could not load client CA list (file:`',dir:`/etc/pki/tls/slapd.pem # /etc/openldap/cacerts').
>> TLS: error:0200A002:system library:opendir:No such file or directory ssl_cert.c:752
>> TLS: error:140D7002:SSL routines:SSL_add_dir_cert_subjects_to_stack:system lib ssl_cert.c:754
>> ldap_perror
>> ldap_bind: Can't contact LDAP server (-1)
>> 
>> So what does it all mean?  What file was attempted and why is it
>> that my TLS* directives are seemingly ignored in both places
>> specified in /etc/ldap.conf and in /etc/openldap/slapd.conf?
>----
>I don't know...I'm not one to debug openssl
>----
>> 
>> I even copied my certificate to /etc/pki/tls/slapd.pem
>> since no slapd.pem existed there and oddly enough, a slapd.pem
>> did exist in: /etc/pki/tls/certs/slapd.pem - supposedly created
>> when I setup kerberos!
>> 
>> Something is royally screwed up somewhere!  Please help!
>----
>You might want to contact ldap at umich.edu or ldap-interop list
>http://lists.fini.net/mailman/listinfo/ldap-interop
>
>You also might want to look through Turbo's guide (software projects)
>
>http://www.bayour.com/
>
>Craig
>
>

Um, I tried your method for creating certs and it does
not work in FC4 - I think you might be surprised that
the "old way of doing things" has changed.  This is what
I was trying to tell you earlier.

First off, there is no /etc/ssl directory - I think this
is now /etc/pki

Second, openssl is looking for /usr/share/ssl/openssl.cnf
of which /etc/share/ssl is no longer there.  I think they moved
things around so that openssl.cnf is now in /etc/pki/tls so
in order to get openssl to work, you may now need to define
where the openssl.cnf file is on the command line.

openssl is probably being moved around.  I have NO CLUE what
is going on with openssl and FC4 - perhaps it is still a work
in progress.  dunno.

Another thing,  when I was doing kerberos and got it running,
there is a definite bug in /etc/init.d/ldap, line 74 where
kinit was not found.  The '$' was missing so that it should
be $kinit and not stand-alone kinit since the script does not
have the full pathname to kinit.

FC4 has a little ways to go to get things right again... sigh.

I will play around some more before I give it up altogether.

Thanks for your help though!

Dan
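As an added example, not code from the thread or from either poster: a POSIX shell script that follows Craig's recipe above (CA, server key, CSR, CA-signed server certificate) without hard-coding /usr/share/ssl/openssl.cnf, verifies the resulting chain with `openssl verify` before anything is copied into slapd's directories, and checks a constructed ldap.conf for the one thing Dan's debug output does show: a TLS directive whose value carries an inline `#` comment, which OpenLDAP keeps as part of the directory name (hence `opendir: No such file or directory`). The output directory, the hostname ldap.example.com, the sample config lines and the 2048-bit key size are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a CA + server cert pair the way
# Craig's recipe does, verifies the chain, and lints an ldap.conf for inline
# '#' comments. Paths, hostname and the sample config are constructed here.
set -eu

# openssl honours OPENSSL_CONF, so point it at the distribution's file once
# (e.g. export OPENSSL_CONF=/etc/pki/tls/openssl.cnf on FC4) instead of
# repeating -config on every command; unset, the built-in default is used.
make_ldap_certs() {
    out="$1"     # output directory (assumed; anything writable)
    host="$2"    # CN of the server certificate; must match the ldaps:// hostname
    mkdir -p "$out"
    # 1. CA key and self-signed CA certificate: this is what clients trust.
    openssl genrsa -out "$out/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$out/ca.key" \
        -subj "/CN=Example LDAP CA" -out "$out/ca.cert"
    # 2. Server key and certificate signing request.
    openssl genrsa -out "$out/ldap.key" 2048 2>/dev/null
    openssl req -new -key "$out/ldap.key" -subj "/CN=$host" -out "$out/ldap.csr"
    # 3. The CA signs the request; ldap.cert is the file slapd serves.
    openssl x509 -req -days 3650 -in "$out/ldap.csr" -CA "$out/ca.cert" \
        -CAkey "$out/ca.key" -CAcreateserial -out "$out/ldap.cert" 2>/dev/null
    # 4. Prove the chain before touching slapd: prints "<path>: OK" on success
    #    and exits non-zero otherwise, which aborts the script under set -e.
    openssl verify -CAfile "$out/ca.cert" "$out/ldap.cert"
}

# Which file goes where (the server needs its pair plus the CA cert; a client
# needs only the CA cert; ldap.csr is needed by nobody after signing, and
# ca.key is needed only when signing, so it has no business on the server):
#   slapd.conf: TLSCACertificateFile ca.cert
#               TLSCertificateFile   ldap.cert
#               TLSCertificateKeyFile ldap.key
#   ldap.conf:  TLS_CACERT ca.cert   (or TLS_CACERTDIR pointing at a directory
#               of CA certs, not at a single file)

# Count TLS directives that carry a trailing '# comment'. In ldap.conf only a
# line that *starts* with '#' is a comment, so the rest of the line, '#' and
# all, becomes the value; that is how '/etc/pki/tls/slapd.pem # /etc/openldap/
# cacerts' ended up as the directory name in the debug output. Prints the
# number of offending lines (0 when clean).
count_inline_comment_tls_lines() {
    grep -c '^[[:space:]]*TLS[A-Za-z_]*[[:space:]][^#]*#' "$1" || true
}

# Constructed sample ldap.conf for the check above (not Dan's actual file).
write_sample_ldap_conf() {
    cat > "$1" <<'EOF'
# client side: only the CA is needed
BASE dc=example,dc=com
URI ldaps://ldap.example.com
TLS_CACERT /etc/openldap/cacerts/ca.cert
TLS_CACERTDIR /etc/pki/tls/slapd.pem # /etc/openldap/cacerts
EOF
}

# Usage: everything is written under a temporary directory, nothing system-wide.
tmp="${TMPDIR:-/tmp}/ldap-tls-example.$$"
make_ldap_certs "$tmp" ldap.example.com
write_sample_ldap_conf "$tmp/ldap.conf"
echo "TLS lines with inline comments: $(count_inline_comment_tls_lines "$tmp/ldap.conf")"
rm -rf "$tmp"
```

Running it prints the `openssl verify` result for the freshly signed server certificate and then `TLS lines with inline comments: 1`, the offender being the TLS_CACERTDIR line. The same grep can be pointed at /etc/openldap/slapd.conf and /etc/ldap.conf on a box showing the `opendir` error above, which is a faster check than re-reading `-d -1` output.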
