
RE: Authentication using LDAP and NDS



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Tony Earnshaw

> tir, 2002-11-05 kl. 06:17 skrev Alison Smith:
>
> > I hope this isn't a really silly question and that I am
> sending this to the correct list!
>
> It's not silly, I too hope that this is the correct list.

I'd call it borderline and let it fly...

> > I have been told that the servers require SSL, and have
> been given a root certificate (in DER format). This needs to
> be imported as a "trusted root certificate" on my server.
> This is where I run into problems, I have no idea how to
> import it as a trusted root certificate?

> > Does anyone have any ideas as to where I might start looking?

Once you've converted your cert from DER to PEM format as Tony described, you
should follow up with the Using TLS chapter of the 2.1 Admin Guide.
http://www.openldap.org/doc/
>
> Without going to the hassle of running slapd at d -1, I tried my DER
> encoded CA certificate (since that's what Novell means by "root
> certificate") and it didn't work with the 2.1.8 slapd.
>
> At the very least, you'll have to make a PEM encoded CA/root
> certificate and use that.
>
> Put your Novell certificate in a directory, cd to that
> directory and do:
> 'openssl x509 -inform DER -in name-of-the-certificate.der -out
> name-of-the-certificate.pem -outform PEM' (man x509) and chmod 644
> certificate.pem.

Yes.

> Copy that certificate to your CA certificate directory and do
> all public
> key/certificate request signing with it. Make sure your
> Openldap clients use that certificate too!

Yes.

> I don't know whether Openldap can use multiple CA certs, I've never
> tried.

Yes, but as noted in the Admin Guide, a server usually only needs the CA cert
(chain) for the CA that signed its server cert. If the server is meant to
accept client certs that were signed by various CAs, then it will of course
need those CA certs as well, but typically there's only 1 CA of interest for
a server. A client may be in contact with many different servers, and will
often use many different CA certs.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
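The DER-versus-PEM distinction that tripped up slapd 2.1.8 in the thread above is purely a container difference: a PEM certificate is the same DER bytes, base64-encoded in 64-character lines between BEGIN/END CERTIFICATE markers. The following Python is an added example, not code from the thread or from OpenLDAP/OpenSSL: it detects which container a file uses (DER files start with an ASN.1 SEQUENCE tag whose length covers the whole file), performs the same byte-level conversion as `openssl x509 -inform DER -outform PEM`, and writes the result with mode 0644 as Tony's instructions call for. The `SAMPLE_DER` value and the `novell-root.*` file names are constructed for the demonstration; the sample has DER framing but is not a real certificate, and the code does no X.509 parsing or validation.

```python
"""Detect DER vs PEM certificate files and convert DER to PEM.

Added example (not from the original mailing-list thread). It reimplements
only the container conversion done by `openssl x509 -inform DER -outform PEM`;
it does not parse, validate or trust-check the certificate itself.
"""
import base64
import os
import re
import stat
import tempfile

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def _der_total_length(data: bytes) -> int:
    """Bytes covered by the outer SEQUENCE (tag + length + content), or -1."""
    first = data[1]
    if first < 0x80:                      # short form: a single length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:   # 0x80 (indefinite) is not DER
        return -1
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def detect_format(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown'.

    A DER-encoded X.509 certificate begins with SEQUENCE (0x30) and its length
    field accounts for every remaining byte; PEM is ASCII with a BEGIN marker.
    """
    if data.lstrip().startswith(PEM_HEADER.encode("ascii")):
        return "pem"
    if len(data) >= 2 and data[0] == 0x30 and _der_total_length(data) == len(data):
        return "der"
    return "unknown"


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block (64-character base64 lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Inverse of der_to_pem: extract and decode the first CERTIFICATE block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def convert_file(src: str, dst: str) -> str:
    """Write a PEM copy of src to dst (mode 0644); return the detected input format."""
    with open(src, "rb") as f:
        data = f.read()
    fmt = detect_format(data)
    if fmt == "der":
        pem = der_to_pem(data)
    elif fmt == "pem":
        pem = data.decode("ascii")        # already PEM: copy through unchanged
    else:
        raise ValueError(f"{src}: not a DER or PEM certificate")
    with open(dst, "w") as f:
        f.write(pem)
    os.chmod(dst, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)  # 0644
    return fmt


# Constructed sample: DER framing only (SEQUENCE, long-form length 256),
# NOT a real certificate. Enough to exercise the detector and converter.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "novell-root.der")   # hypothetical file names
        dst = os.path.join(d, "novell-root.pem")
        with open(src, "wb") as f:
            f.write(SAMPLE_DER)
        print("input format:", convert_file(src, dst))
        print("output mode:", oct(stat.S_IMODE(os.stat(dst).st_mode)))
        with open(dst) as f:
            print(f.read())
```

The detector's length check is what distinguishes a DER certificate from arbitrary binary that happens to start with 0x30, and it is also a cheap way to notice a truncated download before pointing slapd at it. Once the PEM file exists, the server side is the `TLSCACertificateFile` directive in slapd.conf and the client side is `TLS_CACERT` in ldap.conf, both covered in the Using TLS chapter Howard points to; the real `openssl x509` command remains the right tool for confirming the converted file actually parses as a CA certificate.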