
Re: SSL client certificate question and bdb_dn2id_matched question



Mon, 2003-01-13 at 15:01, Bradley Scutvick wrote:

> I'm new to the exciting world of ldap, I just got SSL working but I 
> still haven't connected completely to the server.

You're getting there, and won't be licked for long, now ;)

> was to actually install what I assume are the CA and server certs (the 
> files cert7.db and key3.db, gleaned from a netscape visit to 
> https://myserver.com:636) on my client (Softerra LDAP browser).  What I 
> don't understand is why the hell this made everything work, to a point, 
> when there's a directive in my slapd.conf: TLSVerifyClient never, that I 
> assumed meant slapd doesn't bother with client certs.  Any help 
> understanding this would be great.  I suspect it has more to do with SSL 
> than LDAP, but humor me please.

Yes, this is all OpenSSL stuff. No Netscape, no PKCS#12.

Unless you as server admin insist on client certs, these will not be
used. Client certs are not necessary for pure encryption.

For what is normal SSL or TLS (different things, same result), you need
a server public key signed by a (any) CA (your own, if you wish, nothing
will barf as it does in Netscape or IE), with the ultimate proviso that
the hostname of your server (Linux 'hostname -f') agrees completely
with the subject of the public key. Both have to be .pem format. You can
find out the subject you have given (if you've arranged for the CSR
signing request cert. request) by doing 'openssl x509 -in certname.pem
-noout -text' in the public key directory.

CA, public and private key paths into slapd.conf. Path to private key
MUST be readable ONLY by server UID. Path to public key MAY be read by
all. Path to CA cert MUST be readable by all.

CA cert path into /etc/ldap.conf (at the bottom) or ldaprc or ~/.ldaprc.

If you don't know how to make CA-signed certs, yet have Apache/mod_ssl,
use those certs. Likewise FreeS/WAN, but then you know how to, with a
vengeance :)

GOTCHAS: The most common is that your FQDN ('hostname -f') does not
agree with the subject of the public key. Next is that the cert paths
aren't readable, where necessary.

Best,

Tony

--

> 
> 2. Now I get to this debug message and resultant error 49:
> 
> => bdb_dn2id_matched( "cn=admin,dc=test1,dc=dns" )
> <= bdb_dn2id_matched: no match
> 
> with these slapd.conf lines
> 
> database        bdb
> suffix          "dc=test1,dc=dns"
> rootdn          "cn=admin,dc=test1,dc=dns"
> rootpw          tDCzXHLJSMYIuAhxeQFeJYrZ5wHqOrty
> directory       /usr/local/openldap/var/openldap-data
> 
> Is there some other way you have to add a user id to bdb or something? 
> I admit I haven't spent a lot of time on this one.  If I've left out key 
> debug or config lines, please let me know and I'll post them, and thank 
> you very much in advance for any help.
> 
> -Brad
-- 

Tony Earnshaw

When all's said and done ...
there's nothing left to say or do.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
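Added example, not part of Tony's reply or of the OpenLDAP project: a POSIX sh checker for the gotchas he lists (cert subject vs. 'hostname -f', private key readable only by the server UID, CA cert readable by all and able to verify the server cert). It assumes the openssl CLI is installed; the file names are whatever you pass as arguments.

```shell
#!/bin/sh
# Constructed checker for the slapd TLS gotchas described above.
# Requires the openssl CLI; paths are supplied by the caller.

# Print the subject CN plus any SAN dNSName entries, one per line
# (modern clients match the SAN, older ones the CN, so report both).
cert_names() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject= *//p' | tr ',' '\n' | sed -n 's/^CN=//p'
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# 0 if $2 (the FQDN) appears among the cert's names, else 1.
check_hostname_matches() {
    cert_names "$1" | grep -qx "$2"
}

# Octal permission bits of a file, GNU or BSD stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# 0 if the key has no group/other bits at all (e.g. 600 or 400).
check_key_private() {
    case "$(file_mode "$1")" in *00) return 0 ;; *) return 1 ;; esac
}

# 0 if "other" has the read bit (the CA cert must be readable by all).
check_world_readable() {
    case "$(file_mode "$1")" in *[4567]) return 0 ;; *) return 1 ;; esac
}

# 0 if the server cert verifies against the CA file.
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: check_slapd_tls CA_CERT SERVER_CERT SERVER_KEY [FQDN]
# Reports every failing check and returns 1 if any failed.
check_slapd_tls() {
    fqdn="${4:-$(hostname -f)}"; rc=0
    check_hostname_matches "$2" "$fqdn" || { echo "FAIL: no name in $2 matches $fqdn"; rc=1; }
    check_key_private "$3" || { echo "FAIL: $3 is readable by group/other"; rc=1; }
    check_world_readable "$1" || { echo "FAIL: $1 is not readable by all"; rc=1; }
    check_chain "$1" "$2" || { echo "FAIL: $2 does not verify against $1"; rc=1; }
    return $rc
}
```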