
Re: trouble configure TLS in LDAP

--On Monday, January 12, 2004 4:10 PM +0100 Thomas <mubis@gmx.de> wrote:

Hi @all,

I've some trouble running TLS with LDAP:

At first I created on my Linux LDAP-Server a Certificate Authority with
CA.pl -newca
with the certification cacert.pem
The result of a check with 'CA.pl -verify cacert.pem' is 'OK'

After that I created a server certificate for my LDAP-Server with
CA.pl -newcert     -> newreq.pem
and signed it with the Certificate Authority
CA.pl -signcert    -> newcert.pem
The result of a check with 'CA.pl -verify newcert.pem' is 'OK'

In a 3rd step I deleted the password in newreq.pem with
openssl rsa -in newreq.pem -out ldapkey.pem
Here is the first error when I try a check with
'CA.pl -verify ldapkey.pem' it says:
'unable to load certificate
18032:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE'

I made a chmod 777 on the keys, no influence. Has anyone an idea what I'm
doing wrong?

I also changed my slapd.conf with the entries:
TLSCertificateFile /etc/openldap/newcert.pem
TLSCertificateKeyFile /etc/openldap/ldapkey.pem
TLSCACertificateFile /etc/openldap/cacert.pem

After restarting slapd an 'openssl s_client -connect localhost:389
-showcerts' results in:
'CONNECTED(00000003)
18034:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:226:'

Any help would be appreciated. Does someone know a good link for a 'cookbook' for TLS with LDAP?

Yes, the openldap-software archives -- search on self-signed certs. You have to tell OpenLDAP to trust a self-signed CA.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
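As an added example that is not part of this thread: a POSIX shell pre-flight check for the three TLS* entries of the quoted slapd.conf (the `/etc/openldap/*.pem` paths are only an assumed layout), which catches the key-vs-certificate mix-up behind the "Expecting: TRUSTED CERTIFICATE" error and a key that is still passphrase-protected, before slapd is restarted.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check of the TLS* entries of a
# slapd.conf. The "Expecting: TRUSTED CERTIFICATE" error above is what a
# certificate check prints when it is handed a private key, so the first test is
# simply whether each file carries the PEM label slapd expects of it.

# Label of the first PEM block in a file, e.g. CERTIFICATE or RSA PRIVATE KEY.
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Value of one directive in a slapd.conf-style file (first match wins).
slapd_directive() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

is_cert_label() { case "$1" in CERTIFICATE|"TRUSTED CERTIFICATE") return 0 ;; *) return 1 ;; esac; }
is_key_label()  { case "$1" in *"PRIVATE KEY") return 0 ;; *) return 1 ;; esac; }

# Prints one line per problem with TLSCertificateFile / TLSCertificateKeyFile /
# TLSCACertificateFile in $1 and returns 0 only when none is found.
check_slapd_tls() {
    conf=$1; rc=0
    cert=$(slapd_directive "$conf" TLSCertificateFile)
    key=$(slapd_directive "$conf" TLSCertificateKeyFile)
    ca=$(slapd_directive "$conf" TLSCACertificateFile)
    for f in "$cert" "$key" "$ca"; do
        [ -n "$f" ] && [ -r "$f" ] || { echo "missing or unreadable TLS file: '$f'"; rc=1; }
    done
    [ $rc -eq 0 ] || return 1
    is_cert_label "$(pem_label "$cert")" || { echo "TLSCertificateFile is not a certificate: $cert"; rc=1; }
    is_cert_label "$(pem_label "$ca")"   || { echo "TLSCACertificateFile is not a certificate: $ca"; rc=1; }
    is_key_label  "$(pem_label "$key")"  || { echo "TLSCertificateKeyFile is not a private key: $key"; rc=1; }
    # slapd cannot prompt for a passphrase at startup; that is why the key is
    # exported unencrypted with 'openssl rsa' in the first place.
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$key" || [ "$(pem_label "$key")" = "ENCRYPTED PRIVATE KEY" ]; then
        echo "TLSCertificateKeyFile is still passphrase-protected: $key"; rc=1
    fi
    return $rc
}

# With real files and openssl installed: does the key belong to the certificate
# (same RSA modulus) and does the CA file really sign it? Args: cert key cafile.
check_key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1") && k=$(openssl rsa -noout -modulus -in "$2") &&
        [ "$c" = "$k" ] && openssl verify -CAfile "$3" "$1" >/dev/null
}
```

Note that `openssl s_client -connect localhost:389` without STARTTLS fails the handshake even on a correctly configured server, because slapd speaks plain LDAP on 389 until the client sends the StartTLS extended operation; current OpenSSL (1.1.1 and later) accepts `-starttls ldap` for this, or test port 636 if ldaps is enabled.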