
Re: Client - Server Authentication Using Certificates



On Mon, 10 May 2004, Laurence wrote:

> Hi,
>
> Thanks for your reply, that was exactly what I needed!
>
> I have spent today trying to implement this and have come across two
> small problems and hence questions.
>
> Please note that I have substituted my actual hostname for host.invalid.
>
> The first problem is with my certificate. Due to the computing policy we
> have here, the CN in the subject of the certificate is
> CN=host/host.invalid and hence when I try to do the ldapsearch I obtain
> the following error message.
>
> TLS: hostname (host.invalid) does not match common name in certificate
> (host/host.invalid).
>
> The first question would be, is it possible to "tune" this with the ldap
> configuration or does it make an assumption that the name on the
> certificate has to be the same as the hostname.

This is not configurable to my knowledge.

> To get past this problem I created my own CA and created a certificate
> with CN=host.invalid.
>
> This seemed to get me a little further but it failed with the following
> error.
>
> ldap_interactive_sasl_bind_s: server supports: PLAIN LOGIN
> ldap_int_sasl_bind: PLAIN LOGIN
> ldap_perror
> ldap_sasl_interactive_bind_s: Unknown authentication method
>
> So I guess that there is still something wrong with the configuration
> but even after reading chapter 10 and 11 of the admins guide I can't
> work out what needs to be done. What I am trying to do is give the ldap
> database global read access but only letting the client with a certain
> certificate write data.
>
> So my second question is what do I need to add to the configuration to
> enable this to be done. I have appended the relevant lines from the
> configuration files to the end of this mail.
>
> Thanks for your help.
>
> Laurence
>
> ldap.conf
>
> TLS_CACERT /etc/grid-security/certificates/fa3af1d7.0
> TLS_CERT /etc/grid-security/hostcert.pem
> TLS_KEY /etc/grid-security/hostkey.pem
>
>
> slapd.conf
>
> TLSCACertificateFile /etc/grid-security/certificates/fa3af1d7.0
> TLSCertificateFile /etc/grid-security/hostcert.pem
> TLSCertificateKeyFile /etc/grid-security/hostkey.pem
> TLSVerifyClient demand

This will not work unless the hostcert.pem subject is a valid DN.  You
probably need to generate a separate client cert (for ldap.conf).

-- 
Igor
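For readers following this thread, here is one configuration that implements the "everyone reads, one certificate holder writes" policy Laurence describes, along the lines of Igor's suggestion of a separate client certificate. This is an added example, not configuration from either poster; the client certificate file names and the subject DN `cn=ldap-writer,ou=hosts,dc=example,dc=invalid` are placeholders and must be replaced with the subject of the client certificate your CA actually issued. The CA bundle path is the one from the quoted configuration.

```conf
# Added example (not from this thread): slapd.conf / ldap.conf fragments for
# "global read, write only for the holder of one client certificate",
# using the TLS client certificate as the SASL EXTERNAL identity.

# --- slapd.conf (server) ---
TLSCACertificateFile    /etc/grid-security/certificates/fa3af1d7.0
TLSCertificateFile      /etc/grid-security/hostcert.pem
TLSCertificateKeyFile   /etc/grid-security/hostkey.pem
# "demand" rejects any TLS client without a certificate from the CA above.
# If anonymous readers must connect without a certificate, use "try" instead;
# the ACL below still limits write access to the certificate holder.
TLSVerifyClient         demand

# After a SASL EXTERNAL bind over TLS, slapd identifies the client by the
# normalized subject DN of its certificate, so the ACL can name it directly.
# The DN below is a placeholder for the subject of the *client* certificate
# (not the server's hostcert.pem).
access to *
        by dn.exact="cn=ldap-writer,ou=hosts,dc=example,dc=invalid" write
        by * read

# --- ldap.conf (client side) ---
TLS_CACERT  /etc/grid-security/certificates/fa3af1d7.0
TLS_CERT    /etc/grid-security/ldap-writer-cert.pem   # placeholder client cert
TLS_KEY     /etc/grid-security/ldap-writer-key.pem    # placeholder client key
TLS_REQCERT demand                                   # verify the server cert

# Check from a shell (StartTLS must be established before the bind, which is
# what -ZZ enforces; only then is the EXTERNAL mechanism usable):
#   ldapwhoami -H ldap://host.invalid -ZZ -Y EXTERNAL
# The reply should be the authorization identity slapd derived from the
# certificate, e.g.  dn:cn=ldap-writer,ou=hosts,dc=example,dc=invalid
```

The string in `dn.exact` has to match the DN slapd derives from the certificate, which is why running `ldapwhoami` first is useful: it shows the exact identity to put in the ACL. Note also that the server certificate still needs a CN (or, in later releases, a subjectAltName) equal to the hostname the client connects to, which is the first problem raised in the quoted mail and is separate from the client-side identity handled here.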