[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Enabling TLS problem on openldap2-2.3.39



Be default, the SLES 9.3 slapd.conf defines the CA Cert like this:

    TLSCACertificatePath /etc/ssl/certs

That directory has lots of pem files in it with x509 symbolic links:

ls -C /etc/ssl/certs
Password:
052eae11.0  6f5d9899.0   d4e39186.0         ICE-root.pem    timCA.pem
18d46017.0  73912336.0   ddc328ff.0         ICE-user.pem    tjhCA.pem
1e49180d.0  7651b327.0   dsa-ca.pem         ICP-Brasil.pem  vsign1.pem
1ef89214.0  8c401b31.0   dsa-pca.pem        nortelCA.pem    vsign2.pem
1f6c59cd.0  8caad35e.0   Equifax-root1.pem  pca-cert.pem    vsign3.pem
24867d38.0  91b8190d.0   expired            RegTP-4R.pem    vsignss.pem
2edf7016.0  a99c5886.0   f3e90025.0         RegTP-5R.pem    vsigntca.pem
3ecf89a3.0  adbec561.0   f73e89fd.0         RegTP-6R.pem    YaST-CA.pem
594f1775.0  b5f329fa.0   factory.pem        rsa-cca.pem
69ea794f.0  c33a80d4.0   ICE-CA.pem         thawteCb.pem
6bee6be3.0  ca-cert.pem  ICE.crl            thawteCp.pem

I think CA certs is set up correctly.  Am I wrong about that?

    Do I have to move /etc/openldap/server.{crt,key} to /etc/ssl/certs?

    Do I have to create turn /etc/openldap/server.{crt,key} into a .pem
file?

    Do I have to create x509 symbolic links from
/etc/openldap/server.{crt,key} to /etc/ssl/certs?

Thanks for your help.

----
Not all who wander are lost.

                          |     ----  ___o  |  chuck.keagle@boeing.com
Chuck Keagle              |  -------  \ <,  |  Work:  (425) 865-1488
Enterprise Servers:  HPC  |  ----- ( )/ ( ) |  Cell:  (425) 417-3434
 

> -----Original Message-----
> From: Quanah Gibson-Mount [mailto:quanah@zimbra.com] 
> Sent: Friday, November 16, 2007 6:28 PM
> To: Keagle, Chuck; openldap-software@openldap.org
> Subject: Re: Enabling TLS problem on openldap2-2.3.39
> 
> --On Friday, November 16, 2007 5:01 PM -0800 "Keagle, Chuck" 
> <chuck.keagle@boeing.com> wrote:
> 
> > I'm configuring slapd to use TLS.  First I just want to 
> make it work, 
> > then I'll go into requiring encryption.
> >
> > The system is SLES 9.3
> > The openldap2 is 2.3.39
> > Other certifictes are in /etc/ssl/certs as specified by default in 
> > slapd.conf for openldap2 2.3.39.
> >
> > The database is currently empty, just getting started.
> >
> > Generated a self-signed x509 certificate
> > 	cd /etc/openldap
> > 	openssl genrsa 1024 >server.key
> > 	chmod 0440 server.key
> > 	chown root:ldap server.key
> > 	openssl req -new -key server.key -x509 -days 100 -out server.crt
> > 		Entered all the important stuff
> > 	chmod 0444 server.crt
> >
> > Checked certificate and it looked acceptable
> > 	openssl x509 -text -in server.crt
> >
> > Changed following lines in slapd.conf:
> > 	TLSCertificateFile /etc/openldap/server.crt
> > 	TLSCertificateKeyFile /etc/openldap/server.key
> 
> 
> You failed to set the CA Cert directive in slapd.conf, so it 
> has no way of presenting its CA cert.
> 
> --Quanah
> 
> --
> 
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra ::  the leader in open source messaging and collaboration
>