
RE: LDAP and TLS



So you are saying remove those TLS lines from /etc/openldap/ldap.conf and put them in the ldif file as:

olcTLSCACertificateFile: /etc/openldap/cacerts/wildcard.securesites.com.cert
olcTLSCertificateFile: /etc/openldap/cacerts/wildcard.securesites.com.csr
olcTLSCertificateKeyFile: /etc/openldap/cacerts/wildcard.securesites.com.key ?

usaims
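An added example, not code from this thread or from OpenLDAP, for the step the message above asks about: moving the certificate settings out of the client's ldap.conf and into slapd's cn=config. The script renders the ldapmodify LDIF for the three olcTLS* attributes and, before anything is applied, checks that each path holds the kind of PEM object the attribute expects, because slapd wants the issued certificate (a "CERTIFICATE" block) in olcTLSCertificateFile and a signing request is not a certificate. The three paths mirror the ones posted above; the file contents in SAMPLE_FILES are constructed placeholders, not real keys or certificates, so the check runs offline. The client side keeps only TLS_CACERT, pointing at the CA that issued the server certificate (or at the server certificate itself only when it is self-signed).

```python
"""Pre-flight check and LDIF builder for slapd's cn=config TLS attributes.

Added example, not code from the thread or from OpenLDAP. The paths mirror
the ones in the message above (assumed layout); the PEM bodies in
SAMPLE_FILES are constructed placeholders, not real keys or certificates.
"""
import re

# PEM labels slapd can use for each olcTLS* attribute.
EXPECTED_PEM_LABELS = {
    "olcTLSCACertificateFile": {"CERTIFICATE"},
    "olcTLSCertificateFile": {"CERTIFICATE"},
    "olcTLSCertificateKeyFile": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
}

_PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$", re.MULTILINE)

# Paths as posted above (assumed layout).
SAMPLE_PATHS = {
    "olcTLSCACertificateFile": "/etc/openldap/cacerts/wildcard.securesites.com.cert",
    "olcTLSCertificateFile": "/etc/openldap/cacerts/wildcard.securesites.com.csr",
    "olcTLSCertificateKeyFile": "/etc/openldap/cacerts/wildcard.securesites.com.key",
}

# Constructed contents: the .csr is assumed to hold a signing request,
# which is what that suffix usually means, and a request is not a certificate.
SAMPLE_FILES = {
    SAMPLE_PATHS["olcTLSCACertificateFile"]:
        "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n",
    SAMPLE_PATHS["olcTLSCertificateFile"]:
        "-----BEGIN CERTIFICATE REQUEST-----\nMIIB...placeholder...\n-----END CERTIFICATE REQUEST-----\n",
    SAMPLE_PATHS["olcTLSCertificateKeyFile"]:
        "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n",
}


def pem_labels(text):
    """Return the PEM labels (e.g. 'CERTIFICATE') found in a file body."""
    return _PEM_BEGIN.findall(text)


def check_tls_files(paths, reader):
    """Check that each configured path holds the kind of PEM object its
    attribute expects. reader(path) returns the file text, so the same
    check runs against SAMPLE_FILES offline or against real files with
    reader=lambda p: open(p).read(). Returns a list of problem strings;
    an empty list means the files look right."""
    problems = []
    for attr, path in paths.items():
        try:
            text = reader(path)
        except (OSError, KeyError) as exc:
            problems.append(f"{attr}: cannot read {path}: {exc!r}")
            continue
        labels = pem_labels(text)
        if not labels:
            problems.append(f"{attr}: {path} contains no PEM block")
            continue
        wrong = [label for label in labels if label not in EXPECTED_PEM_LABELS[attr]]
        if wrong:
            problems.append(
                f"{attr}: {path} holds {', '.join(wrong)}; "
                f"expected one of {sorted(EXPECTED_PEM_LABELS[attr])}"
            )
    return problems


def tls_ldif(paths):
    """Render one ldapmodify record that sets every attribute on cn=config
    in a single modify operation. slapd re-initialises its TLS context when
    these change, so setting certificate and key together avoids an
    intermediate state where they do not belong to each other."""
    body = ["dn: cn=config", "changetype: modify"]
    for i, (attr, path) in enumerate(paths.items()):
        if i:
            body.append("-")  # LDIF separator between modifications of one entry
        body.append(f"replace: {attr}")
        body.append(f"{attr}: {path}")
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    for problem in check_tls_files(SAMPLE_PATHS, SAMPLE_FILES.__getitem__):
        print("PROBLEM:", problem)
    print(tls_ldif(SAMPLE_PATHS))
```

Once the checker reports nothing, the rendered record is applied as root with ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif, and the result is exercised from a client with ldapsearch -x -ZZ -H ldap://fl1-lsh99apa007.securesites.com/ -b dc=wh,dc=local -s base (or, with OpenSSL 1.1.1 or later, openssl s_client -connect fl1-lsh99apa007.securesites.com:389 -starttls ldap to see the certificate chain slapd actually presents).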
-----Original Message-----
From: Dan White [mailto:dwhite@olp.net] 
Sent: Friday, June 14, 2013 4:05 PM
To: Rodney Simioni
Cc: openldap-technical@openldap.org
Subject: Re: LDAP and TLS

On 06/14/13 15:56 -0400, Rodney Simioni wrote:
>I did a 'openssl x509 -in wildcard.securesites.com.cert -text -noout'
>
>I got 'CN=*.securesites.com'
>
>My /etc/openldap/cacerts looks like:
>
>TLS_CACERTDIR /etc/openldap/cacerts
>TLS_CACERT /etc/openldap/cacerts/wildcard.securesites.com.cert
>URI ldap://fl1-lsh99apa007.securesites.com/
>BASE dc=wh,dc=local

That looks like an ldap.conf file. Your certificate should be configured within your slapd config and not your client config, unless it is a self signed certificate.

See the manpage for slapd.conf or slapd-config, and the Admin Guide for the appropriate TLS config.

>But when I do a ' ldapsearch -d -1 -x -LLL -ZZ', I get:
>
>ldap_create
>ldap_extended_operation_s
>ldap_extended_operation
>ldap_send_initial_request
>ldap_new_connection 1 1 0
>ldap_int_open_connection
>ldap_connect_to_host: TCP fl1-lsh99apa007.securesites.com:389
>ldap_new_socket: 3
>ldap_prepare_socket: 3
>ldap_connect_to_host: Trying 10.227.2.90:389
>ldap_pvt_connect: fd: 3 tm: -1 async: 0
>ldap_close_socket: 3
>ldap_err2string
>ldap_start_tls: Can't contact LDAP server (-1)

>-----Original Message-----
>From: Dan White [mailto:dwhite@olp.net]
>Sent: Friday, June 14, 2013 3:45 PM
>To: Rodney Simioni
>Cc: openldap-technical@openldap.org
>Subject: Re: LDAP and TLS
>
>On 06/14/13 14:42 -0400, Rodney Simioni wrote:
>>Hi,
>>
>>In order for LDAP to work with TLS, does the certificate name need 
>>to match the server name?
>>
>>My admin gave me a certificate but it's called wildcard.com.cert, the 
>>name of my server is not 'wildcard'.
>
>Analyze the contents of the cert and verify the CN is really '*.example.com':
>
>openssl x509 -in wildcard.com.cert -text -noout
>
>If so, then your LDAP clients probably will accept it as a valid 
>certificate (this typically works for web browsers), but your mileage 
>may vary.
>
>We have worked with a wild card certificate provider before. In 
>addition to offering a *.example.com cert, they may also offer a 
>certain number of tertiary certificates (e.g. ldap.example.com) priced 
>in with the wild card cert.

--
Dan White
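An added example, not OpenLDAP's own matching code, for the question that started the thread: whether a certificate whose CN is *.securesites.com covers a server called fl1-lsh99apa007.securesites.com. It applies the RFC 6125 rule for DNS names (the wildcard must be the entire left-most label and stands for exactly one label, SAN dNSName entries take precedence over the subject CN) to the URI and CN quoted above; the other host names are constructed. libldap implements its own check, and how strictly older client versions apply these rules is the "your mileage may vary" in the reply above. One caveat on the debug trace quoted above: name matching only happens once the TLS handshake starts, and that trace shows the socket being closed right after the TCP connect attempt with no handshake at all, so "Can't contact LDAP server (-1)" is a connectivity result, not a certificate one.

```python
"""Does a wildcard certificate name cover the host in an LDAP URI?

Added example, not OpenLDAP code: applies the RFC 6125 rules for DNS-ID
and CN-ID matching to names taken from the thread plus constructed ones.
"""
from urllib.parse import urlparse


def host_from_ldap_uri(uri):
    """Host part of an ldap:// or ldaps:// URI, which is the reference
    identifier a client verifies the server certificate against."""
    host = urlparse(uri).hostname
    if not host:
        raise ValueError(f"no host in URI {uri!r}")
    return host


def name_matches(presented, hostname):
    """Match one presented identifier (a SAN dNSName or the subject CN)
    against a hostname. Comparison is case-insensitive and ignores a
    trailing dot."""
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in presented:
        return presented == hostname
    p_labels = presented.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole left-most label ("f*.example.com" and
    # "*.*.example.com" are rejected) and at least two labels must follow
    # it, the usual client rule that stops "*.com" matching every .com host.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # "*" stands for exactly one non-empty label: same label count, and
    # every label after the first must agree. This is why *.securesites.com
    # covers fl1-lsh99apa007.securesites.com but not securesites.com itself
    # nor ldap.corp.securesites.com.
    return (len(h_labels) == len(p_labels)
            and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])


def matching_identifier(subject_cn, san_dns_names, hostname):
    """Return the certificate identifier that covers hostname, or None.
    SAN dNSName entries are checked first; the subject CN is consulted only
    when the certificate carries no dNSName at all (RFC 6125 section 6.4.4)."""
    if san_dns_names:
        for name in san_dns_names:
            if name_matches(name, hostname):
                return name
        return None
    if subject_cn and name_matches(subject_cn, hostname):
        return subject_cn
    return None


if __name__ == "__main__":
    # URI from the ldap.conf quoted above and the CN reported by openssl x509.
    host = host_from_ldap_uri("ldap://fl1-lsh99apa007.securesites.com/")
    print(host, "->", matching_identifier("*.securesites.com", [], host))
```

The SAN-first rule matters in practice: a certificate that carries a subjectAltName with other dNSName entries and only has *.securesites.com in its CN will not be accepted for this host by a client that follows RFC 6125, which is one reason to ask the issuer for a certificate naming ldap.example.com-style hosts explicitly, as the reply above suggests.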


This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio Inc. makes no warranty that this email is error or virus free.  Thank you.