
Re: TLS config question



Unfortunately I can't.


The line should be...

TLS_CACERT /path/to/your/cacert


How did you create your cert?  If you used "CA.pl" or "CA.sh" then there
should be a "demoCA" directory in your ssl install directory and the ca
cert should be in there.
--Kervin


> Thanks for your reply ...
>
> I tried your suggestion, and now get:
> $ ldapsearch -H "ldaps://localhost:636" -b "cn=Manager,dc=mydomain,dc=com"
> ldap_sasl_interactive_bind_s: Can't contact LDAP server
> and this in the log:
> Jun 10 22:53:09 hotdog slapd[16865]: slapd starting
> Jun 10 22:53:41 hotdog slapd[16867]: daemon: conn=0 fd=9 connection from IP=127.0.0.1:33573 (IP=127.0.0.1:31746) accepted.
> Jun 10 22:53:41 hotdog slapd[16867]: conn=-1 fd=9 closed
>
> Couldn't locate TLS_CACERT in the ldap.conf man page. Can you point me
> toward some doc?
>
> -Mark
>
> On 06/10/02, I received this from kervin@blueprint-tech.com:
>>
>> Did you specify your cert CA in your ldap.conf on the client?  2.1 is
>> finicky { I love that word :) } about that.
>>
>> eg.
>> TLS_CACERT /ssl/slapdca.crt
>>
>> You don't need to break up the PEM file ( I think ), but you do need
>> to have the CA cert on the client side, so that the client can test
>> the validity of the cert.
>>
>>
>> --Kervin
>>
>> Mark Johnson wrote:
>> >I've installed cyrus-sasl-2.1.2 and openldap-2.0.23, set up a simple
>> >slapd.conf and test database.
>> >
>> >When I run slapd with defaults,
>> >$ ldapsearch -x -H "ldap://localhost:389" -b "cn=Manager,dc=mydomain,dc=com"
>> >produces the expected result.
>> >
>> >Now I add these two lines to slapd.conf:
>> >TLSCertificateFile /usr/local/etc/httpd/ssl.crt/snakeoil-rsa.crt
>> >TLSCertificateKeyFile /usr/local/etc/httpd/ssl.key/snakeoil-rsa.key
>> >and run:
>> ># /usr/local/libexec/slapd -h ldaps://localhost:636
>> >
>> >But:
>> >$ ldapsearch -x -H "ldaps://localhost:636" -b "cn=Manager,dc=mydomain,dc=com"
>> >ldap_bind: Can't contact LDAP server
>> >
>> >The log shows this:
>> >Jun 10 19:16:41 hotdog slapd[16217]: slapd starting
>> >Jun 10 19:17:05 hotdog slapd[16219]: daemon: conn=0 fd=9 connection from IP=127.0.0.1:33538 (IP=127.0.0.1:31746) accepted.
>> >Jun 10 19:17:05 hotdog slapd[16219]: conn=-1 fd=9 closed
>> >What does it mean?
>> >
>> >TIA,
>> >
>
> --
>
> Mark Johnson
> markj@gilanet.com
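
The point of the thread is that the client must be able to build a chain from the server certificate to a CA it trusts; if it cannot, the TLS handshake is torn down before any LDAP operation, the client reports "Can't contact LDAP server", and slapd logs nothing more than the closed connection (conn=-1). The script below is an added example, not code from the thread or from OpenLDAP: it uses openssl to mint a throwaway CA plus a server certificate signed by it, writes the matching slapd.conf and ldap.conf fragments, and shows that the server certificate verifies only against the CA that issued it (an unrelated CA fails the same way a missing TLS_CACERT does). It also checks that TLSCertificateFile and TLSCertificateKeyFile are actually a matching pair, a common cause of a server that accepts the TCP connection and then drops it. All paths, CNs and file names are assumptions made for the demo; with a self-signed server certificate such as the snakeoil one, TLS_CACERT can simply point at the server certificate itself.

```shell
#!/bin/sh
# Added example (not from the original thread or from OpenLDAP): demonstrate
# why the client needs the CA certificate that issued the slapd certificate.
# Every path, name and CN here is an assumption made for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the demo PKI

# new_ca DIR NAME CN: self-signed CA certificate + key (openssl's req -x509
# marks it CA:TRUE so it can sit at the root of a verified chain).
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# make_demo_pki DIR: a CA, a server cert signed by it, and an unrelated CA.
make_demo_pki() {
    mkdir -p "$1"
    new_ca "$1" ca "Demo LDAP CA"
    new_ca "$1" other-ca "Unrelated CA"
    # Server key + CSR. The CN must be the host name the client connects to
    # (ldaps://localhost:636 in the thread), or a verifying client rejects it.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$1/slapd.key" -out "$1/slapd.csr" 2>/dev/null
    # The demo CA signs the server certificate.
    openssl x509 -req -days 3 -in "$1/slapd.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/slapd.crt" 2>/dev/null
}

# write_configs DIR: the two fragments discussed in the thread.
write_configs() {
    # Server side (slapd.conf): the server's own certificate and private key.
    cat > "$1/slapd.conf.tls" <<EOF
TLSCertificateFile $1/slapd.crt
TLSCertificateKeyFile $1/slapd.key
EOF
    # Client side (ldap.conf): the CA that issued the server certificate.
    # A client that verifies the peer (the default from OpenLDAP 2.1 on)
    # fails the handshake without this; do not "fix" it with TLS_REQCERT never.
    cat > "$1/ldap.conf.tls" <<EOF
TLS_CACERT $1/ca.crt
EOF
}

# verify_against CAFILE CERT: "ok" if CERT chains to CAFILE, else "FAIL".
# This is the same check the LDAP client performs when TLS_CACERT is set.
verify_against() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo FAIL
    fi
}

# key_matches_cert CERT KEY: succeed only if the RSA key belongs to the cert
# (compares the public modulus in each file).
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

make_demo_pki "$WORK"
write_configs "$WORK"
echo "server cert vs issuing CA:   $(verify_against "$WORK/ca.crt" "$WORK/slapd.crt")"
echo "server cert vs unrelated CA: $(verify_against "$WORK/other-ca.crt" "$WORK/slapd.crt")"
if key_matches_cert "$WORK/slapd.crt" "$WORK/slapd.key"; then
    echo "TLSCertificateFile and TLSCertificateKeyFile match"
else
    echo "certificate and key do NOT match"
fi
echo "configs written to $WORK/slapd.conf.tls and $WORK/ldap.conf.tls"
# Against a live slapd the equivalent end-to-end check is:
#   openssl s_client -connect localhost:636 -CAfile "$WORK/ca.crt"
# and the line to look for is "Verify return code: 0 (ok)".
```

Running `openssl s_client` against the listener separates a TLS problem from an LDAP one: if the handshake fails or the verify return code is non-zero, no amount of slapd.conf editing on the bind side will help, and the answer is the CA certificate on the client, not disabling verification.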