Re: Client - Server Authentication Using Certificates
On Mon, 10 May 2004, Laurence wrote:
> Thanks for your reply, that was exactly what I needed!
> I have spent today trying to implement this and have come across two
> small problems and hence questions.
> Please note that I have substituted my actual hostname for host.invalid.
> The first problem is with my certificate. Due to the computing policy we
> have here, the CN in the subject of the certificate is
> CN=host/host.invalid and hence when I try to do the ldapsearch I obtain
> the following error message.
> TLS: hostname (host.invalid) does not match common name in certificate
> The first question would be, is it possible to "tune" this with the ldap
> configuration or does it make an assumption that the name on the
> certificate has to be the same as the hostname?
This is not configurable to my knowledge.
> To get past this problem I created my own CA and created a certificate
> with CN=host.invalid.
> This seemed to get me a little further but it failed with the following
> ldap_interactive_sasl_bind_s: server supports: PLAIN LOGIN
> ldap_int_sasl_bind: PLAIN LOGIN
> ldap_sasl_interactive_bind_s: Unknown authentication method
> So I guess that there is still something wrong with the configuration
> but even after reading chapter 10 and 11 of the admin's guide I can't
> work out what needs to be done. What I am trying to do is give the ldap
> database global read access but only letting the client with a certain
> certificate write data.
> So my second question is what do I need to add to the configuration to
> enable this to be done. I have appended the relevant lines from the
> configuration files to the end of this mail.
> Thanks for your help.
> TLS_CACERT /etc/grid-security/certificates/fa3af1d7.0
> TLS_CERT /etc/grid-security/hostcert.pem
> TLS_KEY /etc/grid-security/hostkey.pem
> TLSCACertificateFile /etc/grid-security/certificates/fa3af1d7.0
> TLSCertificateFile /etc/grid-security/hostcert.pem
> TLSCertificateKeyFile /etc/grid-security/hostkey.pem
> TLSVerifyClient demand
This will not work unless the hostcert.pem subject is a valid DN. You
probably need to generate a separate client cert (for ldap.conf).
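Added example, not part of this thread and not OpenLDAP's own code: a small Python model of the two checks a TLS-authenticated LDAP setup like the one above relies on. `hostname_matches()` reproduces the server-name check a TLS client applies to the server certificate (subjectAltName dNSName entries first, otherwise the subject CN), which is why a CN of `host/host.invalid` is rejected for host `host.invalid`. `subject_to_authzid()` renders a client certificate's subject in RFC 4514 string form, the shape in which slapd exposes a TLS client identity to SASL EXTERNAL, so the operator can see the exact DN to grant write access to in an ACL. The subjects, hostnames and the `ldap-client` name are constructed sample values; `write_acl_for()` is a hypothetical helper that only formats a slapd.conf `access` directive.

```python
from typing import List, Sequence, Tuple

# A subject is the list of (attribute type, value) RDNs in the order the CA
# encoded them, e.g. [("C", "UK"), ("O", "eScience"), ("CN", "host.invalid")].
Subject = Sequence[Tuple[str, str]]


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname, case-insensitively.

    A single leading '*.' wildcard is allowed and covers exactly one label,
    the rule common TLS clients follow.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels = pattern.split(".")[1:]
        h_labels = hostname.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == hostname


def hostname_matches(hostname: str, subject: Subject,
                     san_dns: Sequence[str] = ()) -> bool:
    """Server-name check: prefer subjectAltName dNSName entries; fall back to
    the subject CN only when the certificate carries no dNSName at all."""
    if san_dns:
        return any(_dns_name_match(p, hostname) for p in san_dns)
    cns = [value for attr, value in subject if attr.upper() == "CN"]
    return any(_dns_name_match(cn, hostname) for cn in cns)


# Characters RFC 4514 requires to be backslash-escaped anywhere in a value.
_SPECIAL = set('"+,;<>\\')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value per RFC 4514 section 2.4."""
    out: List[str] = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")          # leading/trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")          # leading '#' would read as hex form
        else:
            out.append(ch)
    return "".join(out)


def subject_to_authzid(subject: Subject) -> str:
    """Render an X.509 subject as the 'dn:' authorization identity string.

    RFC 4514 lists RDNs most-specific first, i.e. the reverse of the order
    in which the certificate encodes them; attribute types are lowercased
    because DN comparison treats them case-insensitively anyway.
    """
    rdns = [f"{attr.lower()}={escape_rdn_value(value)}"
            for attr, value in reversed(subject)]
    return "dn:" + ",".join(rdns)


def write_acl_for(authzid: str) -> str:
    """Hypothetical helper: format a slapd.conf ACL giving the identity
    behind 'authzid' write access while everyone else keeps read access."""
    if not authzid.startswith("dn:"):
        raise ValueError("expected a 'dn:' authorization identity")
    dn = authzid[len("dn:"):]
    return f'access to *\n\tby dn.exact="{dn}" write\n\tby * read'


if __name__ == "__main__":
    # Constructed sample data mirroring the thread's situation.
    policy_cert = [("C", "UK"), ("O", "eScience"), ("CN", "host/host.invalid")]
    own_ca_cert = [("C", "UK"), ("O", "eScience"), ("CN", "host.invalid")]
    client_cert = [("C", "UK"), ("O", "eScience"), ("CN", "ldap-client")]

    print("policy cert matches host.invalid:", hostname_matches("host.invalid", policy_cert))
    print("own-CA cert matches host.invalid:", hostname_matches("host.invalid", own_ca_cert))
    authzid = subject_to_authzid(client_cert)
    print("client identity seen by slapd:", authzid)
    print(write_acl_for(authzid))
```

The first print is `False` and the second `True`, reflecting the two certificates in the thread; the last lines show the DN string that a separate client certificate would present over SASL EXTERNAL, which is the value to use in the ACL's `by dn.exact` clause.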