[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldaps and Active Directory

To: "Marco D'Ettorre" <marco.dettorre@sys-net.it>
Subject: Re: ldaps and Active Directory
From: Howard Chu <hyc@symas.com>
Date: Mon, 12 Dec 2005 01:26:29 -0800
Cc: Grant Sturgis <gesturgis@hotmail.com>, OpenLDAP-software@OpenLDAP.org
In-reply-to: <439D34FE.1080008@sys-net.it>
References: <BAY106-F31B3550EE7DC3EF8F5DA21B0420@phx.gbl> <439D34FE.1080008@sys-net.it>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051209 SeaMonkey/1.5a

Marco D'Ettorre wrote:

Add TLS_REQCERT try (or "allow" or "never") in your ldap.conf. The default is "demand" (or "hard"), then you are trying to verify server certificate. See ldap.conf (5)

NO. That simply allows the certificate errors to be ignored. They've gone to the trouble of exporting the CA cert, the correct thing to do here is to tell them how to use the CA cert properly.

Please re-read the Admin Guide http://www.openldap.org/doc/admin23/tls.html sections 12.2.1.1, 12.2.1.2, 12.2.2.1, and 12.2.2.2. Note that you are not supposed to use both the TLS_CACERTDIR and TLS_CACERT options, just use one or the other.

Run ldapsearch with "-d7" and see what the actual TLS error messages are. Also run slapd with "-d7" and see the TLS messages on the server side. Don't go changing options at random, find out what the real problem is.

Grant Sturgis wrote:
Greetings List,
I am attempting to get ldap authentication to Active Directory working from our RHEL 4 systems. I have read the several articles and howto documents out there and am very close to getting everything working.

pam_ldap and nss_ldap is working well with unencrypted ldap, as is ldapsearch queries. The next step is getting ldaps to work, and I am hoping for some suggestions from the list to get me over the hump.
RHEL ES 4 fully patched (up2date)
W2K SP4
This works fine:
ldapsearch -x -H ldap://server.domain.com/ -D cn=ldap,ou=Users-OU,dc=domain,dc=com -W ""
but changing ldap to ldaps results in this error:
ldap_bind: Can't contact LDAP server (-1) additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I have installed Certificate Services on the W2K domain controller and exported the CA Cert and copied the file to the linux box:/etc/openldap/cacerts. In /etc/openldap/ldap.conf I have tried:
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts/cacert.pem
Any suggestions would be greatly appreciated.
Grant
------------------

--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/

References:
- ldaps and Active Directory
  - From: "Grant Sturgis" <gesturgis@hotmail.com>
- Re: ldaps and Active Directory
  - From: "Marco D'Ettorre" <marco.dettorre@sys-net.it>

Prev by Date: Re: Slow adding attributes to a entry with many attributes
Next by Date: Re: Pb to import a ldif file
Index(es):
- Chronological
- Thread