
RE: Enabling TLS problem on openldap2-2.3.39



The 2.3 Admin Guide indicates in Section 12.2.1.2 that the
TLSCACertificateFile directive can be used instead of the hash links.

If I switch to using hash links, is it OK to just cat the crt and key
file together to create a pem file?

----
Not all who wander are lost.

                          |     ----  ___o  |  chuck.keagle@boeing.com
Chuck Keagle              |  -------  \ <,  |  Work:  (425) 865-1488
Enterprise Servers:  HPC  |  ----- ( )/ ( ) |  Cell:  (425) 417-3434
 

> -----Original Message-----
> From: Keagle, Chuck 
> Sent: Monday, November 19, 2007 10:37 AM
> To: Quanah Gibson-Mount; openldap-software@openldap.org
> Subject: RE: Enabling TLS problem on openldap2-2.3.39
> 
> By default, the SLES 9.3 slapd.conf defines the CA Cert like this:
> 
>     TLSCACertificatePath /etc/ssl/certs
> 
> That directory has lots of pem files in it with x509 symbolic links:
> 
> ls -C /etc/ssl/certs
> Password:
> 052eae11.0  6f5d9899.0   d4e39186.0         ICE-root.pem    timCA.pem
> 18d46017.0  73912336.0   ddc328ff.0         ICE-user.pem    tjhCA.pem
> 1e49180d.0  7651b327.0   dsa-ca.pem         ICP-Brasil.pem  vsign1.pem
> 1ef89214.0  8c401b31.0   dsa-pca.pem        nortelCA.pem    vsign2.pem
> 1f6c59cd.0  8caad35e.0   Equifax-root1.pem  pca-cert.pem    vsign3.pem
> 24867d38.0  91b8190d.0   expired            RegTP-4R.pem    vsignss.pem
> 2edf7016.0  a99c5886.0   f3e90025.0         RegTP-5R.pem    vsigntca.pem
> 3ecf89a3.0  adbec561.0   f73e89fd.0         RegTP-6R.pem    YaST-CA.pem
> 594f1775.0  b5f329fa.0   factory.pem        rsa-cca.pem
> 69ea794f.0  c33a80d4.0   ICE-CA.pem         thawteCb.pem
> 6bee6be3.0  ca-cert.pem  ICE.crl            thawteCp.pem
> 
> I think CA certs is set up correctly.  Am I wrong about that?
> 
>     Do I have to move /etc/openldap/server.{crt,key} to /etc/ssl/certs?
> 
>     Do I have to turn /etc/openldap/server.{crt,key} into a .pem file?
> 
>     Do I have to create x509 symbolic links from /etc/openldap/server.{crt,key}
>     to /etc/ssl/certs?
> 
> Thanks for your help.
> 
> ----
> Not all who wander are lost.
> 
>                           |     ----  ___o  |  chuck.keagle@boeing.com
> Chuck Keagle              |  -------  \ <,  |  Work:  (425) 865-1488
> Enterprise Servers:  HPC  |  ----- ( )/ ( ) |  Cell:  (425) 417-3434
>  
> 
> > -----Original Message-----
> > From: Quanah Gibson-Mount [mailto:quanah@zimbra.com]
> > Sent: Friday, November 16, 2007 6:28 PM
> > To: Keagle, Chuck; openldap-software@openldap.org
> > Subject: Re: Enabling TLS problem on openldap2-2.3.39
> > 
> > --On Friday, November 16, 2007 5:01 PM -0800 "Keagle, Chuck" 
> > <chuck.keagle@boeing.com> wrote:
> > 
> > > I'm configuring slapd to use TLS.  First I just want to make it work,
> > > then I'll go into requiring encryption.
> > >
> > > The system is SLES 9.3
> > > The openldap2 is 2.3.39
> > > Other certificates are in /etc/ssl/certs as specified by default in
> > > slapd.conf for openldap2 2.3.39.
> > >
> > > The database is currently empty, just getting started.
> > >
> > > Generated a self-signed x509 certificate
> > > 	cd /etc/openldap
> > > 	openssl genrsa 1024 >server.key
> > > 	chmod 0440 server.key
> > > 	chown root:ldap server.key
> > > 	openssl req -new -key server.key -x509 -days 100 -out server.crt
> > > 		Entered all the important stuff
> > > 	chmod 0444 server.crt
> > >
> > > Checked certificate and it looked acceptable
> > > 	openssl x509 -text -in server.crt
> > >
> > > Changed following lines in slapd.conf:
> > > 	TLSCertificateFile /etc/openldap/server.crt
> > > 	TLSCertificateKeyFile /etc/openldap/server.key
> > 
> > 
> > You failed to set the CA Cert directive in slapd.conf, so it has no 
> > way of presenting its CA cert.
> > 
> > --Quanah
> > 
> > --
> > 
> > Quanah Gibson-Mount
> > Principal Software Engineer
> > Zimbra, Inc
> > --------------------
> > Zimbra ::  the leader in open source messaging and collaboration
> > 
> 
>
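The thread asks three things: how slapd finds the CA certificate behind TLSCACertificatePath, whether TLSCACertificateFile can replace the hash links, and whether cat'ing server.crt and server.key together into one .pem is acceptable. The script below is an added example written for this page; it is not code from the thread, from Chuck, from Quanah or from the OpenLDAP project. It works in a scratch directory created with mktemp rather than /etc/openldap and /etc/ssl/certs, the host name ldap.example.com and the "ldap" group are placeholders, and it assumes only the openssl command-line tool. It generates a self-signed key pair with the key readable only by the service account, rebuilds the <subject-hash>.N symlinks that TLSCACertificatePath expects (what c_rehash does), verifies the certificate both through a hashed directory and through a single CA file, and shows that a combined cert+key PEM parses for both uses. Because a self-signed server certificate is its own CA, the CA file slapd presents is server.crt itself.

```shell
#!/bin/sh
# Added example (not from the thread): a self-signed slapd TLS setup, the
# hash-link CA directory that TLSCACertificatePath expects, and the combined
# PEM asked about above. All paths are placeholders under a scratch directory.
set -e

# 1. Private key and self-signed certificate. 2048-bit RSA rather than the
#    1024 used in the thread; -subj replaces the interactive prompt and the CN
#    must be the host name clients connect to. The key stays readable only by
#    its owner and group (the thread used root:ldap for this).
make_selfsigned() {
    dir="$1"; cn="$2"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/server.key" \
        -subj "/CN=$cn" -out "$dir/server.crt" 2>/dev/null
    chmod 0440 "$dir/server.key"
    chmod 0444 "$dir/server.crt"
}

# 2. TLSCACertificatePath lookups use <subject hash>.<n> symlinks, which is what
#    c_rehash generates. OpenSSL 1.0.0 changed the subject-hash algorithm, so a
#    directory hashed under 0.9.x must be rebuilt after a library upgrade.
#    Prints the number of links created.
rehash_ca_dir() {
    cadir="$1"; n=0
    for pem in "$cadir"/*.pem; do
        [ -f "$pem" ] || continue
        h=$(openssl x509 -noout -hash -in "$pem")
        i=0
        while [ -e "$cadir/$h.$i" ]; do i=$((i+1)); done
        ln -s "$(basename "$pem")" "$cadir/$h.$i"
        n=$((n+1))
    done
    echo "$n"
}

# 3. A self-signed server certificate is its own CA: whatever trust store the
#    clients (or slapd's TLSCACertificate* directive) use must contain server.crt.
verify_with_capath() { openssl verify -CApath "$1" "$2" >/dev/null 2>&1; }
verify_with_cafile() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# 4. Concatenating cert and key into one PEM works: OpenSSL's loaders pick the
#    CERTIFICATE or PRIVATE KEY block they need. The result is as secret as the
#    key, so it must never be copied or hash-linked into the CA directory.
make_combined() {
    cat "$1/server.crt" "$1/server.key" > "$1/server.pem"
    chmod 0440 "$1/server.pem"
}
combined_readable() {
    openssl x509 -noout -subject -in "$1" >/dev/null 2>&1 &&
    openssl rsa -noout -in "$1" >/dev/null 2>&1
}

# slapd.conf fragment: name the CA file directly (simplest for a self-signed
# cert) or point TLSCACertificatePath at a directory built by rehash_ca_dir.
slapd_tls_conf() {
    cat <<EOF
TLSCertificateFile    $1/server.crt
TLSCertificateKeyFile $1/server.key
TLSCACertificateFile  $1/server.crt
# alternative: TLSCACertificatePath $1/cacerts
EOF
}

demo() {
    work=$(mktemp -d)
    make_selfsigned "$work" ldap.example.com
    mkdir -p "$work/cacerts"
    cp "$work/server.crt" "$work/cacerts/ldap-ca.pem"
    echo "hash links created: $(rehash_ca_dir "$work/cacerts")"
    ls -l "$work/cacerts"
    verify_with_capath "$work/cacerts" "$work/server.crt" && echo "CApath verify: OK"
    make_combined "$work"
    combined_readable "$work/server.pem" && echo "combined PEM: cert and key both readable"
    slapd_tls_conf "$work"
}

if [ "${RUN_DEMO:-}" = 1 ]; then demo; fi
```

Run with RUN_DEMO=1 to see the hashed directory listing (one <hash>.0 link next to ldap-ca.pem, the same shape as the /etc/ssl/certs listing quoted above) and the resulting slapd.conf lines. The combined server.pem is kept with the key's permissions on purpose; the convenience of one file is only safe if the file is treated as the private key it contains.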