Re: Sync Replication via TLS/SSL - get bind err


On Thu, 20 Dec 2007 16:34:03 -0800
Quanah Gibson-Mount <quanah@zimbra.com> wrote:

> Just to note, we use self-signed certs @ Zimbra with OpenLDAP, we
> force TLS, and it works without a problem.  Which is why I know
> you're incorrect. ;)  And I'd hardly look to the gentoo folks as a
> source of documentation expertise when it comes to OpenLDAP.

OK, then something must be different between our setups...

What I'm doing is that I've generated an X509 self-signed CA certificate
and I'm signing all server and client certificates with that CA cert.
This CA cert is distributed to all clients' /etc/ssl/certs directory,
and this way the software packages using openssl usually recognize it,
and clients are able to validate the server certs and vice versa.

Now this doesn't work with OpenLDAP. It also doesn't work when I set up
the CA cert file explicitly instead of just copying it to /etc/ssl/certs
like this:

TLSCACertificateFile /etc/ssl/certs/CA.pem
TLSCertificateFile /etc/openldap/ssl/ldap-server.crt
TLSCertificateKeyFile /etc/openldap/ssl/ldap-server.key

And at the clients:

tls_cacertfile /etc/ssl/certs/CA.pem
#tls_cacertdir /etc/ssl/certs
tls_cert /etc/openldap/ssl/ldap-client.crt
tls_key /etc/openldap/ssl/ldap-client.key

Is this wrong?

I'm not saying I'm an SSL expert, I'm certainly not, nor do I think that the
Gentoo people are much of experts in terms of OpenLDAP or SSL. I can
only tell what my experience shows, and the Gentoo people probably also
base their HOWTOs and stuff on their real-world experiences, which is
probably the reason why their advice is sometimes rather "unscientific".
IMHO people are trying to solve problems in an "unscientific" way when the
"scientific" way does not work, is too complicated, is poorly documented,
or can hardly be diagnosed because of a lack of logging/debugging output.
In such cases I don't think that the problem is only on the user side...
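The CA setup the mail describes, worked through as an added example (this is not code from the original thread, from Zimbra or from the OpenLDAP project): a private CA, a server certificate and a client certificate signed by it, and then the checks a TLS peer performs, done with the openssl command line so they can be run before touching slapd.conf or ldap.conf at all. The hostname ldap.example.org, the file names under $WORK and the "other CA" used to provoke a chain failure are all assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original mail or from OpenLDAP: build a private
# CA with openssl, issue a server and a client cert signed by it, and verify
# both the way a TLS peer does. ldap.example.org and all paths are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME CN: self-signed CA with an explicit CA:TRUE constraint, so
# every OpenSSL version accepts it as an issuer. Produces $WORK/NAME.pem/.key.
make_ca() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 3650 \
        -extfile "$WORK/ca.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert NAME CN EXTFILE: new key + CSR for CN, signed by $WORK/CA.pem.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/CA.pem" -CAkey "$WORK/CA.key" \
        -CAcreateserial -days 365 -extfile "$3" -out "$WORK/$1.crt" 2>/dev/null
}

setup_demo_pki() {
    make_ca CA "Example Private CA"
    make_ca otherCA "Some Unrelated CA"      # only used to show a chain failure

    # Server cert: the SAN must carry the name clients actually connect to.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ldap.example.org\n' \
        > "$WORK/server.ext"
    issue_cert ldap-server ldap.example.org "$WORK/server.ext"

    # Client cert for mutual TLS (what tls_cert / tls_key would point at).
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
    issue_cert ldap-client ldap-client.example.org "$WORK/client.ext"
}

# verify_cert CAFILE CERT [HOSTNAME]: succeeds only if CERT chains to CAFILE
# and, when HOSTNAME is given, the cert is valid for that name.
verify_cert() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# verify_via_dir CADIR CERT: the same check through a CApath directory, which
# is how tls_cacertdir / TLSCACertificatePath locate issuers. OpenSSL looks
# the issuer up by <subject-hash>.N, so a CA.pem merely copied into the
# directory is not found until a hash link exists (what c_rehash creates).
verify_via_dir() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# hash_link CADIR CAFILE: create the <hash>.0 link c_rehash would create.
hash_link() {
    ln -sf "$2" "$1/$(openssl x509 -hash -noout -in "$2").0"
}

report() { if "$@"; then echo "OK   $*"; else echo "FAIL $*"; fi; }

setup_demo_pki
report verify_cert "$WORK/CA.pem" "$WORK/ldap-server.crt" ldap.example.org
report verify_cert "$WORK/CA.pem" "$WORK/ldap-client.crt"
report verify_cert "$WORK/otherCA.pem" "$WORK/ldap-server.crt"             # FAIL: wrong issuer
report verify_cert "$WORK/CA.pem" "$WORK/ldap-server.crt" wrong.example.org  # FAIL: name mismatch
mkdir -p "$WORK/certs" && cp "$WORK/CA.pem" "$WORK/certs/"
report verify_via_dir "$WORK/certs" "$WORK/ldap-server.crt"                # FAIL: no hash link yet
hash_link "$WORK/certs" "$WORK/certs/CA.pem"
report verify_via_dir "$WORK/certs" "$WORK/ldap-server.crt"                # OK
```

The last two checks are the practical point for a tls_cacertdir / TLSCACertificatePath style setup: with OpenSSL as the TLS library, a directory of CA certificates is only searched by subject-hash file name, so dropping CA.pem into /etc/ssl/certs is not enough on its own until the hash links are present (c_rehash, or the ln shown above), whereas a TLSCACertificateFile / tls_cacertfile pointing at the PEM file itself is read directly.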