[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Client says Can't contact LDAP server, but it can!

To: openldap-technical@openldap.org
Subject: Re: Client says Can't contact LDAP server, but it can!
From: Buchan Milne <bgmilne@staff.telkomsa.net>
Date: Fri, 25 Jul 2008 10:26:13 +0200
Cc: John Oliver <joliver@john-oliver.net>
Content-disposition: inline
In-reply-to: <20080724232939.GA12922@ns.sdsitehosting.net>
References: <20080721153002.GA12884@ns.sdsitehosting.net> <6649A8FB7C303A074FBFB4C8@[192.168.1.199]> <20080724232939.GA12922@ns.sdsitehosting.net>
User-agent: KMail/1.10.0 (Linux/2.6.26-desktop-1mnb; KDE/4.0.98; x86_64; ; )

On Friday 25 July 2008 01:29:39 John Oliver wrote:
> On Thu, Jul 24, 2008 at 04:20:02PM -0700, Quanah Gibson-Mount wrote:
> > --On Thursday, July 24, 2008 4:13 PM -0700 John Oliver
> >
> > <joliver@john-oliver.net> wrote:
> > >On Thu, Jul 24, 2008 at 04:04:10PM -0700, Quanah Gibson-Mount wrote:
> > >>Any client will need to know about the CA that signed your self-signed
> > >>cert.
> > >
> > >I created my certificate with:
> > >
> > >openssl req -new -x509 -nodes -out /etc/ssl/ldap.pem -keyout
> > >/etc/openldap/ssl/ldap.pem -days 3650
> > >
> > >In slapd.conf I have:
> > >
> > >TLSCertificateFile /etc/ssl/ldap.pem
> > >TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
> > >TLSCACertificateFile /etc/ssl/ldap.pem
> > >
> > >What do I need to do differently?
> >
> > Create your own CA first?  Then sign your own certs with it.
> >
> > <http://www.tc.umn.edu/~brams006/selfsign.html>
>
> I don't understand why I must handle certs one way on one server, and
> another way on the other.  The self-signed cert works just fine on the
> other, and I foresee problems if one is self-signed and the other
> isn't...

No more than having them both self-singed.

> one day, there's going to be some bizzare SSL issue that'll
> have me tearing my hair out for a week, until someone finally discovers
> what's going on and says "You fscking dummy, why the hell are you doing
> this?"

No more likely than someone asking the same questions about actually using 
self-signed certs at all.

> And I'm not particularly keen to break the working server so it can be
> in the same state of borkenness as the one I'm fighting now.
>
> It would be absolutely fantastic if someone could tell me why one
> self-signed cert works and the other doesn't.

It would be more fantastic if you could actually provide more details of your 
environment, up to now we've not known that you have more than one server, and 
we don't know how your clients are set up.

For example, if you have multiple servers and multiple clients, you really are 
defeating the point of SSL and increasing your administrative burden by not 
creating a CA cert.

Now, if you need to re-create a cert, you will have to update the "CA cert" on 
all clients. If you add another server, you will have to append the new 
server's cert to the "CA cert".

However, IMHO, this is starting to get off-topic even for this list, almost 
none of this is specific to OpenLDAP, it would be equally applicable to 
Apache/Firefox3 or IIS/IE7 (with their new draconian cert validation 
"features").

Regards,
Buchan

References:
- Client says Can't contact LDAP server, but it can!
  - From: John Oliver <joliver@john-oliver.net>
- Re: Client says Can't contact LDAP server, but it can!
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- Re: Client says Can't contact LDAP server, but it can!
  - From: John Oliver <joliver@john-oliver.net>

Prev by Date: Re: Setting up syncrepl, replicated LDAP doesn't work
Next by Date: Re: openLDAP, DCHP and DNS
Index(es):
- Chronological
- Thread