Re: Client says Can't contact LDAP server, but it can!
On Friday 25 July 2008 01:29:39 John Oliver wrote:
> On Thu, Jul 24, 2008 at 04:20:02PM -0700, Quanah Gibson-Mount wrote:
> > --On Thursday, July 24, 2008 4:13 PM -0700 John Oliver
> > <email@example.com> wrote:
> > >On Thu, Jul 24, 2008 at 04:04:10PM -0700, Quanah Gibson-Mount wrote:
> > >>Any client will need to know about the CA that signed your self-signed
> > >>cert.
> > >
> > >I created my certificate with:
> > >
> > >openssl req -new -x509 -nodes -out /etc/ssl/ldap.pem -keyout
> > >/etc/openldap/ssl/ldap.pem -days 3650
> > >
> > >In slapd.conf I have:
> > >
> > >TLSCertificateFile /etc/ssl/ldap.pem
> > >TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
> > >TLSCACertificateFile /etc/ssl/ldap.pem
> > >
> > >What do I need to do differently?
> > Create your own CA first? Then sign your own certs with it.
> > <http://www.tc.umn.edu/~brams006/selfsign.html>
> I don't understand why I must handle certs one way on one server, and
> another way on the other. The self-signed cert works just fine on the
> other, and I foresee problems if one is self-signed and the other
No more than having them both self-signed.
> one day, there's going to be some bizarre SSL issue that'll
> have me tearing my hair out for a week, until someone finally discovers
> what's going on and says "You fscking dummy, why the hell are you doing
No more likely than someone asking the same questions about actually using
self-signed certs at all.
> And I'm not particularly keen to break the working server so it can be
> in the same state of borkenness as the one I'm fighting now.
> It would be absolutely fantastic if someone could tell me why one
> self-signed cert works and the other doesn't.
It would be more fantastic if you could actually provide more details of your
environment. Up to now we've not known that you have more than one server, and
we don't know how your clients are set up.
For example, if you have multiple servers and multiple clients, you really are
defeating the point of SSL and increasing your administrative burden by not
creating a CA cert.
Now, if you need to re-create a cert, you will have to update the "CA cert" on
all clients. If you add another server, you will have to append the new
server's cert to the "CA cert".
However, IMHO, this is starting to get off-topic even for this list, almost
none of this is specific to OpenLDAP, it would be equally applicable to
Apache/Firefox3 or IIS/IE7 (with their new draconian cert validation
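The setup the reply recommends, as an added worked example (this is not code from the thread or from the OpenLDAP project): a private CA signs one cert per server, every client trusts only the CA, and the OP's single self-signed cert is generated alongside for comparison. The hostnames (ldap1/2/3.example.com), the CA name demo-ca and the scratch directory are assumptions for the demo; it only needs the openssl CLI and runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a private CA, signs server
# certs with it, and contrasts that with the OP's single self-signed cert.
# All names below (demo-ca, ldapN.example.com, the $WORK directory) are
# made up for the demo; substitute your real hostnames and paths.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_KEY="$WORK/ca.key"
CA_CERT="$WORK/ca.pem"

# Step 1: the CA itself. This is the one self-signed cert in the setup, and it
# is the only thing the clients ever need to trust.
make_ca() {
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
    -subj "/CN=demo-ca" -keyout "$CA_KEY" -out "$CA_CERT" >/dev/null 2>&1
}

# Step 2: a server cert signed by the CA. The CN is the hostname the clients
# put in their URI; a mismatch is a verification failure on the client side.
make_server_cert() {  # $1 = hostname
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$WORK/$1.csr" \
    -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
    -out "$WORK/$1.pem" >/dev/null 2>&1
}

# The OP's approach for comparison: one self-signed cert per server, used as
# its own "CA cert" (the same openssl req command as in the thread, plus -subj
# so it runs non-interactively).
make_self_signed() {  # $1 = hostname
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# What a client effectively does during the TLS handshake: chain the server's
# cert to something in its trust file. Prints "ok" or "fail".
verify_against() {  # $1 = server cert, $2 = trust file (what TLS_CACERT points at)
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# The config that results: slapd gets its own cert and key plus the CA, every
# client gets only the CA, so adding or re-issuing a server cert changes
# nothing on the clients.
print_configs() {  # $1 = hostname
  cat <<EOF
# slapd.conf on $1
TLSCertificateFile    $WORK/$1.pem
TLSCertificateKeyFile $WORK/$1.key
TLSCACertificateFile  $CA_CERT

# ldap.conf on every client
TLS_CACERT $CA_CERT
EOF
}

demo() {
  make_ca
  make_server_cert ldap1.example.com
  make_server_cert ldap2.example.com   # second server: no client-side change needed
  make_self_signed ldap3.example.com   # the OP's style, for comparison
  echo "ldap1 (CA-signed) vs CA:          $(verify_against "$WORK/ldap1.example.com.pem" "$CA_CERT")"
  echo "ldap2 (CA-signed) vs CA:          $(verify_against "$WORK/ldap2.example.com.pem" "$CA_CERT")"
  echo "ldap3 (self-signed) vs CA:        $(verify_against "$WORK/ldap3.example.com.pem" "$CA_CERT")"
  echo "ldap3 (self-signed) vs own cert:  $(verify_against "$WORK/ldap3.example.com.pem" "$WORK/ldap3.example.com.pem")"
  print_configs ldap1.example.com
}

demo
```

The third line of the demo output is the OP's situation seen from the client: a self-signed server cert that the client's trust file does not contain fails verification, and the client reports it as a failure to contact the server. With the CA in place, the second server verifies against the same trust file the clients already have, which is the administrative point the reply is making.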