
Re: Client says Can't contact LDAP server, but it can!

Hi There,

I use self signed certificates with OpenLDAP, and everything works fine.
Check below which commands I used to create this certificate

===> Self signed certificate generation (I am using RHAS 4 Up6)
cd /usr/share/ssl 
rm -fr demoCA 
/usr/share/ssl/misc/CA -newca
openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
/usr/share/ssl/misc/CA -sign

===> putting certificate files to correct place
cp demoCA/cacert.pem /etc/openldap/cacerts/cacert.pem 
cp newcert.pem /etc/openldap/cacerts/servercrt.pem 
cp newreq.pem /etc/openldap/cacerts/serverkey.pem 
chmod 0400 /etc/openldap/cacerts/serverkey.pem 
chown -R ldap:ldap /etc/openldap/cacerts
/etc/init.d/ldap restart

===> putting public certificate files in ldap client machines
scp /etc/openldap/cacerts/cacert.pem

And set in ldap config files (in ldap client machine) the correct path

When generating the certificate file, be sure to specify the output of the
"hostname -f" command in the hostname field. You can try using localhost too

I hope it helps you
Gustavo Mendes de Carvalho
email: gmcarvalho@gmail.com

Date: Mon, 28 Jul 2008 09:20:23 +0200
From: Buchan Milne <bgmilne@staff.telkomsa.net>
Subject: Re: Client says Can't contact LDAP server, but it can!
To: openldap-technical@openldap.org
Cc: John Oliver <joliver@john-oliver.net>
Message-ID: <200807280920.33142.bgmilne@staff.telkomsa.net>
Content-Type: text/plain;  charset="iso-8859-1"

On Friday 25 July 2008 17:16:12 John Oliver wrote:
> On Fri, Jul 25, 2008 at 10:20:55AM +0200, Buchan Milne wrote:
> > On Friday 25 July 2008 01:13:37 John Oliver wrote:
> > > On Thu, Jul 24, 2008 at 04:04:10PM -0700, Quanah Gibson-Mount wrote:
> > > > Any client will need to know about the CA that signed your 
> > > > self-signed cert.
> > >
> > > I created my certificate with:
> > >
> > > openssl req -new -x509 -nodes -out /etc/ssl/ldap.pem -keyout 
> > > /etc/openldap/ssl/ldap.pem -days 3650
> > >
> > > In slapd.conf I have:
> > >
> > > TLSCertificateFile /etc/ssl/ldap.pem
> > > TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
> > > TLSCACertificateFile /etc/ssl/ldap.pem
> > >
> > > What do I need to do differently?
> >
> > Configure the *client* ???
> The clients work perfectly with the working server.  Why would they 
> have to have a different configuration to talk to the backup LDAP server?

They don't necessarily need a different configuration, but it being valid
for one server doesn't guarantee it will be valid for another server,
especially when it comes to ssl, certificate validation etc.

>  At the moment, I'm far more interested in getting the second LDAP 
> server working than I am in having perfect security.

Then it's easy, turn off SSL.

If you don't want to do that, turn off certificate validation. It's better
than exposing keys.

Or, ensure that the "CA certificate" that the clients use contains the
certificates of the issuer of both of the server certificates, and that the
value of the subject CN on both certificates matches the name you use to
connect to the servers.
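
The last option in the reply above (a client CA file holding the issuer of both server certificates, and a subject CN matching the connect name) can be checked offline before any client is reconfigured. The script below is an added example, not part of the thread; the helper names check_ldap_cert and make_demo, the *.example.test host names and the throwaway certificates it generates are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). check_ldap_cert and make_demo are
# hypothetical helper names; *.example.test hosts and certs are constructed.

# check_ldap_cert CAFILE CERT NAME
# Returns 0 if CERT chains to an issuer in CAFILE and its subject CN is NAME,
# 1 on an untrusted issuer, 2 on a name mismatch. Checks the CN only, as the
# thread describes; subjectAltName is not examined.
check_ldap_cert() {
    cafile=$1 cert=$2 name=$3
    # Issuer check. Match the "OK" text: some older openssl releases exit 0
    # even when verification fails.
    openssl verify -CAfile "$cafile" "$cert" 2>&1 | grep -q ': OK$' || {
        echo "FAIL issuer: $cert not signed by a CA in $cafile"; return 1; }
    # Name check: pull the subject CN and compare it with the connect name.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$name" ] || {
        echo "FAIL name: CN '$cn' does not match '$name'"; return 2; }
    echo "OK $cert: issuer trusted, CN=$cn"
}

# make_demo DIR: two self-signed server certs (each is its own issuer),
# plus a client CA file that knows one server and one that knows both.
make_demo() {
    d=$1
    for h in ldap1 ldap2; do
        openssl req -new -x509 -nodes -newkey rsa:2048 -days 1 \
            -subj "/CN=$h.example.test" \
            -keyout "$d/$h.key" -out "$d/$h.pem" 2>/dev/null
    done
    cp "$d/ldap1.pem" "$d/ca-one.pem"
    cat "$d/ldap1.pem" "$d/ldap2.pem" > "$d/ca-both.pem"
}

# Demo: second server against a CA file that only knows the first server,
# then against the combined file, then with the wrong connect name.
tmp=$(mktemp -d) && make_demo "$tmp"
check_ldap_cert "$tmp/ca-one.pem"  "$tmp/ldap2.pem" ldap2.example.test || :
check_ldap_cert "$tmp/ca-both.pem" "$tmp/ldap2.pem" ldap2.example.test || :
check_ldap_cert "$tmp/ca-both.pem" "$tmp/ldap2.pem" localhost || :
rm -rf "$tmp"
```

On real systems, pass the client's configured CA file and a copy of each server's certificate instead of the generated ones.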