
Re: Why TLS is always fail with OpenLdap 2.4.11



Hi,

"Hunter hu" <hunter.wxhu@gmail.com> writes:

> Hi,
>  
> I have to get help from here, because I have been struggling with the TLS
> configuration for weeks.
>  
> During those days I searched Google, including this list, and still can't pass,
> my god.
>  
> Could anyone provide a step-by-step guide on how to configure the OpenLDAP TLS
> connection, so we can reduce our pain?
>
> Here I expose the steps and try to get help from the senior LDAP engineers.
>
> 1. Installed OpenLDAP with --with-tls=openssl
>  
> I added openssl specially to avoid using GnuTLS; sometimes OpenLDAP will go and
> find GnuTLS if the C header is there.
>  
> Installed and started slapd successfully.
>
> 2. Using ldapsearch -v -h 10.192.183.73 -b "dc=example,dc=com" -s base
> "objectclass=*"
>  
> I can get the listed information from the OpenLDAP server, that is OK.
>
> 3. Now go for certificate generation with the numerous guides in Google, but
> none fit to pass for me.
>  
> 3.1 cd /var/myca
>       /usr/local/ssl/misc/CA.sh -newCA
>  
> then will generate demoCA, and cacert.pem  is there, that is ok
>  
> 3.2  /usr/local/ssl/misc/CA.sh -newreq
>      newkey.pem  newreq.pem

At this stage you should only have a newreq.pem, no key yet.

>     Notes: I am using 10.192.183.73 as the common name, is there any issue
> here?

Not if you only call the host by this IP number.
>
> 3.3  /usr/local/ssl/misc/CA.sh -sign
>          then you got newcert.pem

You have to extract the key first:

openssl rsa -in newreq.pem -out newkey.pem

> Now copy into /var/ldap, try to insert into slapd, and restart.
>  
> TLSCipherSuite MEDIUM:+TLSv1+SSL3+SSL2
> TLSCertificateFile /var/ldap/newcert.pem
> TLSCertificateKeyFile /var/ldap/newkey.pem  ( some guide said should be
> newreq.pem)
> TLSCACertificateFile /var/ldap/cacert.pem
>
> 4. FTP cacert.pem to the client and copy it into /var/myca
>  
> Using s_client to test at first:
> openssl s_client -connect 10.192.183.73:389 -showcerts -state -CAfile /var/myca
> /cacert.pem -tls1
>  
> You will always get the error.

This would not work; you have to start slapd with -h ldaps:/// and
connect openssl to port 636.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
sip: +49.180.1555.7770535
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
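Added example, not code from this thread or from OpenLDAP: the three CA.sh steps in the question redone with plain openssl commands, followed by the checks that catch the mistakes discussed in the reply (a request file used as the key file, a key that does not belong to the certificate, a CN other than the name clients connect with). The directory layout, the "Demo CA" name and the CN value are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP: the three CA.sh
# steps above redone with plain openssl commands, plus the checks that catch
# the mistakes discussed (a request file used as the key file, a key that does
# not match the certificate, a CN other than the name clients connect with).
# The directory layout, the CA name and the CN are assumptions for the demo.

# make_server_certs DIR CN: writes cacert.pem, newreq.pem, newkey.pem, newcert.pem
make_server_certs() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    # 3.1, like CA.sh -newCA: self-signed CA key and certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    # 3.2, like CA.sh -newreq, but the key goes straight to its own file, so no
    # later 'openssl rsa -in newreq.pem -out newkey.pem' extraction is needed
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/newkey.pem" -out "$dir/newreq.pem" 2>/dev/null
    # 3.3, like CA.sh -sign: the CA signs the request into newcert.pem
    openssl x509 -req -in "$dir/newreq.pem" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -days 365 \
        -out "$dir/newcert.pem" 2>/dev/null
}

# check_server_certs DIR CN: prints "ok" when the three files would satisfy
# TLSCACertificateFile / TLSCertificateFile / TLSCertificateKeyFile, else why not
check_server_certs() {
    dir=$1; cn=$2
    # the server cert must chain to the CA file handed to clients
    openssl verify -CAfile "$dir/cacert.pem" "$dir/newcert.pem" >/dev/null 2>&1 \
        || { echo "FAIL: newcert.pem does not verify against cacert.pem"; return 1; }
    # the key file must be a private key (a CSR such as newreq.pem is not one)
    openssl pkey -in "$dir/newkey.pem" -noout 2>/dev/null \
        || { echo "FAIL: newkey.pem is not a private key"; return 1; }
    # and it must be the key the certificate was issued for: compare public keys
    k=$(openssl pkey -in "$dir/newkey.pem" -pubout 2>/dev/null | openssl md5)
    c=$(openssl x509 -in "$dir/newcert.pem" -pubkey -noout 2>/dev/null | openssl md5)
    [ "$k" = "$c" ] || { echo "FAIL: newkey.pem does not match newcert.pem"; return 1; }
    # the CN must be the name (here an IP) clients use, or verification fails
    openssl x509 -in "$dir/newcert.pem" -noout -subject | grep -q "CN *= *$cn" \
        || { echo "FAIL: subject CN is not $cn"; return 1; }
    echo ok
}
```

Once these checks pass, test the listener the way the reply describes: start slapd with -h ldaps:/// and point openssl s_client at port 636 with -CAfile cacert.pem.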