[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: fedora and openldap

Hello both,

Finally I compiled and linked all binaries so that they can be found in the path before the installed ones. In the ldap.conf file for the client I set TLS_CACERT to the certificate that I create for the client in the server and it worked. So, now ldapsearch does work, but looks like the local auth system is unable to query for users... when I set the authconfig, the server says:
>>> slap_listener(ldaps://curri0.imppc.local:636)
connection_get(12): got connid=1097 (this number keeps growing)
connection_read(12): checking for input on id=1097
TLS trace: SSL_accept:before/accept initialization
TLS: can't accept: (unknown).
connection_read(12): TLS accept failure error=-1 id=1097, closing
connection_close: conn=1097 sd=12

many times.
Without TLS it did work before, also it has something to do with the new installation of the openldap...
Thanks for all your help,

On 4/12/11 11:01 PM, Rich Megginson wrote:
On 04/12/2011 03:01 PM, Judith Flo Gaya wrote:
On 4/12/11 9:49 PM, Rich Megginson wrote:
If you are using /usr/bin/ldapsearch on Fedora 14 and later, it is
linked with Mozilla NSS instead of openssl.  But openldap with moznss
works the same as it does with openssl.
so certificates generated by openssl should work with this settings?
Do you have your CA cert on the client machine?
I copied the ca-cert.pem from the server machine to the client,
along with the certificate that I generate for the client itself.
Not sure what you mean by this.
I created a certificate for the client, signed by the server, I
thought that the procedure of the certificate file wasn't only about
creating a ca-cert.pem file and propagate it trought all clients, but
create a certificate for each client signed by the same ca-cert.
I don't know if I made myself clear, I followed (between others) this
look at pint 4.3, it creates a certificate file for each client, isn't
it? maybe i didn't understand it quite well
Yes.  Looks like it creates client (i.e user) certificates.

I'm not sure what the problem is.  If you think the problem is with
moznss, find an ldapsearch client built with openssl (Fedora 13 or
earlier if you have access).

I thought that it was this last certificate the one that I should
place in the TLS_CACERT (ldap.conf) not the general one.
Not sure what you mean by this.  TLS_CACERT must be the certificate of
the CA that issued the server cert.
If so, did you specify
it in /etc/openldap/ldap.conf or ~/.ldaprc?  If not, you can also
specify it on the command line like this:

LDAPTLS_CACERT=/path/to/ca_cert.pem ldapsearch -x -H
I made the test and still it does not work ;(
# LDAPTLS_CACERT=/etc/openldap/cacerts/ca-cert.pem ldapsearch -x -H
ldaps://curri0.imppc.local:636/ -d 1
ldap_new_connection 1 1 0
ldap_connect_to_host: TCP curri0.imppc.local:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS certificate verification: subject: -unknown-, issuer: -unknown-,
cipher: -unknown-, security level: off, secret key bits: 0, total key
bits: 0, cache hits: 0, cache misses: 0, cache not reusable: 0
TLS certificate verification: bad
TLS certificate verification: Error, -8182: Unknown code ___f 10
TLS: error: connect - force handshake failure -1 - error -8182:Unknown
code ___f 10
TLS: can't connect: .
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

It seems that it doesn't like the certificate.

-8182 is SEC_ERROR_BAD_SIGNATURE.  During the TLS/SSL handshake, the
client tries to see if the server's cert is correctly signed by the CA
cert (the local ca-cert.pem).
the server says:

connection_get(12): got connid=1023
connection_read(12): checking for input on id=1023
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=1023
connection_read(12): checking for input on id=1023
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
alert bad certificate.
connection_read(12): TLS accept failure error=-1 id=1023, closing
connection_close: conn=1023 sd=12

I assure you that both ca-cert.pem files from server and client are
the sames, as I create it and send it throught scp..