Re: fedora and openldap
On 04/13/2011 09:07 PM, Aaron Richton wrote:
I don't know if I understood you or I didn't make myself clear on that
point. I created a CA on the server and then copied the file to the
client, is that wrong?
On Wed, 13 Apr 2011, Judith Flo Gaya wrote:
I see, I also have those files that you mention... I created my own CA
as lots of tutorials explain. Then I transmitted it to the clients and
used it in the ldap.conf file. Do you suggest I send those to the
server and use them instead of the ones I generated with openssl?
Well, you'll need the CA on the client to match the CA that signed the
server's certificate. In other words...if you generated your own CA for
both the client and the server, trust issues would be completely
I was talking about the operating system, for some reason I think that
having red hat (with openldap compiled using openssl) and clients with
fedora (openldap compiled against moznss) created my problems.
Now that you said that this is your case (I think) then it may be
something related to... I don't know what.
What's your server?
OpenLDAP software is on both sides of the equation; it's just that some
clients are NSS, some clients are OpenSSL, some clients are GnuTLS, while
ALL servers are OpenSSL.
Yes, I totally agree, that's why I set up my own openldap installation
and only cared about ldapsearch working. Then, when ldapsearch finally
worked, I started looking at the user auth part, changing passwords,
etc.. As this part wasn't working and it appeared to be a moznss problem,
I got stuck... until you arrived. I will try what you suggest about
using the pki certs instead of the openssl ones..
Well, my final problem was not ldapsearch but user authentication.
The ldapsearch showed the whole ldap definitions, but if I try to ssh
to the machine with an ldap user, I get some TLS negotiation problem ;(
That's when I was told that the problem may be caused by the
implementation of the ldap client (with moznss support).
Well, when troubleshooting, it's often easiest to look with a narrow
scope. Using OpenLDAP software, such as ldapsearch(1) and ldapwhoami(1),
will probably offer a better debugging platform than an ssh
implementation? One step at a time...
Thanks a lot for the suggestion, I hope this finally fixes the issue.
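The two checks Aaron recommends, as an added example that is not part of the thread: first confirm offline that the CA file the client trusts really signed the server's certificate, then probe StartTLS with ldapwhoami instead of going through ssh. The script builds its own throwaway "right" and "wrong" CAs and a server certificate with openssl so it runs without a live directory; the hostname ldap.example.org, the file names and the function names are assumptions for the demo, and the ldapwhoami probe is only run if the OpenLDAP client tools are installed.

```shell
#!/bin/sh
# Added example, not code from the thread. Constructed test PKI:
# two toy CAs, one server cert signed only by "right".
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {  # $1 = CA name (assumed naming scheme for the demo)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/CN=$1 Test CA" >/dev/null 2>&1
}

make_server_cert() {  # $1 = signing CA name, $2 = server hostname
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/server.pem" >/dev/null 2>&1
}

# Exit status 0 if the certificate in $2 chains to the CA file in $1,
# non-zero otherwise. This is the relationship that must hold between
# the client's TLS_CACERT and the certificate slapd presents; if it
# fails here, no ldap.conf setting on the client will make TLS work.
ca_signed_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Narrow-scope client test: force StartTLS (-ZZ) using the candidate
# CA file and show the TLS debug output, with no ssh/PAM in the path.
probe_ldap_tls() {  # $1 = CA file, $2 = LDAP host
    if command -v ldapwhoami >/dev/null 2>&1; then
        LDAPTLS_CACERT="$1" ldapwhoami -x -ZZ -H "ldap://$2/" -d 1
    else
        echo "ldapwhoami not installed; skipping live probe" >&2
    fi
}

make_ca right
make_ca wrong
make_server_cert right ldap.example.org

if ca_signed_cert "$WORK/right.pem" "$WORK/server.pem"; then
    echo "right.pem signed server.pem: a client trusting it can verify the server"
fi
if ! ca_signed_cert "$WORK/wrong.pem" "$WORK/server.pem"; then
    echo "wrong.pem did not sign server.pem: TLS negotiation would fail"
fi

# Against a real server (assumed hostname), after copying the right CA:
# probe_ldap_tls "$WORK/right.pem" ldap.example.org
```

The offline check is independent of which TLS library the client's libldap was built against; if `openssl verify` rejects the pairing, the problem is the PKI, not OpenSSL vs. MozNSS. Once it passes, `ldapwhoami -ZZ -d 1` gives a single, readable TLS handshake to inspect before involving ssh or PAM.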