[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: fedora and openldap

Hello Aaron,

On 04/13/2011 09:07 PM, Aaron Richton wrote:
On Wed, 13 Apr 2011, Judith Flo Gaya wrote:

I see, I also have those files that you mention... I created my own CA
as lots of tutorials explain.. Then I transmitted it to the clients and
used it in the ldap.conf file. Do you suggest me to send those to the
server and use them instead of the ones I generated with openssl?

Well, you'll need the CA on the client to match the CA that signed the
server's certificate. In other words...if you generated your own CA for
both the client and the server, trust issues would be completely
I don't know if I understood you or I didn't make myself clear on that point. I created a CA in the server and the copied the file to the client, is that wrong?

What's your server?

OpenLDAP software is on both sides of the equation; it's just that some
clients are NSS, some clients are OpenSSL, some clients are GnuTLS, while
ALL servers are OpenSSL.
I was talking about the operating system, for some reason I think that having red hat (with openldap compiled using openssl) and clients with fedora (openldap compiled against moznss) created my problems. Now that you said that this is your case (I think) then it may be something related to... I don't know what.

Well my final problem were not ldapsearch but the user autenticacion.
The ldapsaerch showed the whole ldap definitions but if I try to ssh
with an ldap user to the machine, I get some TLS negotiation problem ;(
That's when I was told that the problem may be caused by the
implementation of the ldap client (with moznss support).

Well, when troubleshooting, it's often easiest to look with a narrow
scope. Using OpenLDAP software, such as ldapsearch(1) and ldapwhoami(1),
will probably offer a better debugging platform than an ssh
implementation? One step at a time...
Yes, I totally agree, that's why I setup my own openldap installation and only care about ldapsearch working, then when ldapsearch finally worked, then I start looking at the user auth part, changing passw, etc.. as this part wasn't working and it appear to be a moznss problem, I got stuck... until you arrived, I will try what you suggest about using the pki certs instead of the openssl ones..

Thanks a lot for the suggestion, hope this finally fix the issue.