
Re: open LDAP + TLS/SSL bind Failed.



Daniel,

Please perform the steps below to create the certificate:
$ /usr/lib/ssl/misc/CA.pl -newreq
$ /usr/lib/ssl/misc/CA.pl -signreq
$ openssl rsa < newkey.pem > clearkey.pem

then 
$ sudo cp cacert.pem /usr/share/ca-certificates/Domain.crt

Then, edit the /etc/ca-certificates.conf file, and add Domain.crt at the
end of the file. Finally, run update-ca-certificates:

$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs....done.


Thanks,
-Arun


Message: 9
Date: Sun, 18 Sep 2011 22:59:51 -0400
From: Daniel Qian <daniel@up247solution.com>
To: openldap-technical@openldap.org
Subject: Re: open LDAP + TLS/SSL bind Failed.
Message-ID: <4E76B027.9020800@up247solution.com>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

On 11-09-16 3:57 AM, vijay s sheelavantar wrote:
> Hi,
> I am trying to configure an LDAP client/server on 2 Fedora-10 Linux machines.
>
> I have installed and configured openldap-2.4.26 server on one machine 
> and pam_ldap-186, nss_ldap-265 on the other machines.
>
> I have created the TLS certificates using the following command on the server.
>
> openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650
>
> and I have created the client.pem by copying the CERTIFICATE portion of 
> the server.pem.
>
> When my client tries to connect to the server I get the following errors.
>
> TLS trace: SSL3 alert read:fatal:unknown CA
> TLS trace: SSL_accept:failed in SSLv3 read client certificate A
> TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
> connection_read(12): TLS accept failure error=-1 id=1012, closing
> connection_closing: readying conn=1012 sd=12 for close
> connection_close: conn=1012 sd=12
> daemon: removing 12
> conn=1012 fd=12 closed (TLS negotiation failure)
> My Configurations are as follows.
>
> slapd.conf
>
> access to attrs=userPassword
> by self write
> by anonymous auth
> by * none
>
> access to *
> by * read
>
> #TLS Certificate section
> TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
> TLSCACertificateFile /etc/openldap/cacerts/server.pem
> TLSCertificateFile /etc/openldap/cacerts/server.pem
> TLSCertificateKeyFile /etc/openldap/cacerts/server.pem
> TLSVerifyClient allow
>
> and client side ldap.conf
>
> base dc=samsung,dc=com
> uri ldaps://10.254.204.181/
> TLS_CACERT /etc/openldap/cacerts/client.pem
> pam_password md5
>
> nsswitch.conf
>
> passwd: files ldap
> shadow: files ldap
> group: files ldap
>
> netgroup: files ldap
> automount: files ldap
>
> I am not getting why it says "unknown ca", even though the 
> certificate was created on the server machine itself.
>
> Kindly help me to solve this problem.
>


You may try this:

cd /etc/openldap/cacerts/
ln -s client.pem `openssl x509 -noout -hash -in client.pem`.0
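The two remedies in this thread, Arun's CA-signed certificate and Daniel's hash-named link, as one added shell example. This is editorial example code, not something either poster sent: it assumes the openssl CLI is on PATH, invents the CA name and the hostname ldap.example.test, uses 2048-bit keys where the quoted command used rsa:1024, and works entirely in a temporary directory. It also shows two ways a client ends up sending the "unknown CA" alert seen in the trace above: trusting the wrong file (the server's own CA-issued certificate instead of its issuer) and pointing a directory-based trust store at a directory that has no <subject-hash>.0 entry yet.

```shell
#!/bin/sh
# Added example (not code from any poster in this thread): build a small PKI
# with the openssl CLI, show when chain verification passes and when it fails
# the way the quoted "unknown CA" alert reports, and create the <subject-hash>.0
# link that OpenSSL's directory lookup (OpenLDAP TLS_CACERTDIR, slapd
# TLSCACertificatePath, nss_ldap tls_cacertdir) needs.
# Assumptions: the openssl binary is on PATH; the CA name and the hostname
# ldap.example.test are made up; everything is written to a temp directory.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found, skipping" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca DIR NAME: self-signed CA key and cert (CA.pl's cakey.pem / cacert.pem).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$2" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
    chmod 600 "$1/cakey.pem"
}

# make_server_cert DIR HOST: key + CSR for HOST, signed by DIR's CA (the
# -newreq / -signreq steps). The SAN is what clients match the ldaps:// host
# against; CA:FALSE keeps the leaf from ever acting as an issuer.
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/serverkey.pem" -out "$1/server.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > "$1/server.ext"
    openssl x509 -req -days 365 -in "$1/server.csr" -extfile "$1/server.ext" \
        -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" -CAcreateserial \
        -out "$1/servercert.pem" 2>/dev/null
    chmod 600 "$1/serverkey.pem"     # -nodes leaves the key unencrypted
}

# make_selfsigned DIR HOST: the single-file layout from the quoted post,
# key and self-signed cert together in server.pem.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    cat "$1/key.pem" "$1/cert.pem" > "$1/server.pem"
    rm "$1/key.pem" "$1/cert.pem"
    chmod 600 "$1/server.pem"
}

# extract_cert IN OUT: copy only the CERTIFICATE block out of a key+cert file.
# Clients get the certificate; the private key never leaves the server.
extract_cert() {
    openssl x509 -in "$1" -out "$2"
    if grep -q 'PRIVATE KEY' "$2"; then
        echo "refusing to hand out a private key in $2" >&2
        return 1
    fi
}

# verify_file CERT CAFILE / verify_dir CERT CADIR: 0 on a valid chain.
# A failure here is what a TLS client turns into the "unknown CA" alert.
verify_file() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }
verify_dir()  { openssl verify -CApath "$2" "$1" >/dev/null 2>&1; }

# ca_hash_link CAFILE DIR: DIR/<subject-hash>.0 -> CAFILE, the name OpenSSL
# looks for when the trust store is a directory. Prints the link name.
ca_hash_link() {
    h=$(openssl x509 -noout -subject_hash -in "$1")
    ln -sf "$1" "$2/$h.0"
    echo "$h.0"
}

# yn CMD...: print yes/no from CMD's exit status (an if-test keeps set -e quiet).
yn() { if "$@"; then echo yes; else echo no; fi; }

run_demo() {
    make_ca "$WORK" "Example Test CA"
    make_server_cert "$WORK" ldap.example.test
    CHAIN_OK=$(yn verify_file "$WORK/servercert.pem" "$WORK/cacert.pem")            # yes
    # Trusting the server's own CA-issued cert instead of its issuer does not work:
    LEAF_AS_ANCHOR=$(yn verify_file "$WORK/servercert.pem" "$WORK/servercert.pem")  # no

    # Directory-style trust store: nothing is found until the hash link exists.
    mkdir "$WORK/cacerts"
    DIR_BEFORE=$(yn verify_dir "$WORK/servercert.pem" "$WORK/cacerts")              # no
    LINK=$(ca_hash_link "$WORK/cacert.pem" "$WORK/cacerts")
    DIR_AFTER=$(yn verify_dir "$WORK/servercert.pem" "$WORK/cacerts")               # yes

    # The quoted post's layout: a self-signed cert is its own trust anchor,
    # and the copy handed to clients must carry the certificate only.
    mkdir "$WORK/ss"
    make_selfsigned "$WORK/ss" ldap.example.test
    extract_cert "$WORK/ss/server.pem" "$WORK/ss/client.pem"
    SELF_OK=$(yn verify_file "$WORK/ss/server.pem" "$WORK/ss/client.pem")           # yes

    echo "chain=$CHAIN_OK leaf-as-anchor=$LEAF_AS_ANCHOR dir-before=$DIR_BEFORE dir-after=$DIR_AFTER ($LINK) self=$SELF_OK"
}
run_demo
```

For slapd the files map onto TLSCACertificateFile (cacert.pem), TLSCertificateFile (servercert.pem) and TLSCertificateKeyFile (serverkey.pem); a client then either sets TLS_CACERT to its copy of cacert.pem or TLS_CACERTDIR to the directory holding the hash link. `openssl x509 -subject_hash` is what `-hash` means on OpenSSL 1.0.0 and later; 0.9.8 derived the link name from an MD5-based hash instead, so a directory populated on one version is not found by the other until it is rehashed (c_rehash, or `openssl rehash` on 1.1.0 and later). Whichever layout is used, the unencrypted keys that `-nodes` (or Arun's `openssl rsa` step) produce need to stay mode 0600 and owned by the account slapd runs as.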
