
Re: configuring ldap-client to use TLS (Certificate not found in database)



On 10/20/15 21:24 -0400, Sridhar Acharya Malkaram wrote:
> I am a novice to linux administration. Recently I had to configure a
> system to authenticate using LDAP with TLS. I have read guides from
> several websites. But I still could configure it. There seem to be several
> reasons for the failure. I tried many suggestions, but with no success. I
> don’t have access to the LDAP server. So I have been just playing with
> config on the client.
>
> The LDAP server is sso.abcdef.edu
>
> My ldap.conf content is below
>
> BASE dc=abcdef,dc=edu
> TLS_REQCERT allow
> TLS_CACERT /etc/openldap/cacerts/sso.abcdef.edu.crt
> uri ldap://sso.abcdef.edu
> TLS_CACERTDIR /etc/openldap/cacerts

Your output below says your local ldap libraries are linked against moznss.
See:

http://www.openldap.org/faq/data/cache/1514.html

and the ldap.conf manpage. More comments below.

> I could issue a ldapsearch -x which returns several entries. However,
> I couldn’t do so using TLS. The following command shows some errors. Could
> you suggest possible directions to resolve this? The directory
> /etc/openldap/cacerts/ contains the server certificate
> sso.abcdef.edu.crt. I also made a copy of it with name sso.abcdef.edu.pem.
> I am not sure whether this pem file should be that of the server or the
> client.
>
> Another question, should the client also have a CA (or self-signed)
> certificate, and whether it should be uploaded onto the LDAP server?

That depends on the security needs of your network.

If the server is configured to require client certificates, then you'll
need to specify a TLS_CERT and TLS_KEY (again, see ldap.conf(5)).

> /etc/openldap/cacerts root@wserver[0.5]5019 > ldapsearch -ZZZ -h sso.abcdef.edu -d -1
>
> ldap_msgfree
> TLS: loaded CA certificate file /etc/openldap/cacerts/sso.abcdef.edu.crt.
> TLS: error: the certificate '/etc/openldap/cacerts/sso.abcdef.edu.pem' could not be found in the database - error -12285:Unable to find the certificate or key necessary for authentication..
> TLS: certificate '/etc/openldap/cacerts/sso.abcdef.edu.pem' successfully loaded from PEM file.
> TLS: could not add the private key '/etc/openldap/cacerts/sso.abcdef.edu.pem' - error -8018:Unknown PKCS #11 error..
> TLS: error: could not initialize moznss security context - error -8018:Unknown PKCS #11 error.
> TLS: can't create ssl handle.
> ldap_err2string
> ldap_start_tls: Connect error (-11)

Does /etc/openldap/cacerts/sso.abcdef.edu.pem exist? If so, moznss will
attempt to open it as a database. It should not exist if you wish to use
the collective cert files within /etc/openldap/cacerts/ as your cacerts.
You should not specify TLS_CACERT in that case either.

--
Dan White
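For readers who land on this thread with the same error, here is an added ldap.conf example (not part of the thread, not the poster's or OpenLDAP's own configuration) contrasting the posted configuration with the two layouts Dan's reply points to. Hostnames and paths are the thread's; the TLS_REQCERT demand setting is an assumption about the hardening a client should normally run with, not something the thread sets.

```conf
# --- As posted: two CA sources configured at once, and a verification
# mode (allow) that still proceeds when the server certificate cannot be
# verified. The directory also holds sso.abcdef.edu.pem, a copy of the
# same certificate, which the moznss output above stumbles over.
BASE          dc=abcdef,dc=edu
URI           ldap://sso.abcdef.edu
TLS_REQCERT   allow
TLS_CACERT    /etc/openldap/cacerts/sso.abcdef.edu.crt
TLS_CACERTDIR /etc/openldap/cacerts

# --- Option A: a directory of trusted CA certificates (moznss build).
# Drop TLS_CACERT, and delete the duplicate sso.abcdef.edu.pem from the
# directory so the library does not try to open it as a certificate
# database. demand: refuse the connection if the server certificate
# cannot be verified (ldap.conf(5)).
BASE          dc=abcdef,dc=edu
URI           ldap://sso.abcdef.edu
TLS_REQCERT   demand
TLS_CACERTDIR /etc/openldap/cacerts

# --- Option B: a single CA certificate file and no TLS_CACERTDIR.
# The file is the CA certificate that signed the server's certificate
# (or the server certificate itself if it is self-signed), never a
# client certificate.
BASE          dc=abcdef,dc=edu
URI           ldap://sso.abcdef.edu
TLS_REQCERT   demand
TLS_CACERT    /etc/openldap/cacerts/sso.abcdef.edu.crt

# TLS_CERT / TLS_KEY are only needed when the server requires client
# certificates. Verify either layout with:
#   ldapsearch -x -ZZ -H ldap://sso.abcdef.edu -b dc=abcdef,dc=edu
```

Only one of the three blocks belongs in a real ldap.conf; they are shown together to make the differences visible.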