
RE: TLS/SSL problems, server side certificate not recognized



Hello. This is a complex area, however I'll try and list the gotchas that
I've learnt over the last few weeks.

1. MAKE SURE the "cn" in your cert is the same as the host name of the
server (as given by "hostname -f"), and MAKE SURE this value is in the hosts
file as the primary host name (not an alias) on your client machines as well
as your server. ALSO MAKE SURE you reference the server in slapd.conf,
ldap.conf and any other files by its name rather than an IP address.

2. The server's cert, key and the cert of the ca that signed it need to be
located on the server and readable by slapd, etc. These should be referenced
in host files using their full path.

3. The client's cert, key and the cert of the ca that signed it need to be
located on the server and readable by slapd, etc. These should be referenced
in host files using their full path.

4. Use ldapsearch -d -1 to test - it's very verbose and you'll be able to
see what is going on.

5. Post again if you need more help. Persevere, it does work out in the
end!!!!!

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Omar Al-Tabari
Sent: 07 March 2005 11:55
To: openldap-software
Subject: TLS/SSL problems, server side certificate not recognized


I'm totally ignorant regarding ldap but I must configure it to use it in
my company, I need to enable SSL/TLS for its use, either TLS over port
389 or SSL over port 636, but I can’t seem to make it work.

I’ve created a self-signed certificate, as instructed in many FAQ and
HOW-TO articles, but it doesn’t seem to work, I also created a CA and
separated the certificate from the private key and added it to the
server but still no success.

I need help, it looks like I’m a total idiot that’s why it doesn’t work,
you can't help me with my stupidity but I hope you could help me to get
SSL or TLS working.

Also what needs to be done on the client side, do I copy the created
certificates or do I copy nothing?

I’m using:

Fedora Core 2

OpenLDAP 2.2.13
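The checklist in the reply above (items 1 to 4), turned into a pre-flight script. This is example code added for this page, not something either poster sent to the list. It assumes a slapd.conf/ldap.conf style configuration under /etc/openldap and a slapd service account called "ldap" (both hypothetical; adjust for your distribution), and that openssl and ldapsearch are installed. The host name and file paths on the command line are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: walk the reply's checklist before
# reaching for "ldapsearch -d -1". Paths and the "ldap" account are
# hypothetical placeholders.
#
#   sh tls-preflight.sh ldap.example.com /etc/openldap/server.crt \
#       /etc/openldap/server.key /etc/openldap/ca.crt /etc/hosts \
#       /etc/openldap/slapd.conf /etc/openldap/ldap.conf

# Item 1: print the subject CN of a PEM certificate (requires openssl).
# Handles both "subject=CN = x" and the older "subject= /C=../CN=x" layouts.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Item 1: the FQDN must be the first name on its hosts-file line, not an alias.
# Exit status: 0 = primary name, 1 = present only as an alias, 2 = absent.
hosts_primary_name() {                      # args: hosts-file fqdn
  awk -v want="$2" '
    { sub(/#.*/, "") }                      # strip comments, re-split fields
    NF < 2 { next }
    $2 == want { found = 1; exit }
    { for (i = 3; i <= NF; i++) if ($i == want) alias = 1 }
    END { if (found) exit 0; if (alias) exit 1; exit 2 }' "$1"
}

# Items 2/3: TLS file directives (slapd.conf and ldap.conf spellings) must be
# absolute paths, and URI/host lines must name the server, not an IP address.
# Prints one line per problem; exit status 0 only when nothing is wrong.
config_check() {                            # args: config files...
  awk '
    /^[ \t]*#/ { next }
    /^[ \t]*(TLS(CACertificateFile|CertificateFile|CertificateKeyFile)|TLS_(CACERT|CERT|KEY))[ \t]/ &&
      $2 !~ /^\// {
        print FILENAME ":" FNR ": " $1 " is not an absolute path: " $2; bad++ }
    /^[ \t]*(URI|host)[ \t]/ {
      for (i = 2; i <= NF; i++) {
        v = $i; sub(/^ldaps?:\/\//, "", v); sub(/[:\/].*$/, "", v)
        if (v ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
          print FILENAME ":" FNR ": " $1 " uses an IP address, not a host name: " $i; bad++ } } }
    END { exit (bad ? 1 : 0) }' "$@"
}

# Items 2/3: the cert, key and CA cert must exist and be readable by the
# account that needs them, so run this AS that account (see usage note).
files_readable() {                          # args: files...
  rc=0
  for f in "$@"; do
    [ -r "$f" ] || { echo "not readable: $f"; rc=1; }
  done
  return "$rc"
}

# The server cert must chain to the CA cert that slapd.conf/ldap.conf point at.
verify_chain() {                            # args: ca-cert server-cert
  openssl verify -CAfile "$1" "$2"
}

# Item 4: the verbose probe from the reply. -ZZ insists on StartTLS over 389,
# so a name or cert problem fails right here with the TLS reason in the trace.
tls_probe() {                               # arg: fqdn
  ldapsearch -x -ZZ -H "ldap://$1/" -d -1 -b '' -s base '(objectClass=*)'
}

# Run everything when invoked with arguments; sourcing the file runs nothing.
if [ "$#" -ge 7 ]; then
  fqdn=$1 crt=$2 key=$3 ca=$4 hosts=$5; shift 5
  cn=$(cert_cn "$crt")
  if [ "$cn" = "$fqdn" ]; then echo "CN matches host: $cn"
  else echo "CN MISMATCH: cert says '$cn', host is '$fqdn'"; fi
  if hosts_primary_name "$hosts" "$fqdn"; then echo "hosts: $fqdn is a primary name"
  else echo "hosts: $fqdn is missing or only an alias"; fi
  config_check "$@" && echo "config: paths and host names look right"
  files_readable "$crt" "$key" "$ca" && verify_chain "$ca" "$crt" && tls_probe "$fqdn"
fi
```

Run the readability check as the service account rather than root, for example `su -s /bin/sh ldap -c '. ./tls-preflight.sh; files_readable /etc/openldap/server.key'`, because root can read files that slapd cannot. The `-d -1` trace is as verbose as the reply warns; redirect it to a file and search it for the first TLS error rather than reading it top to bottom.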