Re: Using NSS
Yes: Specify your cacert file in openldap's ldap.conf file (NOT PADL's in /etc/): typically /etc/openldap/ldap.conf or perhaps /usr/local/openldap/etc/openldap/ldap.conf.
If the cert is signed by a real CA then your system's cacert bundle needs updating.
If not, then I recommend you set up your own internal CA - it doesn't need to always be running nor even have network connectivity.
And use openssl vs Mozilla's ssl - my understanding is that it doesn't quite work right; especially when building openldap.
- chris
----- Original Message -----
From: openldap-technical-bounces@OpenLDAP.org <openldap-technical-bounces@OpenLDAP.org>
To: richm@stanfordalumni.org <richm@stanfordalumni.org>
Cc: openldap-technical@openldap.org <openldap-technical@openldap.org>
Sent: Sun Feb 05 03:56:18 2012
Subject: Re: Using NSS
[My, it's been a while. I got pulled away from this and it's been a
busy few months. Now I'm beating my head against it some more.]
I backed up and started over with this. Here is the state of things:
# certutil -d /etc/pki/nssdb -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
LDAP-Server-Cert u,u,u
CA certificate CTu,u,u
# certutil -d /etc/pki/nssdb -L -n 'CA certificate'
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1000 (0x3e8)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=Endoframe CA cert,DC=endoframe,DC=net"
Validity:
Not Before: Tue Jan 17 07:48:20 2012
Not After : Mon Jan 17 07:48:20 2022
Subject: "CN=Endoframe CA cert,DC=endoframe,DC=net"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
[snip]
Signed Extensions:
Name: Certificate Basic Constraints
Critical: True
Data: Is a CA with no maximum path length.
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
[snip]
Fingerprint (MD5):
[snip]
Fingerprint (SHA1):
[snip]
Certificate Trust Flags:
SSL Flags:
Valid CA
Trusted CA
User
Trusted Client CA
Email Flags:
User
Object Signing Flags:
User
# certutil -d /etc/pki/nssdb -L -n 'LDAP-Server-Cert'
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1001 (0x3e9)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=Endoframe CA cert,DC=endoframe,DC=net"
Validity:
Not Before: Thu Jan 19 06:13:01 2012
Not After : Wed Jan 19 06:13:01 2022
Subject: "CN=ldap.endoframe.net"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
[snip]
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
[snip]
Fingerprint (MD5):
[snip]
Fingerprint (SHA1):
[snip]
Certificate Trust Flags:
SSL Flags:
User
Email Flags:
User
Object Signing Flags:
User
Given the above, I generate the cert for the client:
# certutil -d /etc/pki/nssdb -L -n LDAP-Server-Cert -a > /etc/openldap/cacerts/ldap-server-cert.pem
In cn=config.ldif, I have:
olcTLSCACertificatePath: /etc/pki/nssdb
olcTLSCertificateFile: LDAP-Server-Cert
In ldap.conf, I have:
TLS_CACERT /etc/openldap/cacerts/ldap-server-cert.pem
Finally, when I run ldapsearch, I get this error:
# ldapsearch -H ldaps://ldap.endoframe.net -b dc=endoframe,dc=net -x -d1
ldap_url_parse_ext(ldaps://ldap.endoframe.net)
ldap_create
ldap_url_parse_ext(ldaps://ldap.endoframe.net:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.endoframe.net:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.0.0.21:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: loaded CA certificate file /etc/openldap/cacerts/ldap-server-cert.pem.
TLS: certificate [CN=Endoframe CA cert,DC=endoframe,DC=net] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 21 - moznss error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Is there something I need to do to mark the issuer as trusted on the
client? (The client and server are actually the same machine in this
case, FWIW.)
Braden
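Chris's point that TLS_CACERT must name the CA cert, and the export of LDAP-Server-Cert into that file in the message above, as an added example that is not part of the thread: the script builds a throwaway internal CA and server cert with OpenSSL (constructed key material, the thread's DNs) and then shows that a client trusting only the server cert cannot validate it, while trusting the CA cert does. It assumes openssl is on PATH and uses openssl rather than NSS's certutil for the checks.

```shell
#!/bin/sh
# Added example, not from the thread. All key material is generated here.
set -e
W=$(mktemp -d)
cat > "$W/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[srv_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:ldap.endoframe.net
EOF
# Self-signed internal CA with the same DN as in the thread
openssl req -x509 -config "$W/req.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
  -keyout "$W/ca.key" -out "$W/ca.pem" -days 365 \
  -subj '/DC=net/DC=endoframe/CN=Endoframe CA cert' 2>/dev/null
# Server cert for ldap.endoframe.net, issued by that CA
openssl req -new -config "$W/req.cnf" -newkey rsa:2048 -nodes \
  -keyout "$W/srv.key" -out "$W/srv.csr" -subj '/CN=ldap.endoframe.net' 2>/dev/null
openssl x509 -req -in "$W/srv.csr" -CA "$W/ca.pem" -CAkey "$W/ca.key" -CAcreateserial \
  -extfile "$W/req.cnf" -extensions srv_ext -out "$W/srv.pem" -days 365 2>/dev/null

# is_ca_cert FILE: "yes" if the PEM carries basicConstraints CA:TRUE
is_ca_cert() {
  if openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
  then echo yes; else echo no; fi
}
# issuer_matches CA_FILE CERT_FILE: "yes" if the CA's subject is the cert's issuer
issuer_matches() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$2" -noout -issuer_hash)" ] && echo yes || echo no
}
# tls_cacert_works CACERT_FILE SERVER_CERT: "ok" if a client that trusts only
# CACERT_FILE (what TLS_CACERT gives ldapsearch) would accept SERVER_CERT
tls_cacert_works() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

echo "TLS_CACERT = server cert: $(tls_cacert_works "$W/srv.pem" "$W/srv.pem")"   # fail
echo "TLS_CACERT = CA cert:     $(tls_cacert_works "$W/ca.pem" "$W/srv.pem")"    # ok
```

On the NSS side the matching export is the command from the message above with the CA's nickname instead of the server cert's, i.e. `certutil -d /etc/pki/nssdb -L -n 'CA certificate' -a`, and that output is what TLS_CACERT should point at.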