ssl certificate problem
Paolo Ercolani
2007-04-10 08:09:31
Hi. I'm new to this list and for a week I've been really fighting with directory server. I followed some howtos and downloaded a lot of documents, but I can't get out of trouble.
I need to log in from my Linux boxes to the LDAP directory server. If I try to use my test user in clear mode I can do that. The problem is when I try to configure a self-signed certificate. I won't describe all the tests I've done, I'll tell you just the last!!
I created my cacert.pem on the LDAP server and installed it from the console. It goes and it's OK. Then I used openssl to generate a private key and a certificate request, then I signed it. That's what I did:

    openssl genrsa -out privkey.pem 2048
    openssl req -new -key privkey.pem -out PEM.csr
    openssl ca -cert cacert.pem -in PEM.csr -out cert.pem

I copied cacert.pem, privkey.pem and cert.pem to the client and configured ldap.conf on it:

    URI ldaps://<ldapserver>:636
    BASE ou=UTENTI,o=postel,c=com
    host kingu.postel.com
    TLS_REQCERT allow
    TLS_CHECKPEER yes
    TLS_CACERTDIR /etc/ssl
    TLS_CACERT /etc/ssl/cacert.pem
    TLS_CERT /etc/ssl/cert.pem
    TLS_KEY /etc/ssl/privkey.pem

I activated SSL on my LDAP server and installed my cacert.pem on it. I didn't do anything else.
I also tried to generate a certificate request from Directory Server and to sign it with my cacert.pem. Then I imported it as my server-cert. It imported it, but login still didn't go.

I followed the manuals I found on directory.fedora.org (Managing SSL and SASL), but I looked at a lot of documents too.

I think the logs say nothing bad. This is my access log:

    [10/Apr/2007:14:59:54 +0200] conn=15 fd=65 slot=65 SSL connection from <ldap client> to <ldap server>
    [10/Apr/2007:14:59:54 +0200] conn=15 SSL 256-bit AES
    [10/Apr/2007:14:59:54 +0200] conn=15 op=0 BIND dn="" method=128 version=3
    [10/Apr/2007:14:59:54 +0200] conn=15 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
    [10/Apr/2007:14:59:54 +0200] conn=15 op=1 SRCH base="ou=UTENTI,o=postel,c=com" scope=2 filter="(&(objectClass=posixAccount)(uid=utente))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
    [10/Apr/2007:14:59:54 +0200] conn=15 op=1 RESULT err=0 tag=101 nentries=1 etime=0
    [10/Apr/2007:14:59:56 +0200] conn=15 op=2 SRCH base="ou=UTENTI,o=postel,c=com" scope=2 filter="(&(objectClass=posixAccount)(uid=utente))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
    [10/Apr/2007:14:59:56 +0200] conn=15 op=2 RESULT err=0 tag=101 nentries=1 etime=0
    [10/Apr/2007:14:59:56 +0200] conn=15 op=3 SRCH base="ou=UTENTI,o=postel,c=com" scope=2 filter="(&(objectClass=shadowAccount)(uid=utente))" attrs="uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag"
    [10/Apr/2007:14:59:56 +0200] conn=15 op=3 RESULT err=0 tag=101 nentries=1 etime=0
    [10/Apr/2007:14:59:56 +0200] conn=15 op=4 SRCH base="ou=UTENTI,o=postel,c=com" scope=2 filter="(&(objectClass=posixAccount)(uid=utente))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
    [10/Apr/2007:14:59:56 +0200] conn=15 op=4 RESULT err=0 tag=101 nentries=1 etime=0
    [10/Apr/2007:14:59:56 +0200] conn=16 fd=66 slot=66 SSL connection from <ldap client> to <ldap server>

To me it seems it says nothing bad. I can't get out of it and I don't understand what is wrong. The directory server version is 1.0.4. I installed it from RPM on Red Hat Enterprise 4.

If I try to log on with URI ldap://<ldapserver> (not SSL!!) it goes and I can authenticate using LDAP!!!

Can anyone help me, please???


Thanks everyone.
Paolo.


-- 
Paolo Ercolani
Postel
Gestione Servizi e Accessi Telematici
Erogazione Servizi e Gestione Infrastrutture Mass Communication
Viale Guglielmo Massaia 31 – 00154 Roma
Tel 06 51426 549 Fax 06 51426 553
e-mail: paolo.ercolanipostel.com


--
Fedora-directory-users mailing list
Fedora-directory-usersredhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
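The client-side trust settings in the ldap.conf above, in particular `TLS_REQCERT allow`, decide whether a certificate problem is reported or silently tolerated, which matters when the symptom is "login didn't go" with no visible error. The following is an added example, not code from this thread or from the Fedora Directory Server project: a small Python lint that parses the posted ldap.conf, reports the settings that weaken or muddy server-certificate checking, and emits the strict equivalent. Option semantics follow ldap.conf(5); the statement that `TLS_CHECKPEER` is the nss_ldap/pam_ldap spelling and is not read by libldap is this example's own assumption.

```python
"""Lint the TLS trust settings of a client ldap.conf (added example)."""
from typing import Dict, List, Tuple

# Constructed sample: the client ldap.conf from the original post, verbatim.
POSTED_LDAP_CONF = """\
URI ldaps://<ldapserver>:636
BASE ou=UTENTI,o=postel,c=com
host kingu.postel.com
TLS_REQCERT allow
TLS_CHECKPEER yes
TLS_CACERTDIR /etc/ssl
TLS_CACERT /etc/ssl/cacert.pem
TLS_CERT /etc/ssl/cert.pem
TLS_KEY /etc/ssl/privkey.pem
"""

# TLS_REQCERT values from weakest to strictest, per ldap.conf(5):
#   never  - do not request a server certificate at all
#   allow  - request one; if it is missing or bad, ignore that and continue
#   try    - a missing certificate is ignored, a bad one ends the session
#   demand - a missing or bad certificate ends the session ("hard" is a synonym)
REQCERT_RANK = {"never": 0, "allow": 1, "try": 2, "demand": 3, "hard": 3}

Finding = Tuple[str, str, str]  # (option, severity "weak" | "info", explanation)


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Map OPTION -> value. Option names are case-insensitive in ldap.conf, so
    they are upper-cased; comments and blank lines are skipped; a repeated
    option keeps its last value."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) == 2 else ""
    return opts


def lint_tls(opts: Dict[str, str]) -> List[Finding]:
    """Report settings that weaken ("weak") or muddy ("info") certificate checks."""
    findings: List[Finding] = []
    reqcert = opts.get("TLS_REQCERT", "demand").lower()  # libldap's default is demand
    if REQCERT_RANK.get(reqcert, 3) < REQCERT_RANK["demand"]:
        findings.append(("TLS_REQCERT", "weak",
            f"'{reqcert}' keeps the session going even if the server certificate "
            "is absent or fails to verify, so a wrong or missing CA is never "
            "reported; set it to 'demand'"))
    if "TLS_CACERT" not in opts and "TLS_CACERTDIR" not in opts:
        findings.append(("TLS_CACERT", "weak",
            "no trust anchor configured, so no server certificate can verify"))
    if "TLS_CACERTDIR" in opts:
        findings.append(("TLS_CACERTDIR", "info",
            "only consulted if the directory holds c_rehash-style hash links; a "
            "bare cacert.pem file in it is ignored (TLS_CACERT already covers it)"))
    if "HOST" in opts and "URI" in opts:
        findings.append(("HOST", "info",
            "deprecated and ignored when URI is present; the host in URI is what "
            "the server certificate must match"))
    if "TLS_CHECKPEER" in opts:
        findings.append(("TLS_CHECKPEER", "info",
            "nss_ldap/pam_ldap spelling (assumption of this example); libldap "
            "reads only TLS_REQCERT, so this line does not tighten libldap"))
    return findings


def harden(opts: Dict[str, str]) -> Dict[str, str]:
    """Return a copy with strict trust settings: the server must present a
    certificate that chains to TLS_CACERT and matches the URI host name."""
    fixed = dict(opts)
    fixed["TLS_REQCERT"] = "demand"
    fixed.pop("HOST", None)           # URI already names the server
    fixed.pop("TLS_CACERTDIR", None)  # TLS_CACERT alone is sufficient and unambiguous
    return fixed


def render(opts: Dict[str, str]) -> str:
    """Serialise back to ldap.conf syntax."""
    return "".join(f"{k} {v}\n" for k, v in opts.items())


if __name__ == "__main__":
    posted = parse_ldap_conf(POSTED_LDAP_CONF)
    for option, severity, why in lint_tls(posted):
        print(f"[{severity}] {option}: {why}")
    print("--- hardened ---")
    print(render(harden(posted)), end="")
```

The useful property of the hardened file is that a certificate which does not chain to cacert.pem, or whose name does not match the host in `URI`, now fails the handshake loudly on the client instead of being waved through, so the next step of debugging starts from a definite error rather than from a login that "didn't go".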

Re: ssl certificate problem
user name
2007-04-10 10:34:05
Paolo Ercolani wrote:
> Hi. I'm new to this list and for a week I've been really fighting with directory server. I followed some howtos and downloaded a lot of documents, but I can't get out of trouble.
> I need to log in from my Linux boxes to the LDAP directory server. If I try to use my test user in clear mode I can do that. The problem is when I try to configure a self-signed certificate. I won't describe all the tests I've done, I'll tell you just the last!!
> I created my cacert.pem on the LDAP server and installed it from the console. It goes and it's OK. Then I used openssl to generate a private key and a certificate request, then I signed it. That's what I did:
>
>    openssl genrsa -out privkey.pem 2048
>    openssl req -new -key privkey.pem -out PEM.csr
>    openssl ca -cert cacert.pem -in PEM.csr -out cert.pem
>
> I copied cacert.pem, privkey.pem and cert.pem to the client and configured ldap.conf on it:
>
>    URI ldaps://<ldapserver>:636
>    BASE ou=UTENTI,o=postel,c=com
>    host kingu.postel.com
>    TLS_REQCERT allow
>    TLS_CHECKPEER yes
>    TLS_CACERTDIR /etc/ssl
>    TLS_CACERT /etc/ssl/cacert.pem
>    TLS_CERT /etc/ssl/cert.pem
>    TLS_KEY /etc/ssl/privkey.pem
>
> I activated SSL on my LDAP server and installed my cacert.pem on it. I didn't do anything else.
> I also tried to generate a certificate request from Directory Server and to sign it with my cacert.pem. Then I imported it as my server-cert. It imported it, but login still didn't go.
I'm unclear on this last step. What do you mean by login still didn't go? Because the access log excerpt below would seem to indicate that the OS did search for and find the login name.
>
> I followed the manuals I found on directory.fedora.org (Managing SSL and SASL), but I looked at a lot of documents too.
>
> I think the logs say nothing bad. This is my access log:
>
>    [10/Apr/2007:14:59:54 +0200] conn=15 fd=65 slot=65 SSL connection from <ldap client> to <ldap server>
>    [10/Apr/2007:14:59:54 +0200] conn=15 SSL 256-bit AES
>    [10/Apr/2007:14:59:54 +0200] conn=15 op=0 BIND dn="" method=128 version=3
>    [10/Apr/2007:14:59:54 +0200] conn=15 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>    [10/Apr/2007:14:59:54 +0200] conn=15 op=1 SRCH base="ou=UTENTI,o=postel,c=com" scope=2 filter="(&(objectClass=posixAccount)(uid=utente))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
>    [10/Apr/2007:14:59:54 +0200] conn=15 op=1 RESULT err=0 tag=101 nentries=1 etime=0
>    [10/Apr/2007:14:59:56 +0200] conn=15 op=2 SRCH base="ou=UTENTI,o=postel,c=com" scope=2 filter="(&(objectClass=posixAccount)(uid=utente))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
>    [10/Apr/2007:14:59:56 +0200] conn=15 op=2 RESULT err=0 tag=101 nentries=1 etime=0
>    [10/Apr/2007:14:59:56 +0200] conn=15 op=3 SRCH base="ou=UTENTI,o=postel,c=com" scope=2 filter="(&(objectClass=shadowAccount)(uid=utente))" attrs="uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag"
>    [10/Apr/2007:14:59:56 +0200] conn=15 op=3 RESULT err=0 tag=101 nentries=1 etime=0
>    [10/Apr/2007:14:59:56 +0200] conn=15 op=4 SRCH base="ou=UTENTI,o=postel,c=com" scope=2 filter="(&(objectClass=posixAccount)(uid=utente))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
>    [10/Apr/2007:14:59:56 +0200] conn=15 op=4 RESULT err=0 tag=101 nentries=1 etime=0
>    [10/Apr/2007:14:59:56 +0200] conn=16 fd=66 slot=66 SSL connection from <ldap client> to <ldap server>
>
> To me it seems it says nothing bad. I can't get out of it and I don't understand what is wrong. The directory server version is 1.0.4. I installed it from RPM on Red Hat Enterprise 4.
>
> If I try to log on with URI ldap://<ldapserver> (not SSL!!) it goes and I can authenticate using LDAP!!!
>
> Can anyone help me, please???
>
>
> Thanks everyone.
> Paolo.
>
>
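
The reply's point is that the access log has to be read for what it actually records: which connections were TLS, who bound and with what result, and whether any operation returned an error. As an added example that is not part of the thread, the Python below parses the posted Fedora/389 Directory Server access-log lines (re-joined one per line, with Paolo's `<ldap client>`/`<ldap server>` placeholders kept and the repeated ops 2 and 4 omitted) into a per-connection summary. A second connection, `conn=16`, is constructed here to show what a genuinely failing user bind looks like in the same log (`err=49` is LDAP invalidCredentials). The line grammar assumed is only what is visible in the posted lines; `method=128` is the simple-bind method code.

```python
"""Summarise a 389/Fedora Directory Server access log per connection (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: conn=15 lines are from the original post; conn=16 is
# invented here to show a failed user bind (err=49, invalidCredentials).
SAMPLE_LOG = """\
[10/Apr/2007:14:59:54 +0200] conn=15 fd=65 slot=65 SSL connection from <ldap client> to <ldap server>
[10/Apr/2007:14:59:54 +0200] conn=15 SSL 256-bit AES
[10/Apr/2007:14:59:54 +0200] conn=15 op=0 BIND dn="" method=128 version=3
[10/Apr/2007:14:59:54 +0200] conn=15 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[10/Apr/2007:14:59:54 +0200] conn=15 op=1 SRCH base="ou=UTENTI,o=postel,c=com" scope=2 filter="(&(objectClass=posixAccount)(uid=utente))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
[10/Apr/2007:14:59:54 +0200] conn=15 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[10/Apr/2007:14:59:56 +0200] conn=15 op=3 SRCH base="ou=UTENTI,o=postel,c=com" scope=2 filter="(&(objectClass=shadowAccount)(uid=utente))" attrs="uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag"
[10/Apr/2007:14:59:56 +0200] conn=15 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[10/Apr/2007:14:59:56 +0200] conn=16 fd=66 slot=66 SSL connection from <ldap client> to <ldap server>
[10/Apr/2007:14:59:56 +0200] conn=16 SSL 256-bit AES
[10/Apr/2007:14:59:57 +0200] conn=16 op=0 BIND dn="uid=utente,ou=UTENTI,o=postel,c=com" method=128 version=3
[10/Apr/2007:14:59:57 +0200] conn=16 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""

# "[timestamp] conn=N [op=M] <rest of line>"
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<body>.*)$')
# key=value tokens; quoted values may contain spaces and LDAP filter syntax
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class Conn:
    conn: int
    ssl: bool = False
    cipher: Optional[str] = None
    binds: List[dict] = field(default_factory=list)     # op, dn, method, err
    searches: List[dict] = field(default_factory=list)  # op, filter, err, nentries


def parse_access_log(text: str) -> Dict[int, Conn]:
    """Group log lines by connection, pairing each BIND/SRCH with its RESULT."""
    conns: Dict[int, Conn] = {}
    pending: Dict[tuple, dict] = {}  # (conn, op) -> record still awaiting its RESULT
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an access-log line this parser understands
        cid, body = int(m["conn"]), m["body"]
        c = conns.setdefault(cid, Conn(cid))
        kv = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        if "SSL connection" in body:              # "fd=65 slot=65 SSL connection from ..."
            c.ssl = True
        elif body.startswith("SSL "):             # negotiated cipher, e.g. "SSL 256-bit AES"
            c.cipher = body[len("SSL "):]
        elif body.startswith("BIND "):            # method=128 is a simple bind
            rec = {"op": int(m["op"]), "dn": kv.get("dn", ""),
                   "method": kv.get("method"), "err": None}
            c.binds.append(rec)
            pending[(cid, rec["op"])] = rec
        elif body.startswith("SRCH "):
            rec = {"op": int(m["op"]), "filter": kv.get("filter"),
                   "err": None, "nentries": None}
            c.searches.append(rec)
            pending[(cid, rec["op"])] = rec
        elif body.startswith("RESULT "):
            rec = pending.pop((cid, int(m["op"])), None)
            if rec is not None:
                rec["err"] = int(kv["err"])
                if "nentries" in rec:
                    rec["nentries"] = int(kv.get("nentries", 0))
    return conns


def summarize(c: Conn) -> dict:
    """The facts to establish before reading anything into "login didn't work":
    was the transport TLS, who actually bound, and did any operation fail."""
    return {
        "conn": c.conn,
        "ssl": c.ssl,
        "cipher": c.cipher,
        "anonymous_binds": sum(1 for b in c.binds if b["dn"] == ""),
        "authenticated_binds": [b["dn"] for b in c.binds if b["dn"]],
        "failed_ops": [(o["op"], o["err"]) for o in c.binds + c.searches
                       if o["err"] not in (None, 0)],
        "searches_with_hits": sum(1 for s in c.searches if (s["nentries"] or 0) > 0),
    }


if __name__ == "__main__":
    for cid, c in sorted(parse_access_log(SAMPLE_LOG).items()):
        print(summarize(c))
```

Run against the posted excerpt, the summary for `conn=15` shows a TLS session with one anonymous simple bind, two successful searches that each found the `utente` entry, and no errors at all, which is exactly why the reply asks what "didn't go" means: the authenticating bind as the user is not in this excerpt. The constructed `conn=16` shows the shape such a bind takes when it does fail, so the check to run on the real log is whether any non-empty `dn` ever appears in a `BIND` and what `err` its `RESULT` carries.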

