Thread: Re: ssl certificate problem

Re: ssl certificate problem
user name
2007-04-17 05:13:13
Paolo Ercolani wrote:

    Hi. I'm new to this list and it's been a week that I'm really fighting
    with Directory Server. I followed some howtos and downloaded a lot of
    documents, but I can't get out of trouble. I need to log in from my
    Linux boxes to the LDAP directory server. If I try to use my test user
    in clear mode, I can do that. The problem is when I try to configure a
    self-signed certificate. I won't describe all the tests I've done, I'll
    tell you just the last one!! I created my cacert.pem on the LDAP server
    and installed it from the console. It goes and it's ok. Then I used
    openssl to generate a private key and a certificate request, then I
    signed it. That's what I did:

       openssl genrsa -out privkey.pem 2048
       openssl req -new -key privkey.pem -out PEM.csr
       openssl ca -cert cacert.pem -in PEM.csr -out cert.pem


    I copied cacert.pem, privkey.pem and cert.pem to the client and I
    configured ldap.conf on it:

       URI ldaps://<ldapserver>:636
       BASE ou=UTENTI,o=postel,c=com
       host kingu.postel.com
       TLS_REQCERT allow
       TLS_CHECKPEER yes
       TLS_CACERTDIR /etc/ssl
       TLS_CACERT /etc/ssl/cacert.pem
       TLS_CERT /etc/ssl/cert.pem
       TLS_KEY /etc/ssl/privkey.pem


    I activated SSL on my LDAP server and installed my cacert.pem on it. I
    didn't do anything else. I also tried to generate a certificate request
    from Directory Server and to sign it with my cacert.pem. Then I imported
    it as my server-cert. It imported it, but login still didn't go.

> I'm unclear on this last step. What do you mean by login still didn't
> go? Because the access log excerpt below would seem to indicate that
> the OS did search for and find the login name.

Yes. Reading the logs, it seems login goes ok. But my client can't really
log in and I don't know what I can check. The client asks me again for the
password, but I'm sure it's the right one. Have you any ideas for checking
something???

Thanks in advance.
Paolo.

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

Re: ssl certificate problem
user name
2007-04-17 09:31:53
Paolo Ercolani wrote:
> Paolo Ercolani wrote:
>
>    Hi. I'm new to this list and it's been a week that I'm really fighting
>    with Directory Server. I followed some howtos and downloaded a lot of
>    documents, but I can't get out of trouble. I need to log in from my
>    Linux boxes to the LDAP directory server. If I try to use my test user
>    in clear mode, I can do that. The problem is when I try to configure a
>    self-signed certificate. I won't describe all the tests I've done, I'll
>    tell you just the last one!! I created my cacert.pem on the LDAP server
>    and installed it from the console. It goes and it's ok. Then I used
>    openssl to generate a private key and a certificate request, then I
>    signed it. That's what I did:
>
>       openssl genrsa -out privkey.pem 2048
>       openssl req -new -key privkey.pem -out PEM.csr
>       openssl ca -cert cacert.pem -in PEM.csr -out cert.pem
>
>    I copied cacert.pem, privkey.pem and cert.pem to the client and I
>    configured ldap.conf on it:
Is this /etc/openldap/ldap.conf? In order to get pam/nss working (I
assume by "login" you mean login to the operating system) you need to
configure pam/nss ldap to do TLS, which is the file /etc/ldap.conf,
which takes the below parameters in slightly different format.

I don't know if you need TLS_CERT and TLS_KEY - are you attempting to do
client cert auth - EXTERNAL bind?
>
>       URI ldaps://<ldapserver>:636
>       BASE ou=UTENTI,o=postel,c=com
>       host kingu.postel.com
>       TLS_REQCERT allow
>       TLS_CHECKPEER yes
>       TLS_CACERTDIR /etc/ssl
>       TLS_CACERT /etc/ssl/cacert.pem
>       TLS_CERT /etc/ssl/cert.pem
>       TLS_KEY /etc/ssl/privkey.pem
>
>    I activated SSL on my LDAP server and installed my cacert.pem on it. I
>    didn't do anything else. I also tried to generate a certificate request
>    from Directory Server and to sign it with my cacert.pem. Then I imported
>    it as my server-cert. It imported it, but login still didn't go.
>
> > I'm unclear on this last step. What do you mean by login still didn't
> > go? Because the access log excerpt below would seem to indicate that
> > the OS did search for and find the login name.
>
> Yes. Reading the logs, it seems login goes ok. But my client can't really
> log in and I don't know what I can check. The client asks me again for the
> password, but I'm sure it's the right one. Have you any ideas for checking
> something???
>
> Thanks in advance.
> Paolo.

