Just basic stuff...I promise I have been through the wiki and the
Administrator's guide (managing SSL and SASL) several times.
Using openssl generated CA certificate and used that to sign CSRs from
console application and loaded them all into console application. Have
restarted FDS and it seems to be happy - but just to confirm...
lifted from /opt/fedora-ds/slapd-srv1/logs/errors
[09/Dec/2005:08:33:47 -0700] - Fedora-Directory/1.0.1 B2005.342.165
starting up
[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher AES in
backend userRoot, attempting to create one...
[09/Dec/2005:08:33:47 -0700] - Key for cipher AES successfully generated
and stored
[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher 3DES in
backend userRoot, attempting to create one...
[09/Dec/2005:08:33:47 -0700] - Key for cipher 3DES successfully
generated and stored
[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher AES in
backend NetscapeRoot, attempting to create one...
[09/Dec/2005:08:33:48 -0700] - Key for cipher AES successfully generated
and stored
[09/Dec/2005:08:33:48 -0700] - No symmetric key found for cipher 3DES in
backend NetscapeRoot, attempting to create one...
[09/Dec/2005:08:33:48 -0700] - Key for cipher 3DES successfully
generated and stored
[09/Dec/2005:08:33:48 -0700] - slapd started. Listening on All
Interfaces port 389 for LDAP requests
[09/Dec/2005:08:33:48 -0700] - Listening on All Interfaces port 636 for
LDAPS requests
MY PROBLEM
# ldapsearch -ZZ '(uid=jim)'
ldap_start_tls: Connect error (-11)
additional info: Start TLS request accepted.Server willing to
negotiate SSL.
# tail -n4 /opt/fedora-ds/slapd-srv1/logs/access
[09/Dec/2005:11:55:26 -0700] conn=83 op=5 fd=68 closed - U1
[09/Dec/2005:12:00:58 -0700] conn=84 fd=68 slot=68 connection from
127.0.0.1 to 127.0.0.1
[09/Dec/2005:12:00:58 -0700] conn=84 op=0 EXT
oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[09/Dec/2005:12:00:58 -0700] conn=84 op=0 RESULT err=0 tag=120
nentries=0 etime=0
[09/Dec/2005:12:00:58 -0700] conn=84 op=-1 fd=68 closed - Encountered
end of file.
# tail -n 7 /etc/openldap/ldap.conf
URI ldap://srv1.clsurvey.com
HOST srv1.clsurvey.com
BASE dc=clsurvey,dc=com
TLS_CACERTDIR /etc/ssl
TLS_CACERT server.crt
pam_password md5
TLS_REQCERT allow
My thinking is that this somehow has something to do with the TLS_CACERT
in /etc/openldap/ldap.conf (the certificate for the client).
Would this be the issue?
Is there a better method for creating the client certificate from either
the CA certificate (generated by openssl) or from the FDS Server
Certificate (also generated by openssl)?
Craig
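Before looking at the client certificate, the ldap.conf above has two settings worth checking on their own: TLS_CACERT is a bare file name (libldap resolves it from the working directory, not from TLS_CACERTDIR), and the name server.crt suggests it holds the server certificate, whereas libldap expects the CA certificate that signed it; TLS_REQCERT allow additionally tells libldap to carry on when the server certificate fails verification. The script below is an added example, not code from the thread or from Fedora DS: a small sh script that lints such a file for those three points and writes a hardened copy. The sample ldap.conf is constructed from the seven lines posted above, and the CA path /etc/ssl/clsurvey-ca.crt is an assumed name.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an OpenLDAP client ldap.conf
# for the pitfalls in the configuration posted above, then write a hardened
# copy. The CA file path /etc/ssl/clsurvey-ca.crt is an assumed name.
set -eu

TMP=${TMPDIR:-/tmp}
SAMPLE_CONF="$TMP/ldap.conf.sample.$$"
HARDENED_CONF="$TMP/ldap.conf.hardened.$$"
trap 'rm -f "$SAMPLE_CONF" "$HARDENED_CONF"' EXIT

# Constructed sample: the seven lines from the thread's /etc/openldap/ldap.conf.
cat > "$SAMPLE_CONF" <<'EOF'
URI ldap://srv1.clsurvey.com
HOST srv1.clsurvey.com
BASE dc=clsurvey,dc=com
TLS_CACERTDIR /etc/ssl
TLS_CACERT server.crt
pam_password md5
TLS_REQCERT allow
EOF

# conf_get FILE KEY: value of the first KEY line (ldap.conf keys are case-insensitive).
conf_get() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# lint_ldap_conf FILE: print one finding per line; exit 0 only when there are none.
lint_ldap_conf() {
    f=$1
    n=0
    cacert=$(conf_get "$f" TLS_CACERT)
    reqcert=$(conf_get "$f" TLS_REQCERT | tr 'A-Z' 'a-z')

    # 1. TLS_CACERT is a file path resolved from the process's working
    #    directory, not from TLS_CACERTDIR; a bare file name is found by luck
    #    or not at all, and the handshake then fails before any bind.
    case "$cacert" in
        "")  echo "TLS_CACERT unset: no trust anchor for the server certificate"; n=$((n+1)) ;;
        /*)  ;;
        *)   echo "TLS_CACERT '$cacert' is relative; use an absolute path"; n=$((n+1)) ;;
    esac

    # 2. Heuristic on the file name: TLS_CACERT must hold the CA certificate
    #    that signed the server certificate, not the server certificate itself.
    case "$cacert" in
        *server*) echo "TLS_CACERT '$cacert' looks like a server cert, not the issuing CA"; n=$((n+1)) ;;
    esac

    # 3. Anything weaker than 'demand' (the default; 'hard' is its synonym)
    #    lets the client proceed with an unverified server, so an attacker on
    #    the path can impersonate the directory and collect bind credentials.
    case "$reqcert" in
        ""|demand|hard) ;;
        *) echo "TLS_REQCERT $reqcert: server cert failures tolerated; set 'demand'"; n=$((n+1)) ;;
    esac

    [ "$n" -eq 0 ]
}

# harden_ldap_conf IN OUT CA_PATH: copy IN to OUT with TLS_CACERT pointing at
# CA_PATH and TLS_REQCERT set to demand (both appended if absent).
harden_ldap_conf() {
    awk -v ca="$3" '
        tolower($1) == "tls_cacert"  { print "TLS_CACERT " ca; seen_ca = 1; next }
        tolower($1) == "tls_reqcert" { print "TLS_REQCERT demand"; seen_rq = 1; next }
        { print }
        END {
            if (!seen_ca) print "TLS_CACERT " ca
            if (!seen_rq) print "TLS_REQCERT demand"
        }' "$1" > "$2"
}

echo "== findings for the posted ldap.conf =="
lint_ldap_conf "$SAMPLE_CONF" || true

harden_ldap_conf "$SAMPLE_CONF" "$HARDENED_CONF" /etc/ssl/clsurvey-ca.crt
echo "== hardened ldap.conf =="
cat "$HARDENED_CONF"
lint_ldap_conf "$HARDENED_CONF" && echo "hardened config: no findings"
```

Run it as-is to see the three findings for the posted file and the clean result for the hardened copy; point `harden_ldap_conf` at a real ldap.conf and the PEM file of the CA that signed the FDS server certificate to produce a drop-in replacement.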
> My thinking is that this somehow has something to do with the TLS_CACERT
> in /etc/openldap/ldap.conf (the certificate for the client).

In general most folk don't need client certs, but AFAIK the openldap
ldapsearch _requires_ that you present a client cert.

> Would this be the issue?

Probably yes. Shouldn't you be using a user-specific ldap.conf for your
client-side config?

> Is there a better method for creating the client certificate from either
> the CA certificate (generated by openssl) or from the FDS Server
> Certificate (also generated by openssl)?

Provided the client cert was signed by the same CA as the server cert, you
should be ok. The client cert has no relationship per se with the server
cert.
Craig White wrote:
> Just basic stuff...I promise I have been through the wiki and the
> Administrator's guide (managing SSL and SASL) several times.
>
> Using openssl generated CA certificate and used that to sign CSRs from
> console application and loaded them all into console application. Have
> restarted FDS and it seems to be happy - but just to confirm...
>
> lifted from /opt/fedora-ds/slapd-srv1/logs/errors
> [09/Dec/2005:08:33:47 -0700] - Fedora-Directory/1.0.1 B2005.342.165
> starting up
> [09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher AES in
> backend userRoot, attempting to create one...
> [09/Dec/2005:08:33:47 -0700] - Key for cipher AES successfully generated
> and stored
> [09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher 3DES in
> backend userRoot, attempting to create one...
> [09/Dec/2005:08:33:47 -0700] - Key for cipher 3DES successfully
> generated and stored
> [09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher AES in
> backend NetscapeRoot, attempting to create one...
> [09/Dec/2005:08:33:48 -0700] - Key for cipher AES successfully generated
> and stored
> [09/Dec/2005:08:33:48 -0700] - No symmetric key found for cipher 3DES in
> backend NetscapeRoot, attempting to create one...
> [09/Dec/2005:08:33:48 -0700] - Key for cipher 3DES successfully
> generated and stored
> [09/Dec/2005:08:33:48 -0700] - slapd started. Listening on All
> Interfaces port 389 for LDAP requests
> [09/Dec/2005:08:33:48 -0700] - Listening on All Interfaces port 636 for
> LDAPS requests
>
> MY PROBLEM
> # ldapsearch -ZZ '(uid=jim)'
> ldap_start_tls: Connect error (-11)
>         additional info: Start TLS request accepted.Server willing to
> negotiate SSL.

Looks like openldap and FDS are not responding to the startTLS operation
the same way. Try
ldapsearch -v ...
or
ldapsearch -d 1 ...

> # tail -n4 /opt/fedora-ds/slapd-srv1/logs/access
> [09/Dec/2005:11:55:26 -0700] conn=83 op=5 fd=68 closed - U1
> [09/Dec/2005:12:00:58 -0700] conn=84 fd=68 slot=68 connection from
> 127.0.0.1 to 127.0.0.1
> [09/Dec/2005:12:00:58 -0700] conn=84 op=0 EXT
> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [09/Dec/2005:12:00:58 -0700] conn=84 op=0 RESULT err=0 tag=120
> nentries=0 etime=0
> [09/Dec/2005:12:00:58 -0700] conn=84 op=-1 fd=68 closed - Encountered
> end of file.
>
> # tail -n 7 /etc/openldap/ldap.conf
> URI ldap://srv1.clsurvey.com
> HOST srv1.clsurvey.com
> BASE dc=clsurvey,dc=com
> TLS_CACERTDIR /etc/ssl
> TLS_CACERT server.crt
> pam_password md5
> TLS_REQCERT allow
>
> My thinking is that this somehow has something to do with the TLS_CACERT
> in /etc/openldap/ldap.conf (the certificate for the client).
>
> Would this be the issue?
>
> Is there a better method for creating the client certificate from either
> the CA certificate (generated by openssl) or from the FDS Server
> Certificate (also generated by openssl)?
>
> Craig
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
On Fri, 2005-12-09 at 12:31 -0700, Richard Megginson wrote:
> Craig White wrote:
>> Just basic stuff...I promise I have been through the wiki and the
>> Administrator's guide (managing SSL and SASL) several times.
>>
>> Using openssl generated CA certificate and used that to sign CSRs from
>> console application and loaded them all into console application. Have
>> restarted FDS and it seems to be happy - but just to confirm...
>>
>> [...]
>>
>> MY PROBLEM
>> # ldapsearch -ZZ '(uid=jim)'
>> ldap_start_tls: Connect error (-11)
>>         additional info: Start TLS request accepted.Server willing to
>> negotiate SSL.
>
> Looks like openldap and FDS are not responding to the startTLS operation
> the same way. Try
> ldapsearch -v ...
> or
> ldapsearch -d 1 ...
----
OK - instructions don't entirely cover the issue when you use openldap
client version of ldapsearch

ldapsearch -x -ZZ '(uid=jim)'   # no problem

the -x was still required for ssl (ldaps://server:636 and
ldap://server:389) when not using SASL

thanks and thanks David - it helped clarify things

Craig
>> My thinking is that this somehow has something to do with the TLS_CACERT
>> in /etc/openldap/ldap.conf (the certificate for the client).
>
> In general most folk don't need client certs, but AFAIK the openldap
> ldapsearch
> _requires_ that you present a client cert.

by default, yes. That's what we call a "safe" default. If you specify
"TLS_REQCERT never", as documented in ldap.conf(5), that does the trick.

>> Would this be the issue?
>
> Probably yes. Shouldn't you be using a user-specific ldap.conf for your
> client-side config ?
>
>> Is there a better method for creating the client certificate from either
>> the CA certificate (generated by openssl) or from the FDS Server
>> Certificate (also generated by openssl)?
>
> Provided the client cert was signed by the same CA as the server cert,
> you should be ok. The client cert has no relationship per se with the
> server cert.

If the client's CA is not the same as the server's CA, you need the server
to know about the CA's cert, and let it know it's trusted. I don't know the
details for FDS, though. Note that if the client is to verify the server's
CA, the same issue with reversed players arises.

p.

--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it

Ing. Pierangelo Masarati
Responsabile Open Solution
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:  +39.02.23998309
Mobile:  +39.333.4963172
Email:   pierangelo.masarati@sys-net.it
------------------------------------------
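The last paragraph of the reply above is the general rule: each side verifies the peer's certificate against the CA it has been told to trust, so a client whose TLS_CACERT holds the server certificate instead of the CA has no chain to build, and the handshake fails exactly as the -11 in the original post shows. The script below is an added example, not code from the thread or from Fedora DS: it rebuilds the CA / server / client setup with openssl (the CA is the openssl-generated one that signed the console's CSRs in the question), signs a server and a client CSR with it, and runs the same chain check libldap performs at StartTLS time, including the failing case of verifying the server certificate against itself. Subjects, host names and file names are assumptions. One caveat on the "TLS_REQCERT never" suggestion: it makes the error go away by skipping server verification altogether, which leaves the StartTLS session open to impersonation; pointing TLS_CACERT at the CA file by absolute path keeps the server authenticated and is the fix to prefer.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fedora DS: build a private CA
# with openssl, sign a server CSR and a client CSR with it, and check each chain
# the way libldap does at StartTLS time. Subjects and file names are assumptions.
set -eu
command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config so the run does not depend on the system openssl.cnf;
# the CA gets explicit CA:TRUE / keyCertSign so every openssl version accepts
# it as an issuer.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example LDAP CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Self-signed CA (key + certificate). In the thread this is the openssl CA
# that signed the CSRs exported from the FDS console.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config ca.cnf \
    -keyout ca.key -out ca.crt >/dev/null 2>&1

# issue_cert NAME SUBJECT SAN: NAME.key + NAME.csr, then NAME.crt signed by
# ca.crt. The same routine serves the server and any client cert, which is
# the point made above: the two certs relate only through the CA that signed both.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "$2" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=%s\n' "$3" > "$1.ext"
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -extfile "$1.ext" -out "$1.crt" >/dev/null 2>&1
}

# chains_to CAFILE CERT: 0 if CERT verifies against the anchors in CAFILE.
# This is the check libldap performs with TLS_CACERT=CAFILE when the server
# presents CERT; a failure here surfaces on the client as a StartTLS error.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

issue_cert server "/CN=srv1.example.com"  "DNS:srv1.example.com"
issue_cert client "/CN=ldapsearch-client" "email:jim@example.com"

report() {
    if chains_to "$1" "$2"; then echo "ok:   $2 chains to $1"
    else                         echo "FAIL: $2 does not chain to $1"; fi
}
report ca.crt     server.crt   # what TLS_CACERT must point at
report ca.crt     client.crt   # client cert signed by the same CA
report server.crt server.crt   # the posted TLS_CACERT server.crt: no chain

# Client side, once ca.crt is installed (absolute path; see ldap.conf(5)):
#   TLS_CACERT  /etc/openldap/cacerts/example-ldap-ca.crt
#   TLS_REQCERT demand
#   ldapsearch -x -ZZ -H ldap://srv1.example.com -b dc=example,dc=com '(uid=jim)'
# -x selects a simple bind; without it ldapsearch attempts SASL, as the
# follow-up in the thread found. Leave TLS_REQCERT at demand: 'never' or
# 'allow' skips server authentication, so the search and any bind password go
# to whoever answers on port 389.
openssl x509 -in ca.crt -noout -subject -issuer   # self-signed: subject == issuer
```

The third `report` line is the posted configuration: a leaf certificate is not a trust anchor, so verifying server.crt against itself fails with "unable to get local issuer certificate", the same outcome libldap reports as a connect error. Installing ca.crt on the client and referencing it by absolute path is what makes the first line succeed.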