Hello,

I have FDS 1.0.4 running using an SSL certificate generated by a Microsoft Windows 2003 CA server.
I chose this method as opposed to the setupssl.sh script from the wiki because I have read in the list archives that it is the best way to avoid trust issues when setting up PassSync over SSL between FDS and AD. I'm having a hard time finding references for configuring this properly and I know very little about SSL certificates so I'm making some guesses and likely missing a crucial step or two.
The problem is that when trying to bind to the FDS using SSL I get certificate verification errors.

> # ldapsearch -x -H ldaps://localhost/
> ldap_bind: Can't contact LDAP server (-1)
>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Here's how I set up the certificates...
1. Generated a CSR using the FDS console wizard and submitted it to the MS CA.
2. Imported the CA certificate (called "it") and the signed "server-cert" resulting from step 1 from the MS CA using the FDS admin console.
3. Enabled SSL (port 636) in the directory server using server-cert from step 1.

I used certutil to display the list of certificates in the FDS cert db.
> [alias]# ../shared/bin/certutil -L -d . -P slapd-<instance>-
> server-cert    u,u,u
> it             CT,,

Then verified that "server-cert" was considered valid.
> [alias]# ../shared/bin/certutil -V -n server-cert -e -u V -d . -P slapd-<instance>-
> Enter Password or Pin for "NSS Certificate DB":
> certutil-bin: certificate is valid

I also verified that I can connect using openssl client.
> # openssl s_client -connect localhost:636 -showcerts -CAfile /path/to/it_ca.crt
> --snip--
> Verify return code: 0 (ok)
> ---

Any hints as to what I might be doing wrong are greatly appreciated.

Thanks,
-Jake
Richard Megginson
2007-Jul-16 15:42 UTC
Re: [Fedora-directory-users] Using certs from MS CA server
J Davis wrote:
> Hello,
>
> I have FDS 1.0.4 running using an SSL certificate generated by a
> Microsoft Windows 2003 CA server.
> I chose this method as opposed to the setupssl.sh script from the
> wiki because I have read in the list archives that it is the best way
> to avoid trust issues when setting up PassSync over SSL between FDS
> and AD. I'm having a hard time finding references for configuring this
> properly and I know very little about SSL certificates so I'm making
> some guesses and likely missing a crucial step or two.
> The problem is that when trying to bind to the FDS using SSL I get
> certificate verification errors.
>
> > # ldapsearch -x -H ldaps://localhost/
> > ldap_bind: Can't contact LDAP server (-1)
> >         additional info: error:14090086:SSL
> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

/usr/bin/ldapsearch is OpenLDAP ldapsearch. Did you follow these steps
to tell it where to find the CA cert?
http://directory.fedoraproject.org/wiki/Howto:SSL#Configure_LDAP_clients

> Here's how I set up the certificates...
> 1. Generated a CSR using the FDS console wizard and submitted it to
> the MS CA.
> 2. Imported the CA certificate (called "it") and the signed
> "server-cert" resulting from step 1 from the MS CA using the FDS admin
> console.
> 3. Enabled SSL (port 636) in the directory server using server-cert
> from step 1.

When you restarted the directory server, did it say it was listening for
LDAPS requests on port 636 in the error log?

> I used certutil to display the list of certificates in the FDS cert db.
> > [alias]# ../shared/bin/certutil -L -d . -P slapd-<instance>-
> > server-cert    u,u,u
> > it             CT,,
>
> Then verified that "server-cert" was considered valid.
> > [alias]# ../shared/bin/certutil -V -n server-cert -e -u V -d . -P
> > slapd-<instance>-
> > Enter Password or Pin for "NSS Certificate DB":
> > certutil-bin: certificate is valid
>
> I also verified that I can connect using openssl client.
> > # openssl s_client -connect localhost:636 -showcerts -CAfile
> > /path/to/it_ca.crt
> > --snip--
> > Verify return code: 0 (ok)
> > ---
>
> Any hints as to what I might be doing wrong are greatly appreciated.
>
> Thanks,
> -Jake
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Joshua M. Miller
2007-Jul-16 16:19 UTC
Re: [Fedora-directory-users] Using certs from MS CA server
Hi David,

If you are using a self-signed certificate (ie, the CN on the CA cert is
the same domain as the CN on the LDAP cert) then OpenLDAP will reject
the certificate by default.

You can see from the message that it found the certificate by the
message "certificate verify failed" in the error message.

If you want to keep using this certificate, you can add the following
line to your /etc/openldap/ldap.conf:

TLS_REQCERT never

This will allow ldapsearch to function while ignoring this error.

Please note the consequences of this action in the man page for ldap.conf.

Good luck,
--
Joshua M. Miller - RHCE,VCP

J Davis wrote:
> Hello,
>
> I have FDS 1.0.4 running using an SSL certificate generated by a
> Microsoft Windows 2003 CA server.
> I chose this method as opposed to the setupssl.sh script from the wiki
> because I have read in the list archives that it is the best way to
> avoid trust issues when setting up PassSync over SSL between FDS and AD.
> I'm having a hard time finding references for configuring this properly
> and I know very little about SSL certificates so I'm making some guesses
> and likely missing a crucial step or two.
> The problem is that when trying to bind to the FDS using SSL I get
> certificate verification errors.
>
> > # ldapsearch -x -H ldaps://localhost/
> > ldap_bind: Can't contact LDAP server (-1)
> >         additional info: error:14090086:SSL
> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Here's how I set up the certificates...
> 1. Generated a CSR using the FDS console wizard and submitted it to the
> MS CA.
> 2. Imported the CA certificate (called "it") and the signed
> "server-cert" resulting from step 1 from the MS CA using the FDS admin
> console.
> 3. Enabled SSL (port 636) in the directory server using server-cert from
> step 1.
>
> I used certutil to display the list of certificates in the FDS cert db.
> > [alias]# ../shared/bin/certutil -L -d . -P slapd-<instance>-
> > server-cert    u,u,u
> > it             CT,,
>
> Then verified that "server-cert" was considered valid.
> > [alias]# ../shared/bin/certutil -V -n server-cert -e -u V -d . -P
> > slapd-<instance>-
> > Enter Password or Pin for "NSS Certificate DB":
> > certutil-bin: certificate is valid
>
> I also verified that I can connect using openssl client.
> > # openssl s_client -connect localhost:636 -showcerts -CAfile
> > /path/to/it_ca.crt
> > --snip--
> > Verify return code: 0 (ok)
> > ---
>
> Any hints as to what I might be doing wrong are greatly appreciated.
>
> Thanks,
> -Jake
Joshua M. Miller
2007-Jul-16 16:21 UTC
UPDATED: [Fedora-directory-users] Using certs from MS CA server
Hi Jake,

If you are using a self-signed certificate (ie, the CN on the CA cert is
the same domain as the CN on the LDAP cert) then OpenLDAP will reject
the certificate by default.

You can see from the message that it found the certificate by the
message "certificate verify failed" in the error message.

If you want to keep using this certificate, you can add the following
line to your /etc/openldap/ldap.conf:

TLS_REQCERT never

This will allow ldapsearch to function while ignoring this error.

Please note the consequences of this action in the man page for ldap.conf.

Good luck,
--
Joshua M. Miller - RHCE,VCP

J Davis wrote:
> Hello,
>
> I have FDS 1.0.4 running using an SSL certificate generated by a
> Microsoft Windows 2003 CA server.
> I chose this method as opposed to the setupssl.sh script from the wiki
> because I have read in the list archives that it is the best way to
> avoid trust issues when setting up PassSync over SSL between FDS and AD.
> I'm having a hard time finding references for configuring this properly
> and I know very little about SSL certificates so I'm making some guesses
> and likely missing a crucial step or two.
> The problem is that when trying to bind to the FDS using SSL I get
> certificate verification errors.
>
> > # ldapsearch -x -H ldaps://localhost/
> > ldap_bind: Can't contact LDAP server (-1)
> >         additional info: error:14090086:SSL
> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Here's how I set up the certificates...
> 1. Generated a CSR using the FDS console wizard and submitted it to the
> MS CA.
> 2. Imported the CA certificate (called "it") and the signed
> "server-cert" resulting from step 1 from the MS CA using the FDS admin
> console.
> 3. Enabled SSL (port 636) in the directory server using server-cert from
> step 1.
>
> I used certutil to display the list of certificates in the FDS cert db.
> > [alias]# ../shared/bin/certutil -L -d . -P slapd-<instance>-
> > server-cert    u,u,u
> > it             CT,,
>
> Then verified that "server-cert" was considered valid.
> > [alias]# ../shared/bin/certutil -V -n server-cert -e -u V -d . -P
> > slapd-<instance>-
> > Enter Password or Pin for "NSS Certificate DB":
> > certutil-bin: certificate is valid
>
> I also verified that I can connect using openssl client.
> > # openssl s_client -connect localhost:636 -showcerts -CAfile
> > /path/to/it_ca.crt
> > --snip--
> > Verify return code: 0 (ok)
> > ---
>
> Any hints as to what I might be doing wrong are greatly appreciated.
>
> Thanks,
> -Jake
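The two suggestions in this thread leave the client in very different states: Richard's (tell OpenLDAP where the CA cert is) keeps server certificate verification on, while "TLS_REQCERT never" turns it off, so the client will accept any certificate presented on port 636. The following is an added example, not code from the thread or from Fedora Directory Server: a small sh audit of an OpenLDAP client ldap.conf that flags verification being disabled or no CA being configured. Both sample files are constructed here, and the CA path /path/to/it_ca.crt is the placeholder from the original post (the "it" CA exported as PEM).

```shell
# Added example, not from the thread: audit an OpenLDAP client ldap.conf for
# the TLS settings the replies discuss. "TLS_REQCERT never" (or "allow")
# switches server certificate checking off; the fix from the linked wiki page
# is to name the CA that signed server-cert via TLS_CACERT or TLS_CACERTDIR.
# conf_value FILE KEYWORD -> last value of KEYWORD in FILE. ldap.conf only
# treats whole lines starting with '#' as comments; keyword case is ignored.
conf_value() {
    awk -v k="$2" '/^[[:space:]]*#/ {next}
                   toupper($1)==toupper(k) {v=$2}
                   END {print v}' "$1"
}
# audit_ldap_conf FILE -> prints findings; returns 0 when the client will
# verify the server certificate against a configured CA, 1 otherwise.
audit_ldap_conf() {
    f="$1"
    reqcert=$(conf_value "$f" TLS_REQCERT | tr '[:upper:]' '[:lower:]')
    cacert=$(conf_value "$f" TLS_CACERT)
    cadir=$(conf_value "$f" TLS_CACERTDIR)
    rc=0
    case "$reqcert" in
        never|allow)
            echo "$f: TLS_REQCERT $reqcert disables server certificate checking"
            rc=1 ;;
    esac
    if [ -z "$cacert" ] && [ -z "$cadir" ]; then
        echo "$f: no TLS_CACERT/TLS_CACERTDIR, so the signing CA is not trusted"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "$f: ok (TLS_REQCERT ${reqcert:-demand}, CA ${cacert:-$cadir})"
    return "$rc"
}
# Two constructed sample files: the workaround from the reply above, and the
# CA-based fix. The CA file path is the placeholder from the original post.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
WEAK_CONF="$SAMPLE_DIR/ldap.conf.weak"
GOOD_CONF="$SAMPLE_DIR/ldap.conf.good"
cat > "$WEAK_CONF" <<'EOF'
URI ldaps://localhost/
TLS_REQCERT never
EOF
cat > "$GOOD_CONF" <<'EOF'
URI ldaps://localhost/
TLS_CACERT /path/to/it_ca.crt
EOF
audit_ldap_conf "$WEAK_CONF" || true
audit_ldap_conf "$GOOD_CONF"
```

The audit reads only the file it is given; OpenLDAP also honours a per-user ldaprc and LDAPTLS_* environment variables, which can override what the system ldap.conf says.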
Anderson, Cary
2007-Jul-16 16:25 UTC
[Fedora-directory-users] Help creating aci for a password manager account
I am trying to create an ldap user account that will have only the ability to change passwords on other ldap users. I have played around with the aci tool and have not had any success. Any help would be appreciated.

Thanks

Cary Anderson, Systems Software Specialist
UNIX/Linux Services
Information Technology Services Branch
Technology Services & Support Division / Data Center Section
System Software & Storage Infrastructure
CalPERS
Phone: (916) 795-2588
Fax: (916) 795-2424
Richard Megginson
2007-Jul-16 16:28 UTC
Re: [Fedora-directory-users] Help creating aci for a password manager account
Anderson, Cary wrote:
> I am trying to create an ldap user account that will have only the
> ability to change passwords on other ldap users. I have played around
> with the aci tool and have not had any success. Any help would be
> appreciated.

It could be a conflict with one of the default ACIs that are created when
you run setup.

> Thanks
>
> Cary Anderson, Systems Software Specialist
> UNIX/Linux Services
> Information Technology Services Branch
> Technology Services & Support Division / Data Center Section
> System Software & Storage Infrastructure
> CalPERS
> Phone: (916) 795-2588
> Fax: (916) 795-2424
On 7/16/07, Richard Megginson <rmeggins@redhat.com> wrote:
> > > # ldapsearch -x -H ldaps://localhost/
> > > ldap_bind: Can't contact LDAP server (-1)
> > >         additional info: error:14090086:SSL
> > > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> /usr/bin/ldapsearch is OpenLDAP ldapsearch. Did you follow these steps
> to tell it where to find the CA cert?
> http://directory.fedoraproject.org/wiki/Howto:SSL#Configure_LDAP_clients

I did not and, as you predicted, doing so has fixed the bind error.

Thanks!
-Jake
Thanks, Joshua. This is very helpful.

-Jake

On 7/16/07, Joshua M. Miller <joshua@itsecureadmin.com> wrote:
> Hi David,
>
> If you are using a self-signed certificate (ie, the CN on the CA cert is
> the same domain as the CN on the LDAP cert) then OpenLDAP will reject
> the certificate by default.
>
> You can see from the message that it found the certificate by the
> message "certificate verify failed" in the error message.
>
> If you want to keep using this certificate, you can add the following
> line to your /etc/openldap/ldap.conf:
>
> TLS_REQCERT never
>
> This will allow ldapsearch to function while ignoring this error.
>
> Please note the consequences of this action in the man page for ldap.conf.
>
> Good luck,
> --
> Joshua M. Miller - RHCE,VCP
>
> J Davis wrote:
> > Hello,
> >
> > I have FDS 1.0.4 running using an SSL certificate generated by a
> > Microsoft Windows 2003 CA server.
> > I chose this method as opposed to the setupssl.sh script from the wiki
> > because I have read in the list archives that it is the best way to
> > avoid trust issues when setting up PassSync over SSL between FDS and AD.
> > I'm having a hard time finding references for configuring this properly
> > and I know very little about SSL certificates so I'm making some guesses
> > and likely missing a crucial step or two.
> > The problem is that when trying to bind to the FDS using SSL I get
> > certificate verification errors.
> >
> > > # ldapsearch -x -H ldaps://localhost/
> > > ldap_bind: Can't contact LDAP server (-1)
> > >         additional info: error:14090086:SSL
> > > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> >
> > Here's how I set up the certificates...
> > 1. Generated a CSR using the FDS console wizard and submitted it to the
> > MS CA.
> > 2. Imported the CA certificate (called "it") and the signed
> > "server-cert" resulting from step 1 from the MS CA using the FDS admin
> > console.
> > 3. Enabled SSL (port 636) in the directory server using server-cert from
> > step 1.
> >
> > I used certutil to display the list of certificates in the FDS cert db.
> > > [alias]# ../shared/bin/certutil -L -d . -P slapd-<instance>-
> > > server-cert    u,u,u
> > > it             CT,,
> >
> > Then verified that "server-cert" was considered valid.
> > > [alias]# ../shared/bin/certutil -V -n server-cert -e -u V -d . -P
> > > slapd-<instance>-
> > > Enter Password or Pin for "NSS Certificate DB":
> > > certutil-bin: certificate is valid
> >
> > I also verified that I can connect using openssl client.
> > > # openssl s_client -connect localhost:636 -showcerts -CAfile
> > > /path/to/it_ca.crt
> > > --snip--
> > > Verify return code: 0 (ok)
> > > ---
> >
> > Any hints as to what I might be doing wrong are greatly appreciated.
> >
> > Thanks,
> > -Jake