So my next hurdle I am tackling is SSL certificates. I produced self-signed certificates and have installed them through the Management Console. I can run the Management Console using a secure connection.

Linux uses DS to authenticate (configured using System > Administration > Authentication and enabling LDAP support). If I try to "Use TLS to encrypt connection" I can't program a URL that will let me download the CA Certificate successfully. I hope that all made sense.

Am I missing something? Do I need this? Thanks for any advice!
John A. Sullivan III
2009-Jun-17 01:34 UTC
Re: [389-users] OS to authenticate to DS using TLS
On Tue, 2009-06-16 at 19:25 -0500, Doug Coats wrote:
> <snip>

Sorry, I don't quite follow. I know it was a difficult to follow post but I did post how we set up SSL communications including the client side setup. We simply copied the CA cert to the clients (servers using LDAP for authentication) via scp - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
David (Dave) Donnan
2009-Jun-17 12:58 UTC
Re: [389-users] OS to authenticate to DS using TLS
Hello. I think I understand the problem.

I copied the CA cert locally to /tmp/CAcert.txt

I then ran 'system-config-authentication' and used a URL like the following (where it says 'Download CA Certificate'):

file:///tmp/CAcert.txt

It's a lazy man's approach but it worked.

Cdlt, Dave
--------

And John A. Sullivan III wrote:
> On Tue, 2009-06-16 at 19:25 -0500, Doug Coats wrote:
>> <snip>
> <snip>
Thanks Dave - that worked.

I am still having some problems with the certificates though.

If I try this in the directory where the certificates are:

openssl s_client -connect localhost:636 -CAfile filename

I get a listing of the certificates without errors.

If I try:

ldapsearch -H ldaps://localhost:636

ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

If I start the console using:

centos-idm-console -a https://127.0.0.1:9830

I have to "Accept" the certificate each time.

It looks like there may be some problem with the certificate or some setting in DS that still needs to be switched on.

What do you think?

Thanks again for all of your help!
On Wed, Jun 17, 2009 at 7:58 AM, David (Dave) Donnan <david.donnan@thalesgroup.com> wrote:
> <snip>
>
> --
> 389 users mailing list
> 389-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
John A. Sullivan III
2009-Jun-17 14:46 UTC
Re: [389-users] OS to authenticate to DS using TLS
I believe we encountered this problem, too, and found we needed to import the CA cert into the nss database for the user running centos-idm-console. The details are in that long, long, post - John

On Wed, 2009-06-17 at 09:12 -0500, Doug Coats wrote:
> <snip>
John A. Sullivan III
2009-Jun-17 14:58 UTC
Re: [389-users] OS to authenticate to DS using TLS
I was able to dig out that portion of the plan from our internal docs:

We need to import the CA cert into the database of the centos-idm-console user, i.e., the user running the GUI. In their home directory is a .centos-idm-console. Enter that directory and issue the following command (assuming it is running on the same computer as the admin-server - otherwise change the CA cert source appropriately):

certutil -A -d . -n "CA certificate" -t "CT,," -a -i /etc/dirsrv/admin-serv/CA.pem

Close the centos-idm-console if it is still running. Reopen it but be sure to change the login Administration url to https://ldap1.mycompany.com:9830 rather than http.

On Wed, 2009-06-17 at 10:46 -0400, John A. Sullivan III wrote:
> <snip>
Thanks John! I found that in your email. I think my problem might have had some connection with still using localhost in the console command instead of the subject in the certificate. I have read so many different instructions and discussions on this subject it is hard to keep it all straight as to what I read where. I guess my next endeavor is setting up Samba. Any words of wisdom as I stumble down that path? Again - many thanks! You and Dave have been a huge help!
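Doug's closing observation, that the host in the URI has to be a name the server certificate actually carries, is the check a TLS client performs after the chain is trusted. The following is an added Python example written for this thread (it is not code from the thread or from 389 DS); the certificate names, the `ldaps://` URIs and the `SERVER_CERT` dictionary are constructed, in the shape that Python's `ssl` `getpeercert()` returns.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: what getpeercert() would return for a DS server
# certificate issued to ldap1.mycompany.com (plus a wildcard SAN).
SERVER_CERT = {
    "subject": ((("commonName", "ldap1.mycompany.com"),),),
    "subjectAltName": (("DNS", "ldap1.mycompany.com"),
                       ("DNS", "*.lab.mycompany.com")),
}

def dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, a wildcard only as the
    whole left-most label, and a wildcard never spanning a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # e.g. ".lab.mycompany.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[:-len(suffix)]
    return bool(first_label) and "." not in first_label

def cert_matches_host(cert, hostname):
    """Use subjectAltName dNSName entries; fall back to the subject CN only
    when the certificate has no SAN at all (the legacy behaviour)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for key, v in rdn if key == "commonName"]
    return any(dns_name_matches(n, hostname) for n in names)

def check_ldap_uri(uri, cert=SERVER_CERT):
    """Return 'ok' when the host in an ldaps:// URI is covered by the
    certificate, otherwise a one-line reason a client would reject it."""
    parts = urlsplit(uri)
    if parts.scheme != "ldaps":
        return "not an ldaps URI"
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a DNS name: fall through to the name comparison
    else:
        return "IP address used; certificate has no iPAddress SAN for it"
    if cert_matches_host(cert, host):
        return "ok"
    return f"hostname {host!r} does not match the certificate names"
```

Run against the constructed certificate, `ldaps://localhost:636` and `ldaps://127.0.0.1:636` are rejected while `ldaps://ldap1.mycompany.com:636` passes, which is the difference between the URI Doug used and the subject in his certificate.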