Chris Frederick wrote:
> Hi all,
>
> I'm working on migrating a network to allow for more users and easier
> scaling. I'm also splitting up the main server into separate tasks. As
> long as I'm doing all this I thought it would be prudent to add an LDAP
> server for authentication/email/etc... I'm running gentoo-hardened on
> the ldap server and I have been following the gentoo ldap guides here:
>
> http://www.gentoo.org/doc/en/ldap-howto.xml
> http://gentoo-wiki.com/HOWTO_LDAPv3
>
> This got me a decent setup, and everything works well, but now I'm
> trying to secure it using TLS and I can't seem to get it working. I've
> followed both guides, searched google, and still come up with nothing.
> I've verified the CN is correct, I've copied the cert from the server to
> the test client, and I've verified that the certs are ok using openssl.
>
> running 'ldapsearch -H ldap://valid-cn -D "cn=Manager,dc=secret,dc=com"
> -W' lists everything that I've imported, but adding the -Z to the
> command exits with this:
>
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Turn up debugging; there should be a more specific error somewhere like
"unknown CA" or "self signed cert" (slapd doesn't like self signed certs).

> I'm using the same common name for the ldap:// protocol as was entered
> in the cert. Here's the relevant config sections:
>
> /etc/openldap/slapd.conf (server only)
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile /etc/ssl/ldap.pem
> TLSCertificateKeyFile /etc/openldap/ldap-key.pem
> TLS_REQCERT allow

I don't see TLSCACertificateFile pointing to your CA.

> Also, I've been looking for a decent guide to help with installation and
> maintenance for LDAP and I'm coming up dead. I've even checked the
> libraries and bookstores, and apart from a 2-8 page reference in a few
> general administrative books, I've found nothing. Can anyone recommend
> a good book/site on how to maintain/administer/install LDAP?

Not really. Remember, LDAP is just a protocol, and management of
implementations differs. Personally I haven't found many 10,000-feet kind
of docs, which makes things hard as you'll see the big picture way too
late (after lots of painful errors due to misconceptions). Once you know
LDAP+SASL+SSL+Kerberos and how all this might (not) work together it's
just reading changelogs and manpages to keep you up to date with your
implementation.

> I've spent
> over a week on this and it's still not operational and I'm starting to
> pull my hair out.

You're welcome ;)

cheers
Paul
--
gentoo-server@l.g.o mailing list
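As an added example (not from this thread or from OpenLDAP itself), here is a small POSIX shell lint for the TLS section of a slapd.conf. It reports the two gaps Paul points at (no TLSCACertificateFile, a TLS_REQCERT line that belongs in the client's ldap.conf rather than in slapd.conf) and goes one step beyond the reply by also flagging the "+SSLv2" entry in the cipher list and a missing certificate or key directive. It assumes slapd.conf(5) syntax ("Directive value", one per line); the sample config embedded below is constructed to mirror the snippet quoted above and is not the poster's file.

```shell
#!/bin/sh
# Added example: lint the TLS directives of a slapd.conf (slapd.conf(5) syntax).
# Reports a missing TLSCACertificateFile, a client-only TLS_REQCERT line,
# SSLv2 in TLSCipherSuite, and a missing certificate or key directive.

# Constructed sample mirroring the config quoted in the thread (not the poster's file).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample: TLS section of a slapd.conf
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ldap-key.pem
TLS_REQCERT allow
EOF

# directive_value FILE NAME: value of the first NAME directive in FILE
# (directive names are matched case-insensitively, as slapd treats them);
# prints nothing if the directive is absent.
directive_value() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

# lint_slapd_tls FILE: prints one finding per line; returns 0 when clean, 1 otherwise.
lint_slapd_tls() {
    lint_conf=$1
    lint_count=0

    if [ -z "$(directive_value "$lint_conf" TLSCertificateFile)" ]; then
        echo "no TLSCertificateFile: slapd has no server certificate to present"
        lint_count=$((lint_count + 1))
    fi
    if [ -z "$(directive_value "$lint_conf" TLSCertificateKeyFile)" ]; then
        echo "no TLSCertificateKeyFile: slapd cannot use the certificate without its private key"
        lint_count=$((lint_count + 1))
    fi
    if [ -z "$(directive_value "$lint_conf" TLSCACertificateFile)" ]; then
        echo "no TLSCACertificateFile: the issuing CA is not configured on the server;" \
             "a client that verifies the chain needs it (here, or via its own TLS_CACERT)"
        lint_count=$((lint_count + 1))
    fi
    if [ -n "$(directive_value "$lint_conf" TLS_REQCERT)" ]; then
        echo "TLS_REQCERT is a client option (ldap.conf(5)/.ldaprc), not a slapd.conf directive;" \
             "client-certificate policy on the server side is TLSVerifyClient"
        lint_count=$((lint_count + 1))
    fi
    case "$(directive_value "$lint_conf" TLSCipherSuite)" in
        *SSLv2*)
            echo "TLSCipherSuite enables SSLv2 ciphers: drop '+SSLv2' from the list"
            lint_count=$((lint_count + 1))
            ;;
    esac

    [ "$lint_count" -eq 0 ]
}

# Lint the file named as the first argument, or the constructed sample.
if lint_slapd_tls "${1:-$SAMPLE_CONF}"; then
    echo "no TLS findings"
else
    echo "review the findings above"
fi
```

Run it as `sh lint_slapd_tls.sh /etc/openldap/slapd.conf`; on the constructed sample it prints three findings (missing CA file, misplaced TLS_REQCERT, SSLv2 in the cipher list). The client-side counterpart of Paul's "turn up debugging" is adding `-d 1` to the failing `ldapsearch -Z` call, which prints the TLS trace with the actual verify reason.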