| 1 |
Chris Frederick schrieb: |
| 2 |
> Hi all, |
| 3 |
> |
| 4 |
> I'm working on migrating a network to allow for more users and easier |
| 5 |
> scaling. I'm also splitting up the main server into separate tasks. As |
| 6 |
> long as I'm doing all this I thought it would be prudent to add an LDAP |
| 7 |
> server for authentication/email/etc... I'm running gentoo-hardened on |
| 8 |
> the ldap server and I have been following the gentoo ldap guides here: |
| 9 |
> |
| 10 |
> http://www.gentoo.org/doc/en/ldap-howto.xml |
| 11 |
> http://gentoo-wiki.com/HOWTO_LDAPv3 |
| 12 |
> |
| 13 |
> This got me a decent setup, and everything works good, but now I'm |
| 14 |
> trying to secure it using TLS and I can't seem to get it working. I've |
| 15 |
> followed both guides, searched google, and still come up with nothing. |
| 16 |
> I've verified the CN is correct, I've copied the cert from the server to |
| 17 |
> the test client, and I've verified that the certs are ok using openssl. |
| 18 |
> |
| 19 |
> running 'ldapsearch -H ldap://valid-cn -D "cn=Manager,dc=secret,dc=com" |
| 20 |
> -W' lists everything that I've imported, but adding the -Z to the |
| 21 |
> command exits with this: |
| 22 |
> |
| 23 |
> ldap_start_tls: Connect error (-11) |
| 24 |
> additional info: error:14090086:SSL |
| 25 |
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed |
| 26 |
Turn up debugging, there should be a more specific error somewhere like |
| 27 |
"unknown CA" or "self signed cert" (slapd doesn't like self signed certs"). |
| 28 |
|
| 29 |
> |
| 30 |
> I'm using the same common name for the ldap:// protocol as was entered |
| 31 |
> in the cert. Here's the relevant config sections: |
| 32 |
> |
| 33 |
> /etc/openldap/slapd.conf (server only) |
| 34 |
> TLSCipherSuite HIGH:MEDIUM:+SSLv2 |
| 35 |
> TLSCertificateFile /etc/ssl/ldap.pem |
| 36 |
> TLSCertificateKeyFile /etc/openldap/ldap-key.pem |
| 37 |
> TLS_REQCERT allow |
| 38 |
I don't see TLSCACertificateFile pointing to your CA. |
| 39 |
|
| 40 |
|
| 41 |
> Also, I've been looking for a decent guide to help with installation and |
| 42 |
> maintenance for LDAP and I'm coming up dead. I've even checked the |
| 43 |
> libraries and bookstores, and apart from a 2-8 page reference in a few |
| 44 |
> general administrative books, I've found nothing. Can anyone recommend |
| 45 |
> a good book/site on how to maintain/administer/install LDAP? |
| 46 |
Not really. Remember, LDAP is just a protocol and management of |
| 47 |
implementations differ. Personally I haven't found much 10.000 feet kind |
| 48 |
of docs which makes thinks hard as you'll see the big picture way too |
| 49 |
late (after lots of painful errors due to misconceptions). Once you know |
| 50 |
Ldap+Sasl+ssl+kerberos and how all this might (not) work together it's |
| 51 |
just reading Changelogs and manpages to keep you up to date with your |
| 52 |
implementation. |
| 53 |
|
| 54 |
I've spent |
| 55 |
> over a week on this and it's still not operational and I'm starting to |
| 56 |
> pull my hair out. |
| 57 |
You're welcome ;) |
| 58 |
|
| 59 |
cheers |
| 60 |
Paul |
| 61 |
-- |
| 62 |
gentoo-server@l.g.o mailing list |
Archives