| 1 |
Hi all, |
| 2 |
|
| 3 |
I'm working on migrating a network to allow for more users and easier |
| 4 |
scaling. I'm also splitting up the main server into separate tasks. As |
| 5 |
long as I'm doing all this I thought it would be prudent to add an LDAP |
| 6 |
server for authentication/email/etc... I'm running gentoo-hardened on |
| 7 |
the ldap server and I have been following the gentoo ldap guides here: |
| 8 |
|
| 9 |
http://www.gentoo.org/doc/en/ldap-howto.xml |
| 10 |
http://gentoo-wiki.com/HOWTO_LDAPv3 |
| 11 |
|
| 12 |
This got me a decent setup, and everything works good, but now I'm |
| 13 |
trying to secure it using TLS and I can't seem to get it working. I've |
| 14 |
followed both guides, searched google, and still come up with nothing. |
| 15 |
I've verified the CN is correct, I've copied the cert from the server to |
| 16 |
the test client, and I've verified that the certs are ok using openssl. |
| 17 |
|
| 18 |
running 'ldapsearch -H ldap://valid-cn -D "cn=Manager,dc=secret,dc=com" |
| 19 |
-W' lists everything that I've imported, but adding the -Z to the |
| 20 |
command exits with this: |
| 21 |
|
| 22 |
ldap_start_tls: Connect error (-11) |
| 23 |
additional info: error:14090086:SSL |
| 24 |
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed |
| 25 |
|
| 26 |
I'm using the same common name for the ldap:// protocol as was entered |
| 27 |
in the cert. Here's the relevant config sections: |
| 28 |
|
| 29 |
/etc/openldap/slapd.conf (server only) |
| 30 |
TLSCipherSuite HIGH:MEDIUM:+SSLv2 |
| 31 |
TLSCertificateFile /etc/ssl/ldap.pem |
| 32 |
TLSCertificateKeyFile /etc/openldap/ldap-key.pem |
| 33 |
TLS_REQCERT allow |
| 34 |
|
| 35 |
/etc/openldap/ldap.conf (client and server) |
| 36 |
TLS_CERT /etc/ssl/ldap.pem |
| 37 |
TLS_KEY /etc/openldap/ldap-key.pem |
| 38 |
TLS_REQUEST never |
| 39 |
|
| 40 |
Is there anything else I should check with the certs? |
| 41 |
|
| 42 |
Also, I've been looking for a decent guide to help with installation and |
| 43 |
maintenance for LDAP and I'm coming up dead. I've even checked the |
| 44 |
libraries and bookstores, and apart from a 2-8 page reference in a few |
| 45 |
general administrative books, I've found nothing. Can anyone recommend |
| 46 |
a good book/site on how to maintain/administer/install LDAP? I've spent |
| 47 |
over a week on this and it's still not operational and I'm starting to |
| 48 |
pull my hair out. |
| 49 |
|
| 50 |
Thanks in advance for any help, |
| 51 |
Chris |
| 52 |
-- |
| 53 |
gentoo-user@l.g.o mailing list |
Archives