Hi all,

I'm working on migrating a network to allow for more users and easier
scaling. I'm also splitting up the main server into separate tasks. As
long as I'm doing all this I thought it would be prudent to add an LDAP
server for authentication/email/etc. I'm running gentoo-hardened on
the LDAP server and I have been following the Gentoo LDAP guides here:

http://www.gentoo.org/doc/en/ldap-howto.xml
http://gentoo-wiki.com/HOWTO_LDAPv3

This got me a decent setup, and everything works well, but now I'm
trying to secure it using TLS and I can't seem to get it working. I've
followed both guides, searched Google, and still come up with nothing.
I've verified the CN is correct, I've copied the cert from the server to
the test client, and I've verified that the certs are OK using openssl.

Running 'ldapsearch -H ldap://valid-cn -D "cn=Manager,dc=secret,dc=com"
-W' lists everything that I've imported, but adding -Z to the
command exits with this:

ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I'm using the same common name for the ldap:// protocol as was entered
in the cert. Here are the relevant config sections:

/etc/openldap/slapd.conf (server only)
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ldap-key.pem
TLS_REQCERT allow

/etc/openldap/ldap.conf (client and server)
TLS_CERT /etc/ssl/ldap.pem
TLS_KEY /etc/openldap/ldap-key.pem
TLS_REQUEST never

Is there anything else I should check with the certs?

Also, I've been looking for a decent guide to help with installation and
maintenance for LDAP and I'm coming up dead. I've even checked the
libraries and bookstores, and apart from a 2-8 page reference in a few
general administrative books, I've found nothing. Can anyone recommend
a good book/site on how to maintain/administer/install LDAP? I've spent
over a week on this and it's still not operational and I'm starting to
pull my hair out.

Thanks in advance for any help,
Chris
--
gentoo-user@l.g.o mailing list
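As an added example (not part of the post above), a small Python linter run over constructed copies of the two config fragments. It flags what usually produces "certificate verify failed" on the client side (no TLS_CACERT/TLS_CACERTDIR, so the server certificate has nothing to chain to), a TLS_REQCERT that does not enforce the server certificate, a cipher suite that re-enables SSLv2, and directives that do not belong to the file they are in (slapd.conf uses TLSVerifyClient, not TLS_REQCERT; the ldap.conf option set is assumed from ldap.conf(5) for OpenLDAP 2.x). The CA path in the hardened fragment is a placeholder.

```python
"""Lint the TLS directives of OpenLDAP client (ldap.conf) and server
(slapd.conf) fragments for settings that break or weaken certificate
verification. Constructed example; all paths are placeholders."""
import re

# ldap.conf TLS_* options (assumption: per ldap.conf(5), OpenLDAP 2.x).
CLIENT_TLS_OPTIONS = {"TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT", "TLS_KEY",
                      "TLS_CIPHER_SUITE", "TLS_RANDFILE", "TLS_REQCERT",
                      "TLS_CRLCHECK"}

def parse_directives(text):
    """Map DIRECTIVE (upper-cased) -> value, skipping blanks and # comments."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            out[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return out

def lint_client(text):
    """Findings for an ldap.conf fragment (the side that reports 'verify failed')."""
    d = parse_directives(text)
    findings = []
    if "TLS_CACERT" not in d and "TLS_CACERTDIR" not in d:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: the server certificate cannot be verified")
    if d.get("TLS_REQCERT", "demand").lower() in ("never", "allow"):
        findings.append("TLS_REQCERT %s: the server certificate is not enforced" % d["TLS_REQCERT"])
    for key in sorted(d):  # catch misspelt options, which ldap.conf silently ignores
        if key.startswith("TLS_") and key not in CLIENT_TLS_OPTIONS:
            findings.append("unknown directive %s (the verification option is TLS_REQCERT)" % key)
    return findings

def lint_server(text):
    """Findings for a slapd.conf fragment."""
    d = parse_directives(text)
    findings = []
    if re.search(r"(^|:)\+?SSLv2", d.get("TLSCIPHERSUITE", "")):
        findings.append("TLSCipherSuite re-enables SSLv2 ciphers")
    if "TLS_REQCERT" in d:
        findings.append("TLS_REQCERT is a client (ldap.conf) option; slapd uses TLSVerifyClient")
    return findings

# Constructed fragments mirroring the post's configs, plus a hardened client.
LDAP_CONF = "TLS_CERT /etc/ssl/ldap.pem\nTLS_KEY /etc/openldap/ldap-key.pem\nTLS_REQUEST never\n"
SLAPD_CONF = ("TLSCipherSuite HIGH:MEDIUM:+SSLv2\nTLSCertificateFile /etc/ssl/ldap.pem\n"
              "TLSCertificateKeyFile /etc/openldap/ldap-key.pem\nTLS_REQCERT allow\n")
LDAP_CONF_FIXED = "TLS_CACERT /etc/ssl/ca.pem  # placeholder CA path\nTLS_REQCERT demand\n"

if __name__ == "__main__":
    for name, fn, text in (("ldap.conf", lint_client, LDAP_CONF),
                           ("slapd.conf", lint_server, SLAPD_CONF),
                           ("ldap.conf (fixed)", lint_client, LDAP_CONF_FIXED)):
        print(name, fn(text) or "OK")
```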