
Re: Slurpd over SSL



Mark wrote:

cd /usr/local/ssl/bin
./openssl req -new -nodes -keyout newreq.pem -out newreq.pem
( cn=host2.mydomain.ru)
cp newreq.pem /usr/local/ssl/misc
./CA.sh -sign
mv newcert.pem host2cert.pem
mv newkey.pem host2key.pem

copy host2cert.pem host2key.pem and file /usr/local/ssl/misc/demoCA/cacert.pem to host2

Looks good.

slapd.conf in host2

security ssf=1 tls=112
TLSCipherSuite  HIGH:MEDIUM:+SSLv3
TLSCACertificateFile    /usr/local/etc/openldap/ssl/cacert.pem
TLSCertificateFile      /usr/local/etc/openldap/ssl/host2cert.pem
TLSCertificateKeyFile   /usr/local/etc/openldap/ssl/host2key.pem
TLSVerifyClient demand

Above should work. Doesn't have anything to do with your problem, but don't put all the certs in one directory; only the server user should be able to read the server certs, everyone should be able to read the CA cert.


ldap.conf

TLS_CACERT      /usr/local/etc/openldap/ssl/cacert.pem
TLS_CERT        /usr/local/etc/openldap/ssl/host2cert.pem
TLS_KEY /usr/local/etc/openldap/ssl/host2key.pem
BASE    dc=mydomain,dc=ru
URI     ldap://host2.mydomain.ru

You don't need TLS_CERT or TLS_KEY for the client. You only need certs for the client (should then be made especially for that client with a copy of the client cert to the server) if you are planning to use SASL external. Most people don't!


[...]

and when I attempt connect to slapd server on same computer with command
/usr/local/bin/ldapsearch -Z -x -D "cn=Manager,dc=mydomain,dc=ru" -W "(uid=user)"


I see the following message
ldap_start_tls: Connect error (91)
additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

You have to make sure the client (ldapsearch, ldapmodify etc.) user can read the CA cert, in addition to the server being able to.


You can run each client (like ldapsearch) at debug level -d1 or -d-1 (I think) to see better what is happening.

You can do: 'openssl s_client -connect hostname:636' to see if you get a connection and read the server's public key in plaintext. It will give an error, even if you can read it: error 18 is good, error 19 is o.k., anything else means you haven't done something right.

If the CA and slapd run on the same host, I can connect to it from somewhere.

I don't understand this. Explain better!

Please explain to me what I didn't do.

To use with clients on other hosts, you have to copy the CA cert to each separate client host and tell its ldap.conf where to find it.


--Tonni

--
Tony Earnshaw

If my mail server refuses your
mail resend to:

billy at billy.demon.nl
http: www.billy.demon.nl
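The two checks the reply recommends, as an added shell example that is not part of this thread: classifying the "Verify return code" that openssl s_client prints (18 good, 19 o.k., anything else a setup problem), and checking that the CA cert is readable by every client user while the server key is not. The host name, port 636 and the file paths are assumptions.

```shell
# Added example, not from the list post. Assumed: the server listens on 636
# (ldaps), and the cert/key paths on the command line match slapd.conf.

# Pull the N out of the "Verify return code: N (text)" line that
# 'openssl s_client' prints at the end of its output (read from stdin).
verify_code_from_output() {
    sed -n 's/^ *Verify return code: \([0-9]*\) .*/\1/p' | head -n 1
}

# Classify that code the way the reply does: 18 good, 19 o.k., anything
# else means something in the TLS setup is wrong. Prints "good:", "ok:"
# or "bad:" followed by a short reason.
classify_verify_code() {
    case "$1" in
        0)  echo "ok: certificate chain verified" ;;
        18) echo "good: self signed certificate (code 18)" ;;
        19) echo "ok: self signed certificate in chain (code 19)" ;;
        *)  echo "bad: verify return code '$1', check the TLS config" ;;
    esac
}

# Live check of a server: connect on 636 and classify the verify code.
check_ldaps_server() {
    code=$(openssl s_client -connect "$1:636" </dev/null 2>/dev/null \
           | verify_code_from_output)
    classify_verify_code "${code:-none}"
}

# Permissions: every client user must be able to read the CA cert, but only
# the server user may read the server key. Reads the ls -l mode string
# (char 5 = group read, char 8 = other read). Returns non-zero on a problem.
check_cert_perms() {
    ca="$1"; key="$2"; rc=0
    camode=$(ls -ld "$ca" 2>/dev/null | cut -c1-10)
    keymode=$(ls -ld "$key" 2>/dev/null | cut -c1-10)
    if [ "$(printf '%s' "$camode" | cut -c8)" != "r" ]; then
        echo "problem: CA cert $ca is not world-readable (ldapsearch will fail)"
        rc=1
    fi
    if [ "$(printf '%s' "$keymode" | cut -c5,8)" != "--" ]; then
        echo "problem: server key $key is readable by group or others"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok: CA cert world-readable, server key private"
    return "$rc"
}

# Usage: sh tls-check.sh [host [cacert serverkey]]
if [ $# -ge 1 ]; then check_ldaps_server "$1"; fi
if [ $# -ge 3 ]; then check_cert_perms "$2" "$3"; fi
```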