Re: Slurpd over SSL
Mark wrote:
> cd /usr/local/ssl/bin
> ./openssl req -new -nodes -keyout newreq.pem -out newreq.pem
> ( cn=host2.mydomain.ru)
> cp newreq.pem /usr/local/ssl/misc
> ./CA.sh -sign
> mv newcert.pem host2cert.pem
> mv newkey.pem host2key.pem
> copy host2cert.pem host2key.pem and file
> /usr/local/ssl/misc/demoCA/cacert.pem to host2
Looks good.
> slapd.conf in host2
> security ssf=1 tls=112
> TLSCipherSuite HIGH:MEDIUM:+SSLv3
> TLSCACertificateFile /usr/local/etc/openldap/ssl/cacert.pem
> TLSCertificateFile /usr/local/etc/openldap/ssl/host2cert.pem
> TLSCertificateKeyFile /usr/local/etc/openldap/ssl/host2key.pem
> TLSVerifyClient demand
Above should work. Doesn't have anything to do with your problem, but
don't put all the certs in one directory; only the server user should be
able to read the server certs, everyone should be able to read the CA cert.
> ldap.conf
> TLS_CACERT /usr/local/etc/openldap/ssl/cacert.pem
> TLS_CERT /usr/local/etc/openldap/ssl/host2cert.pem
> TLS_KEY /usr/local/etc/openldap/ssl/host2key.pem
> BASE dc=mydomain,dc=ru
> URI ldap://host2.mydomain.ru
You don't need TLS_CERT or TLS_KEY for the client. You only need certs
for the client (should then be made especially for that client with a
copy of the client cert to the server) if you are planning to use SASL
external. Most people don't!
[...]
> and when I attempt to connect to the slapd server on the same computer with the command
> /usr/local/bin/ldapsearch -Z -x -D "cn=Manager,dc=mydomain,dc=ru" -W
> "(uid=user)"
> I see the following message:
> ldap_start_tls: Connect error (91)
> additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3
> alert handshake failure
You have to make sure the client (ldapsearch, ldapmodify etc.) user can
read the CA cert, in addition to the server being able to.
You can run each client (like ldapsearch) at debug level -d1 or -d-1 (I
think) to see better what is happening.
You can do: 'openssl s_client -connect hostname:636' to see if you get a
connection and read the server's public key in plaintext. It will give
an error, even if you can read it: error 18 is good, error 19 is o.k.,
anything else means you haven't done something right.
> If CA and slapd run on the same host, I can connect to it from somewhere.
I don't understand this. Explain better!
> Please explain to me what I didn't do.
To use with clients on other hosts, you have to copy the CA cert to each
separate client host and tell its ldap.conf where to find it.
--Tonni
--
Tony Earnshaw
If my mail server refuses your
mail resend to:
billy at billy.demon.nl
http: www.billy.demon.nl
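Tonni's advice on certificate file permissions (the server cert and key readable only by the slapd user, the CA cert readable by everyone, including whoever runs ldapsearch) can be checked with this added POSIX shell helper; it is not code from the thread, and the function name `check_tls_file_perms` and the sample file names are assumptions.

```shell
# check_tls_file_perms CA_CERT SERVER_CERT SERVER_KEY SERVER_USER
# Hypothetical helper that verifies the permission layout recommended above:
#   - the CA cert must be world-readable (ldapsearch, ldapmodify etc. must read it,
#     or the TLS handshake fails on the client side)
#   - the server cert and key must be owned by SERVER_USER and readable by nobody else
# Prints each violation to stderr; returns 1 if any was found, 0 otherwise.
check_tls_file_perms() {
    ca="$1"; cert="$2"; key="$3"; user="$4"
    rc=0
    for f in "$ca" "$cert" "$key"; do
        if [ ! -f "$f" ]; then
            echo "FAIL: $f does not exist" >&2
            return 1
        fi
    done
    # POSIX find: -perm -004 matches when the "other read" bit is set
    if [ -z "$(find "$ca" -perm -004)" ]; then
        echo "FAIL: CA cert $ca is not world-readable; clients cannot verify the server" >&2
        rc=1
    fi
    for f in "$cert" "$key"; do
        if [ -z "$(find "$f" -user "$user")" ]; then
            echo "FAIL: $f is not owned by the slapd user $user" >&2
            rc=1
        fi
        # -perm -040 (group read) or -perm -004 (other read) set means too open
        if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \))" ]; then
            echo "FAIL: $f is readable by group or others; restrict it to $user (chmod 600)" >&2
            rc=1
        fi
    done
    return "$rc"
}
```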