Anderson, I'm talking about the ldap.conf file, not your slapd.conf file.

On Fri, 2005-01-14 at 09:05, Anderson Alves de Albuquerque wrote:
>
> No, I put these lines:
>
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCACertificateFile /tmp/ssl2/cacert.pem
> TLSCertificateFile /tmp/ssl2/servercert.pem
> TLSCertificateKeyFile /tmp/ssl2/serverkey.pem
>
> On Fri, 14 Jan 2005, Samuel Tran wrote:
>
> > Did you specify these two parameters in your ldap.conf file on the
> > client side?:
> >
> > TLS_REQCERT demand
> > TLS_CACERT /etc/openldap/certs/cacert.pem
> >
> > Sam
> >
> > On Fri, 2005-01-14 at 07:05, Anderson Alves de Albuquerque wrote:
> > > I am listing my steps....
> > >
> > > - I am doing these steps:
> > > % openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 365
> > >
> > > % mkdir /var/myca
> > > % cd /var/myca/
> > > % /usr/share/ssl/misc/CA.sh -newca
> > >
> > > % openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
> > >
> > > % /usr/share/ssl/misc/CA.sh -sign
> > >
> > > % cp demoCA/cacert.pem /usr/var/openldap-data/cacert.pem
> > > % mv newcert.pem /usr/var/openldap-data/servercrt.pem
> > > % mv newreq.pem /usr/var/openldap-data/serverkey.pem
> > > % chmod 400 /usr/var/openldap-data/serverkey.pem
> > >
> > > - I created certs for my client:
> > > % openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
> > > % /usr/share/ssl/misc/CA.sh -sign
> > >
> > > % cp demoCA/cacert.pem /usr/var/openldap-data/cacert.pem
> > > % mv newcert.pem /usr/var/openldap-data/servercrt.pem
> > > % mv newreq.pem /usr/var/openldap-data/serverkey.pem
> > > % chmod 400 /usr/var/openldap-data/serverkey.pem
> > >
> > > % mv newcert.pem /home/user/certs/ldap.client.pem
> > > % mv newreq.pem /home/user/certs/keys/ldap.client.key.pem
> > > % chmod 400 /home/user/certs/keys/ldap.client.key.pem
> > >
> > > - In my slapd.conf:
> > > TLSCipherSuite HIGH:MEDIUM:+SSLv2
> > > TLSCACertificateFile /tmp/ssl/SSL/cacert.pem
> > > TLSCertificateFile /tmp/ssl/SSL/servercrt.pem
> > > TLSCertificateKeyFile /tmp/ssl/SSL/serverkey.pem
> > >
> > > - In my radiusd.conf:
> > > start_tls=no
> > > tls_cacertfile = /tmp/ssl/SSL/cacert.pem
> > > tls_cacertdir = /tmp/ssl/SSL
> > > port=636
> > > #tls_certfile = /tmp/ssl/SSL/ldap.client.pem
> > > #tls_keyfile = /tmp/ssl/SSL/ldap.client.key.pem
> > >
> > > - I make a test with this config below:
> > > start_tls=no
> > > tls_cacertfile = /tmp/ssl/SSL/cacert.pem
> > > tls_cacertdir = /tmp/ssl/SSL
> > > port=636
> > > tls_certfile = /tmp/ssl/SSL/ldap.client.pem
> > > tls_keyfile = /tmp/ssl/SSL/ldap.client.key.pem
> > >
> > > On Fri, 14 Jan 2005, Dieter Kluenter wrote:
> > >
> > > > Anderson Alves de Albuquerque <anderson@belem.voip.nce.ufrj.br> writes:
> > > >
> > > > > I use my RADIUS to make authentication in an LDAP server, but I have a
> > > > > problem that I describe below.
> > > > >
> > > > > I created the certificates with
> > > > > http://www.freeradius.org/radiusd/doc/rlm_ldap. And I put in my
> > > > > radiusd.conf the configs below, but I have problems.
> > > >
> > > > [...]
> > > > > tls_read: want=5, got=5
> > > > > 0000: 15 03 01 00 02 .....
> > > > > tls_read: want=2, got=2
> > > > > 0000: 02 30 .0
> > > > > TLS: can't accept.
> > > > > TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> > > > > /usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:1052
> > > > > ^Cslapd shutdown: waiting for 0 threads to terminate
> > > > > slapd stopped.
> > > >
> > > > You did not describe how you created your certificates, but the log
> > > > clearly says that the CA is unknown. This is a good document on
> > > > creating certificates
> > > > http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
> > > >
> > > > -Dieter

--
Samuel Tran <stran@amnh.org>
Systems Administration - Information Technology
American Museum of Natural History
(P) 212-313-7231
Attachment:
signature.asc
Description: This is a digitally signed message part
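The "tlsv1 alert unknown ca" in the slapd log above is the client saying that the server certificate does not chain to any CA the client trusts, which is exactly the question Samuel is asking about TLS_CACERT in ldap.conf (and tls_cacertfile in radiusd.conf). The script below is an added example, not code from this thread or from OpenLDAP or FreeRADIUS; it reproduces that trust decision offline with `openssl verify`. It builds two throwaway CAs in a temporary directory (constructed test data; the CA names `goodca` and `otherca` and the CN `ldap.example.test` are my own placeholders), issues a server certificate from one of them, and shows that the certificate verifies only against the CA file that actually signed it.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): reproduce the client's
# "is this server certificate signed by a CA I trust?" decision with
# openssl verify, using a constructed throwaway CA in a temp directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca DIR NAME: create a self-signed CA key and certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$2" -keyout "$1/$2-key.pem" -out "$1/$2-cert.pem" 2>/dev/null
}

# issue_server_cert DIR CANAME CN: make a server key + CSR and sign the CSR
# with the named CA (this is the server's TLSCertificateFile).
issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/server-key.pem" -out "$1/server.csr" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -days 30 \
    -CA "$1/$2-cert.pem" -CAkey "$1/$2-key.pem" -CAcreateserial \
    -out "$1/server-cert.pem" 2>/dev/null
}

# verify_chain CAFILE CERT: exit 0 if CERT chains to CAFILE, non-zero if not.
# CAFILE is what the client's TLS_CACERT / tls_cacertfile must point at.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# --- constructed demo run ---
make_ca "$WORK" goodca
make_ca "$WORK" otherca
issue_server_cert "$WORK" goodca ldap.example.test

if verify_chain "$WORK/goodca-cert.pem" "$WORK/server-cert.pem"; then
  echo "server cert verifies against goodca: a client trusting this file will connect"
fi
if ! verify_chain "$WORK/otherca-cert.pem" "$WORK/server-cert.pem"; then
  echo "server cert does NOT verify against otherca: a client trusting this file sends 'unknown ca'"
fi
```

On a real deployment the same check is `openssl verify -CAfile <file named in TLS_CACERT> <file named in TLSCertificateFile>`; if that fails, no amount of editing slapd.conf on the server side will make the client stop sending the alert, because the client's trust store is what decides.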