[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: Enabling TLS problem on openldap2-2.3.39
Be default, the SLES 9.3 slapd.conf defines the CA Cert like this:
TLSCACertificatePath /etc/ssl/certs
That directory has lots of pem files in it with x509 symbolic links:
ls -C /etc/ssl/certs
Password:
052eae11.0 6f5d9899.0 d4e39186.0 ICE-root.pem timCA.pem
18d46017.0 73912336.0 ddc328ff.0 ICE-user.pem tjhCA.pem
1e49180d.0 7651b327.0 dsa-ca.pem ICP-Brasil.pem vsign1.pem
1ef89214.0 8c401b31.0 dsa-pca.pem nortelCA.pem vsign2.pem
1f6c59cd.0 8caad35e.0 Equifax-root1.pem pca-cert.pem vsign3.pem
24867d38.0 91b8190d.0 expired RegTP-4R.pem vsignss.pem
2edf7016.0 a99c5886.0 f3e90025.0 RegTP-5R.pem vsigntca.pem
3ecf89a3.0 adbec561.0 f73e89fd.0 RegTP-6R.pem YaST-CA.pem
594f1775.0 b5f329fa.0 factory.pem rsa-cca.pem
69ea794f.0 c33a80d4.0 ICE-CA.pem thawteCb.pem
6bee6be3.0 ca-cert.pem ICE.crl thawteCp.pem
I think CA certs is set up correctly. Am I wrong about that?
Do I have to move /etc/openldap/server.{crt,key} to /etc/ssl/certs?
Do I have to create turn /etc/openldap/server.{crt,key} into a .pem
file?
Do I have to create x509 symbolic links from
/etc/openldap/server.{crt,key} to /etc/ssl/certs?
Thanks for your help.
----
Not all who wander are lost.
| ---- ___o | chuck.keagle@boeing.com
Chuck Keagle | ------- \ <, | Work: (425) 865-1488
Enterprise Servers: HPC | ----- ( )/ ( ) | Cell: (425) 417-3434
> -----Original Message-----
> From: Quanah Gibson-Mount [mailto:quanah@zimbra.com]
> Sent: Friday, November 16, 2007 6:28 PM
> To: Keagle, Chuck; openldap-software@openldap.org
> Subject: Re: Enabling TLS problem on openldap2-2.3.39
>
> --On Friday, November 16, 2007 5:01 PM -0800 "Keagle, Chuck"
> <chuck.keagle@boeing.com> wrote:
>
> > I'm configuring slapd to use TLS. First I just want to
> make it work,
> > then I'll go into requiring encryption.
> >
> > The system is SLES 9.3
> > The openldap2 is 2.3.39
> > Other certifictes are in /etc/ssl/certs as specified by default in
> > slapd.conf for openldap2 2.3.39.
> >
> > The database is currently empty, just getting started.
> >
> > Generated a self-signed x509 certificate
> > cd /etc/openldap
> > openssl genrsa 1024 >server.key
> > chmod 0440 server.key
> > chown root:ldap server.key
> > openssl req -new -key server.key -x509 -days 100 -out server.crt
> > Entered all the important stuff
> > chmod 0444 server.crt
> >
> > Checked certificate and it looked acceptable
> > openssl x509 -text -in server.crt
> >
> > Changed following lines in slapd.conf:
> > TLSCertificateFile /etc/openldap/server.crt
> > TLSCertificateKeyFile /etc/openldap/server.key
>
>
> You failed to set the CA Cert directive in slapd.conf, so it
> has no way of presenting its CA cert.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>