
Re: ldap + ssl confusion



On Fri, 25 Jan 2008, Steve Pribyl wrote:
I need some help understanding why things are the way they are.
...
All nodes keys are self authenticated, i.e. links to from hash.

("Self authenticated"? You mean they're self-signed certificates? What do you mean by "links to from hash"?)



!!The Problem!!
ldapsearch works to NodeB server, iff NodeB_key is present on NodeA
slurpd works to NodeB server, iff NodeB_key is present on NodeA

Node A - ldap master/client
/etc/ldap/cacerts/NodeA_pub.pem
/etc/ldap/cacerts/NodeB_pub.pem
/etc/pki/tls/certs/NodeA_key.pem
ldapsearch works to NodeA ldap server.
/etc/pki/tls/certs/NodeB_key.pem <--Why is this required?
ldapsearch works to NodeB server, iff NodeB_key is present on NodeA
slurpd works to NodeB server, iff NodeB_key is present on NodeA

ldapsearch and slurpd need to verify the cert of the server that they talk to by checking its signature against the CA that signed it. Furthermore, the CA cert must be in its list of trusted CAs. That's the cert itself for self-signed certs. From the above, it appears that ldapsearch and slurpd use /etc/pki/tls/certs/ as the CA certs directory. I would guess that your system's OpenSSL uses that as its compiled-in default. That, or your ldap.conf or .ldaprc has a TLS_CACERTDIR line naming that directory. (Don't know the ldap.conf path? Check the manpage!)



Node B - ldap slave/client
/etc/ldap/cacerts/NodeA_pub.pem
/etc/ldap/cacerts/NodeB_pub.pem
/etc/pki/tls/certs/NodeB_key.pem
ldapsearch works to all ldap servers.

So what's the ldap.conf and .ldaprc on node B look like?


Node C - ldap client
/etc/ldap/cacerts/NodeA_pub.pem
/etc/ldap/cacerts/NodeB_pub.pem
No Keys present
ldapsearch works to all ldap servers.

Same question as node B.


Philip Guenther
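An added worked example, not part of either message in this thread, that shows how to answer the two questions the reply raises: which directory the client actually treats as its CA store (TLS_CACERTDIR from ldap.conf/.ldaprc, else OpenSSL's compiled-in OPENSSLDIR/certs), and whether a given self-signed server cert would be accepted from that store. It also shows the caveat the thread does not spell out: OpenSSL's by-directory lookup finds a CA cert only under its subject-hash filename (what c_rehash creates), so merely copying NodeB's PEM into the directory is not enough. The config contents, hostnames and file names below are constructed for illustration; /etc/pki/tls/certs as the fallback when no openssl binary is available is an assumption matching the thread, not something libldap guarantees.

```shell
#!/bin/sh
# Added example (not from the original thread). Requires only POSIX sh, awk
# and, for the verification part, the openssl CLI. All paths are assumptions.
set -eu

# Read one directive from an ldap.conf / .ldaprc style file: one "KEY value"
# per line, key case-insensitive, '#' starts a comment. Prints the value or nothing.
ldap_conf_get() {
    # $1 = config file, $2 = directive name
    awk -v key="$(printf '%s' "$2" | tr 'a-z' 'A-Z')" '
        /^[[:space:]]*#/ { next }
        { k = toupper($1) }
        k == key { print $2; exit }
    ' "$1"
}

# Effective CA directory: TLS_CACERTDIR from the config if set, otherwise the
# compiled-in OpenSSL default (OPENSSLDIR/certs), which is what the reply
# suspects NodeA is using. Final fallback is an assumption for offline use.
effective_cacertdir() {
    dir=$(ldap_conf_get "$1" TLS_CACERTDIR)
    if [ -n "$dir" ]; then
        printf '%s\n' "$dir"
    elif command -v openssl >/dev/null 2>&1; then
        printf '%s/certs\n' "$(openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/')"
    else
        printf '%s\n' "/etc/pki/tls/certs"   # assumption: Red Hat style default
    fi
}

# Verify a server cert the way libldap/OpenSSL will when TLS_REQCERT demand
# is in effect: chain-build from the CA directory. For a self-signed server
# cert this succeeds only if that very cert is findable in the directory.
server_cert_trusted() {
    # $1 = CA directory (CApath), $2 = server cert PEM
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# --- Demonstration with constructed input ---------------------------------
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cat > "$work/ldap.conf" <<'EOF'
BASE   dc=example,dc=com
URI    ldaps://nodeb.example.com
# No TLS_CACERTDIR here, so the OpenSSL default directory is consulted
TLS_REQCERT demand
EOF
echo "CA directory this client will consult: $(effective_cacertdir "$work/ldap.conf")"

if command -v openssl >/dev/null 2>&1; then
    mkdir "$work/cacerts"
    # Stand-in for NodeB's self-signed cert (constructed, throwaway key).
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=nodeb.example.com -days 1 \
        -keyout "$work/NodeB_key.pem" -out "$work/NodeB_cert.pem" 2>/dev/null
    if server_cert_trusted "$work/cacerts" "$work/NodeB_cert.pem"; then
        echo "unexpected: trusted with an empty CA directory"
    else
        echo "not trusted: NodeB's cert is absent from the CA directory"
    fi
    # Copying the PEM in under its own name is not enough: OpenSSL looks CA
    # certs up by <subject-hash>.N filename, which is what c_rehash creates.
    cp "$work/NodeB_cert.pem" "$work/cacerts/NodeB_cert.pem"
    if server_cert_trusted "$work/cacerts" "$work/NodeB_cert.pem"; then
        echo "trusted after plain copy (this OpenSSL scans the directory)"
    else
        echo "still not trusted after plain copy: file is not hash-named"
    fi
    h=$(openssl x509 -noout -hash -in "$work/NodeB_cert.pem")
    ln -s "$work/NodeB_cert.pem" "$work/cacerts/$h.0"
    if server_cert_trusted "$work/cacerts" "$work/NodeB_cert.pem"; then
        echo "trusted after rehash as $h.0"
    fi
fi
```

Run it on a client such as NodeC by pointing effective_cacertdir at /etc/openldap/ldap.conf (or the path from the ldap.conf manpage) and server_cert_trusted at the real directory with NodeB's cert PEM; if the first call names /etc/pki/tls/certs and the second fails until the cert is hash-linked there, that reproduces exactly the "iff NodeB_key is present" behaviour from the question.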