Re: Client says Can't contact LDAP server, but it can!
On Mon, Jul 28, 2008 at 11:55:28AM -0700, Quanah Gibson-Mount wrote:
> --On Monday, July 28, 2008 11:30 AM -0700 John Oliver
> <joliver@john-oliver.net> wrote:
>
> >On Mon, Jul 28, 2008 at 09:20:23AM +0200, Buchan Milne wrote:
> >>Or, ensure that the "CA certificate" that the clients use contains the
> >>certificates of the issuer of both of the server certificates, and that
> >>the value of the subject CN on both certificates matches the name you
> >>use to connect to the servers.
> >
> >I've tried:
> >
> >openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout
> >server.pem -days 3650
>
> This generates a self-signed cert without a CA. That's part of the root of
> your problem. By your own email, you have no concept of how SSL signing
> and authority works. Yet you reject the advice that's been given out of
> hand. Go back to the link I sent you, and set up your certs correctly,
> with a valid self-generated CA, or do as others have suggested, stop using
> SSL until you understand how it works.
I'm sorry, I'll try to be clearer. You're absolutely right in that I
don't understand the intricacies of SSL. I fully understand that's a
big part of the problem. But the issue in front of me is that I have a
current setup that works. I'm trying to get that same functionality out
of a second server. You seem to be saying that self-signed certificates
just will not work, but that clearly isn't the case... the currently working
system uses a self-signed cert, and works perfectly. I understand
that's far from ideal. But authentication *works*. At some point, when
I have time, I'd love to learn enough about this to create a working CA,
and generate certificates with it, and do everything "right". But if I
try to do this "right", right now, I'm far more likely to wind up with
no working authentication at all.
--
***********************************************************************
* John Oliver http://www.john-oliver.net/ *
* *
***********************************************************************