[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Client says Can't contact LDAP server, but it can!

To: openldap-technical@openldap.org
Subject: Re: Client says Can't contact LDAP server, but it can!
From: John Oliver <joliver@john-oliver.net>
Date: Mon, 28 Jul 2008 12:35:12 -0700
Content-disposition: inline
In-reply-to: <1256243B1A70F62BA37779D4@[192.168.1.199]>
References: <20080721153002.GA12884@ns.sdsitehosting.net> <200807251021.05245.bgmilne@staff.telkomsa.net> <20080725151612.GC29344@ns.sdsitehosting.net> <200807280920.33142.bgmilne@staff.telkomsa.net> <20080728183054.GA23107@ns.sdsitehosting.net> <1256243B1A70F62BA37779D4@[192.168.1.199]>
User-agent: Mutt/1.4.2.2i

On Mon, Jul 28, 2008 at 11:55:28AM -0700, Quanah Gibson-Mount wrote:
> --On Monday, July 28, 2008 11:30 AM -0700 John Oliver 
> <joliver@john-oliver.net> wrote:
> 
> >On Mon, Jul 28, 2008 at 09:20:23AM +0200, Buchan Milne wrote:
> >>Or, ensure that the "CA certificate" that the clients use contains the
> >>certificates of the issuer of both of the server certificates, and that
> >>the  value of the subject CN on both certificates matches the name you
> >>use to  connect to the servers.
> >
> >I've tried:
> >
> >openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout
> >server.pem -days 3650
> 
> This generates a self-signed cert without a CA.  That's part of the root of 
> your problem.  By your own email, you have no concept of how SSL signing 
> and authority works.  Yet you reject the advice that's been given out of 
> hand.  Go back to the link I sent you, and set up your certs correctly, 
> which a valid self-generated CA, or do as others have suggested, stop using 
> SSL until you understand how it works.

I'm sorry, I'll try to be clearer.  You're absolutely right in that I
don't understand the intricacies of SSL.  I fully understand that's a
big part of the problem.  But the issue in front of me is that I have a
current setup that works.  I'm trying to get that same functionality out
of a second server.  You seem to be saying that self-signed certificates
just will not work, but that clearly isn't the case... the currently working
system uses a self-signed cert, and works perfectly.  I understand
that's far from ideal.  But authentication *works*.  At some point, when
I have time, I'd love to learn enough about this to create a working CA,
and generate certificates with it, and do everything "right".  But if I
try to do this "right", right now, I'm far more likely to wind up with
no working authentication at all.

-- 
***********************************************************************
* John Oliver                             http://www.john-oliver.net/ *
*                                                                     *
***********************************************************************

References:
- Client says Can't contact LDAP server, but it can!
  - From: John Oliver <joliver@john-oliver.net>
- Re: Client says Can't contact LDAP server, but it can!
  - From: Buchan Milne <bgmilne@staff.telkomsa.net>
- Re: Client says Can't contact LDAP server, but it can!
  - From: John Oliver <joliver@john-oliver.net>
- Re: Client says Can't contact LDAP server, but it can!
  - From: Buchan Milne <bgmilne@staff.telkomsa.net>
- Re: Client says Can't contact LDAP server, but it can!
  - From: John Oliver <joliver@john-oliver.net>
- Re: Client says Can't contact LDAP server, but it can!
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

Prev by Date: Re: Client says Can't contact LDAP server, but it can!
Next by Date: Re: Client says Can't contact LDAP server, but it can!
Index(es):
- Chronological
- Thread