
Re: fedora and openldap

On 04/13/2011 04:37 PM, Rich Megginson wrote:


Also post the output of
openssl x509 -in /path/to/the/server-cert.pem -text
# openssl x509 -in /etc/openldap/cacerts/curri3-cert.pem -text
Certificate:
     Data:
         Version: 1 (0x0)
         Serial Number: 1 (0x1)
         Signature Algorithm: sha1WithRSAEncryption
         Issuer: C=ES, ST=Barcelona, L=Badalona, O=company, OU=linux,
CN=server.fdqn/emailAddress=jflo@imppc.org
         Validity
             Not Before: Apr 12 15:55:56 2011 GMT
             Not After : Jan  6 15:55:56 2014 GMT
         Subject: C=ES, ST=Barcelona, L=Badalona, O=company, OU=linux,
CN=client.fdqn/emailAddress=jflo@imppc.org
I notice that the format of the Issuer here does not match the format of
the Subject, but that may be just a difference in the way moznss and
openssl handle the "/emailAddress=...".  You could confirm by doing
openssl x509 -in /path/to/cacert.pem -text

I don't know - I don't see anything obviously wrong here.
I'm just following the steps; I no longer know what to do, and I'm afraid that I'm kind of stuck. As the server is a rhel6, its openldap is compiled against openssl, while the clients are using openldap with moznss, so it looks like I'll be forced to recompile everything to either moznss or openssl, but that looks very, very complicated. I will try to make the setup from fedora to fedora with certificates and see if the tls communication is easier. If that works, I think that I will abandon the setup with rh; I can afford spending more time on this, especially if you (who know a lot more than me) think that there's nothing wrong.

If you think this is a problem with openldap+moznss (that is, if you can
get it to work with openldap+openssl), please file a bug/its.
If I can give it a try later on, I'll do it.
Thanks,
j
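The check Rich suggests above (compare the server cert's Issuer with the CA cert's Subject, then see whether the chain actually validates) can be scripted so the comparison does not depend on how openssl or moznss happens to render `/emailAddress=...`. The script below is an added example and is not from this thread or from the openldap project; it builds a throwaway CA and server certificate as constructed test data, and the file names, the `example.test` names and the `admin@example.test` address are assumptions. `-nameopt RFC2253` makes openssl print both names in one canonical form, and `openssl verify` does the real chain check.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a server certificate was
# issued by the CA certificate a client trusts, using only the openssl CLI.
set -eu

# Constructed test data: a self-signed CA plus a server cert signed by it.
# Prints the directory holding ca-cert.pem and server-cert.pem.
make_test_pki() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/C=ES/O=company/OU=linux/CN=ca.example.test/emailAddress=admin@example.test" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=ES/O=company/OU=linux/CN=server.example.test/emailAddress=admin@example.test" \
        -keyout "$dir/server-key.pem" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca-cert.pem" \
        -CAkey "$dir/ca-key.pem" -CAcreateserial -days 1 \
        -out "$dir/server-cert.pem" 2>/dev/null
    echo "$dir"
}

# issuer_matches_ca SERVER_CERT CA_CERT
# Prints "match" when the server cert's Issuer DN equals the CA cert's
# Subject DN. RFC2253 output normalises attribute order and the
# emailAddress rendering, so the comparison is independent of the
# "/emailAddress=" vs ", emailAddress=" display difference.
issuer_matches_ca() {
    server=$1; ca=$2
    iss=$(openssl x509 -in "$server" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    sub=$(openssl x509 -in "$ca" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    if [ "$iss" = "$sub" ]; then echo match; else echo mismatch; fi
}

# chain_verifies SERVER_CERT CA_CERT
# Prints "ok" when openssl can build and validate the chain from the
# server cert to the given CA file; a name match alone is not enough,
# since the signature and validity period are checked only here.
chain_verifies() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Usage: sh check-chain.sh server-cert.pem cacert.pem
if [ $# -eq 2 ]; then
    echo "issuer/subject: $(issuer_matches_ca "$1" "$2")"
    echo "chain:          $(chain_verifies "$1" "$2")"
fi
```

Run against the real files (the thread's `/etc/openldap/cacerts/curri3-cert.pem` and the CA cert it was signed with) and both lines should read `match` and `ok`; a `mismatch` points at the wrong CA file being distributed to clients, while `match` together with `fail` points at a bad signature or expired validity rather than a DN rendering difference.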