Hello Aaron,

On 04/13/2011 09:07 PM, Aaron Richton wrote:
> On Wed, 13 Apr 2011, Judith Flo Gaya wrote:
>> I see, I also have those files that you mention... I created my own CA as lots of tutorials explain. Then I transmitted it to the clients and used it in the ldap.conf file. Do you suggest that I send those to the server and use them instead of the ones I generated with openssl?
>
> Well, you'll need the CA on the client to match the CA that signed the server's certificate. In other words... if you generated your own CA for both the client and the server, trust issues would be completely expected...

I don't know if I understood you or I didn't make myself clear on that point. I created a CA on the server and then copied the file to the client, is that wrong?
>> What's your server?
>
> OpenLDAP software is on both sides of the equation; it's just that some clients are NSS, some clients are OpenSSL, some clients are GnuTLS, while ALL servers are OpenSSL.

I was talking about the operating system. For some reason I think that having Red Hat (with OpenLDAP compiled using OpenSSL) and clients with Fedora (OpenLDAP compiled against MozNSS) created my problems. Now that you said that this is your case (I think), then it may be something related to... I don't know what.
>> Well, my final problem was not ldapsearch but the user authentication. The ldapsearch showed the whole LDAP definitions, but if I try to ssh with an LDAP user to the machine, I get some TLS negotiation problem ;( That's when I was told that the problem may be caused by the implementation of the LDAP client (with MozNSS support).
>
> Well, when troubleshooting, it's often easiest to look with a narrow scope. Using OpenLDAP software, such as ldapsearch(1) and ldapwhoami(1), will probably offer a better debugging platform than an ssh implementation? One step at a time...

Yes, I totally agree, that's why I set up my own OpenLDAP installation and only cared about ldapsearch working. When ldapsearch finally worked, I started looking at the user auth part, changing passwords, etc. As this part wasn't working and it appeared to be a MozNSS problem, I got stuck... until you arrived. I will try what you suggest about using the pki certs instead of the openssl ones.
Thanks a lot for the suggestion, hope this finally fixes the issue.

j
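The point Aaron makes about the client CA having to be the one that signed the server certificate can be checked locally before touching ldap.conf or sshd at all. The script below is an added example, not code from this thread or from the OpenLDAP project: it builds two throwaway CAs and one server certificate with openssl (all names, such as ldap.example.test and the demo-* CA names, are constructed for the example), and shows that `openssl verify -CAfile` succeeds only with the CA that actually signed the server certificate. That is the same trust decision the client's TLS_CACERT file drives, so a failure here is the "TLS negotiation problem" reproduced without any network involved.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the CA-mismatch check with
# throwaway certificates, then point at the narrow-scope OpenLDAP check.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed self-signed CA. $1 = output prefix, $2 = CA common name.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Constructed server certificate signed by a given CA.
# $1 = CA prefix, $2 = server prefix, $3 = server hostname (CN).
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.pem" 2>/dev/null
}

# Returns 0 when the CA bundle in $1 chains the server certificate in $2,
# non-zero otherwise. This is the check a client's TLS_CACERT setting makes.
ca_matches() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca "$WORK/server-ca" "demo-server-ca"   # CA that signs the server cert
make_ca "$WORK/other-ca"  "demo-other-ca"    # a second, unrelated CA
make_server_cert "$WORK/server-ca" "$WORK/ldap" "ldap.example.test"

if ca_matches "$WORK/server-ca.pem" "$WORK/ldap.pem"; then
  echo "matching CA: client would trust the server certificate"
fi
if ! ca_matches "$WORK/other-ca.pem" "$WORK/ldap.pem"; then
  echo "different CA: client would report a TLS trust error"
fi

# Once the CA file on the client passes the check above, the narrow-scope
# test Aaron suggests is an OpenLDAP client call with StartTLS required
# (-ZZ) and debug output, for example:
#   ldapwhoami -ZZ -x -H ldap://ldap.example.test -d 1
# (not run here: it needs a reachable server).
```

The `-ZZ` flag makes the client fail unless StartTLS succeeds, so a CA mismatch surfaces immediately in the debug output instead of being masked by a fallback to plaintext, and it isolates the TLS layer from the PAM/NSS path that ssh logins go through.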