[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP and TLS



You would only specify the CA file if your wildcard file contains the root CA chain.  Otherwise it is also advisable to download your root CA chain file, and specify it with the olcTLSCACertificateFile directive.  To clarify for you, your certificate file is NOT a CA file.  The CA files are root files you get from your issuing Certificate Authority.


On Fri, Jun 14, 2013 at 3:44 PM, Dan White <dwhite@olp.net> wrote:
On 06/14/13 16:28 -0400, Rodney Simioni wrote:
So you are saying remove those TLS lines from /etc/openldap/ldap.conf and put them in the ldif file as:

olcTLSCACertificateFile: /etc/openldap/cacerts/wildcard.securesites.com.cert
olcTLSCertificateFile: /etc/openldap/cacerts/wildcard.securesites.com.csr
olcTLSCertificateKeyFile: /ect/openldap/cacerts/wildcard.securesites.com.key ?

Please consult the documentation, and a primer on TLS. Your
olcTLSCACertificateFile line probably shouldn't be there. The other two
look reasonable.


-----Original Message-----
From: Dan White [mailto:dwhite@olp.net]
Sent: Friday, June 14, 2013 4:05 PM
To: Rodney Simioni
Cc: openldap-technical@openldap.org
Subject: Re: LDAP and TLS

On 06/14/13 15:56 -0400, Rodney Simioni wrote:
I did a 'openssl x509 -in wildcard.securesites.com.cert -text -noout'

I got 'CN=*.securesites.com'

My /etc/openldap/cacerts looks like:

TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts/wildcard.securesites.com.cert
URI ldap://fl1-lsh99apa007.securesites.com/
BASE dc=wh,dc=local

That looks like an ldap.conf file. Your certificate should be configured within your slapd config and not your client config, unless it is a self signed certificate.

See the manpage for slapd.conf or slapd-config, and the Admin Guide for the appropriate TLS config.

But when I do a ' ldapsearch -d -1 -x -LLL -ZZ', I get:

ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP fl1-lsh99apa007.securesites.com:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.227.2.90:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_close_socket: 3
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)

-----Original Message-----
From: Dan White [mailto:dwhite@olp.net]
Sent: Friday, June 14, 2013 3:45 PM
To: Rodney Simioni
Cc: openldap-technical@openldap.org
Subject: Re: LDAP and TLS

On 06/14/13 14:42 -0400, Rodney Simioni wrote:
Hi,

In order to for LDAP to work with TLS, does the certificate names need
to match the server name?

My admin gave me a certificate but it's called wildcard.com.cert, the
name of my server is not 'wildcard'.

Analyze the contents of the cert and verify the CN is really '*.example.com':

openssl x509 -in wildcard.com.cert -text -noout

If so, then your LDAP clients probably will accept it as a valid
certificate (this typically works for web browsers), but your mileage
may vary.

We have worked with a wild card certificate provider before. In
addition to offering a *.example.com cert, they may also offer a
certain number of tertiary certificates (e.g. ldap.example.com) priced
in with the wild card cert.

--
Dan White


This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio Inc. makes no warranty that this email is error or virus free.  Thank you.


--
Dan White
BTC Broadband
Network Admin Lead
Ph  918.366.0248 (direct)   main: (918)366-8000
Fax 918.366.6610            email: dwhite@olp.net
http://www.btcbroadband.com




--
Jason K. Brandt
Systems Administrator
Bradley University
(309) 677-2958