On Mon, 2005-11-14 at 11:25 -0800, Daniel B. Thurman wrote:

> I think there is perhaps a problem in the way I have
> created ssl certificates and may not have done it properly.
> I would like to request instructions for creating the slapd.pem
> file please? I used to do this the old way and had a hard
> time trying to separate the CA cert, unsigned cert/key and
> signed certs - so I don't know which one to use for ldap!

----
this is what I use...YMMV

#### generate openldap certificate ####
# (line not in the original post: ca.key must exist before it is used below)
openssl genrsa -out ca.key 1024
openssl req -config /usr/share/ssl/openssl.cnf -new -x509 -days 3650 \
  -key ca.key -out ca.cert
openssl genrsa -out ldap.key 1024
openssl req -config /usr/share/ssl/openssl.cnf -new -key ldap.key \
  -out ldap.csr
openssl x509 -req -in ldap.csr -out ldap.cert -CA ca.cert -CAkey \
  ca.key -CAcreateserial -days 3650
cp ca.cert /etc/ssl
cp ca.key /etc/ssl
cp ldap.key /etc/ssl
cp ldap.csr /etc/ssl
----

> I noticed that there has been a change from what I am used
> to and that there is a new location for certificates and it is
> at: /etc/pki/tls specifically. I tried all kinds of ways to
> get this to work and it appears that for some reason, the ldap
> programs are unable to find the certificate.
>
> I added TLS* directives in /etc/ldap.conf and in
> /etc/openldap/slapd.conf (why the redundancy?) and put my created
> certs in the /etc/openldap/cacerts directory.
>
> It appears from the ldapsearch debug output, that it will
> only search for certificates in /etc/pki/tls directory and
> *maybe* in /etc/openldap/cacerts (see the '#' in front
> of that directory in the debug output). From the debug output,
> it is not clear as to WHAT dir/file was attempted to be opened.

----
there are the server certs and the client certs and the CA - they are not necessarily the same.
The server certs are as directed in /etc/openldap/slapd.conf and the client certs are typically in ldap.conf (perhaps both /etc/ldap.conf and /etc/openldap/ldap.conf) as the former is for padl stuff and the latter is for openldap client stuff such as ldapsearch
----

> Here is the debug output I got:
>
> # ldapsearch -d -1 -H ldaps://ldap.cdkkt.com -b dc=cdkkt,dc=com -x
> ldap_create
> ldap_url_parse_ext(ldaps://ldap.cdkkt.com)
> ldap_bind_s
> ldap_simple_bind_s
> ldap_sasl_bind_s
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection
> ldap_int_open_connection
> ldap_connect_to_host: TCP ldap.cdkkt.com:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 216.99.218.205:636
> ldap_connect_timeout: fd: 3 tm: -1 async: 0
> ldap_ndelay_on: 3
> ldap_is_sock_ready: 3
> ldap_ndelay_off: 3
> TLS: could not load client CA list (file:`',dir:`/etc/pki/tls/slapd.pem # /etc/openldap/cacerts').
> TLS: error:0200A002:system library:opendir:No such file or directory ssl_cert.c:752
> TLS: error:140D7002:SSL routines:SSL_add_dir_cert_subjects_to_stack:system lib ssl_cert.c:754
> ldap_perror
> ldap_bind: Can't contact LDAP server (-1)
>
> So what does it all mean? What file was attempted and why is it
> that my TLS* directives are seemingly ignored in both places
> specified in /etc/ldap.conf and in /etc/openldap/slapd.conf?

----
I don't know...I'm not one to debug openssl
----

> I even copied my certificate to /etc/pki/tls/slapd.pem
> since no slapd.pem existed there and oddly enough, a slapd.pem
> did exist in: /etc/pki/tls/certs/slapd.pem - supposedly created
> when I set up kerberos!
>
> Something is royally screwed up somewhere! Please help!
----
You might want to contact ldap@xxxxxxxxx or the ldap-interop list
http://lists.fini.net/mailman/listinfo/ldap-interop

You also might want to look through Turbo's guide (software projects)
http://www.bayour.com/

Craig
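The following script is an added example and is not part of the thread or of anything Craig or Daniel posted. It walks the same openssl steps as the recipe above (CA key and self-signed CA cert, server key, CSR, CA-signed server cert), verifies that the server cert actually chains to the CA, assembles a combined slapd.pem, and then checks the client-side TLS_CACERT / TLS_CACERTDIR values in an ldap.conf-style file. The check covers the pattern visible in the debug output above, where the directory value reads `/etc/pki/tls/slapd.pem # /etc/openldap/cacerts`: OpenLDAP's ldap.conf treats `#` as a comment only at the start of a line, so trailing text ends up as part of the value. Every path, hostname and subject name is a placeholder; the 2048-bit key size, the subjects and the combined-file layout are this example's choices, not the thread's.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a CA and a CA-signed server
# certificate with the same openssl steps as the posted recipe, verifies that
# the server cert chains to the CA, and checks the client-side TLS_CACERT /
# TLS_CACERTDIR settings in an ldap.conf-style file. All paths, hostnames
# and subject names are placeholders.
set -eu

# Generate ca.key, ca.cert, ldap.key, ldap.csr and ldap.cert inside $1 for the
# server name $2. Key size and subject names are this example's choice.
make_chain() {
    dir="$1"; cn="$2"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$dir/ca.key" -out "$dir/ca.cert" \
        -subj "/CN=Example LDAP CA" 2>/dev/null
    openssl genrsa -out "$dir/ldap.key" 2048 2>/dev/null
    openssl req -new -key "$dir/ldap.key" -out "$dir/ldap.csr" \
        -subj "/CN=$cn" 2>/dev/null
    openssl x509 -req -in "$dir/ldap.csr" -out "$dir/ldap.cert" \
        -CA "$dir/ca.cert" -CAkey "$dir/ca.key" -CAcreateserial -days 3650 2>/dev/null
    # One combined slapd.pem (server cert, then its key): a layout slapd can be
    # pointed at by naming it in both TLSCertificateFile and TLSCertificateKeyFile.
    cat "$dir/ldap.cert" "$dir/ldap.key" > "$dir/slapd.pem"
    chmod 600 "$dir/ca.key" "$dir/ldap.key" "$dir/slapd.pem"
}

# Returns 0 when ldap.cert was signed by ca.cert, i.e. ca.cert is the file the
# client's TLS_CACERT (or slapd's TLSCACertificateFile) must reference.
verify_chain() {
    openssl verify -CAfile "$1/ca.cert" "$1/ldap.cert" >/dev/null 2>&1
}

# Report TLS_CACERT / TLS_CACERTDIR lines whose value contains a '#' (OpenLDAP
# reads '#' as a comment only at the start of a line, so trailing text becomes
# part of the value) or whose path does not exist. Returns 1 on any finding.
check_ldap_conf() {
    rc=0
    while IFS= read -r line; do
        case "$line" in \#*|'') continue ;; esac
        key=${line%%[[:space:]]*}
        val=$(printf '%s' "${line#"$key"}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$key" in TLS_CACERT|TLS_CACERTDIR) ;; *) continue ;; esac
        case "$val" in
            *\#*) echo "$key: value '$val' contains '#' (trailing comment?)"; rc=1; continue ;;
        esac
        [ -e "$val" ] || { echo "$key: '$val' does not exist"; rc=1; }
    done < "$1"
    return $rc
}

# Demo (skipped when openssl is not installed): build the chain in a temp dir,
# then check a constructed ldap.conf with one bad line and one good line.
if command -v openssl >/dev/null 2>&1; then
    WORK=$(mktemp -d)
    make_chain "$WORK" "ldap.example.invalid"
    verify_chain "$WORK" && echo "chain OK: $WORK/ldap.cert is signed by $WORK/ca.cert"
    printf 'TLS_CACERTDIR %s # /etc/openldap/cacerts\nTLS_CACERT %s/ca.cert\n' \
        "$WORK" "$WORK" > "$WORK/ldap.conf"
    check_ldap_conf "$WORK/ldap.conf" || echo "ldap.conf needs fixing"
fi
```

Run it as a plain `sh` script. `verify_chain` answers the "which cert goes where" question directly: the file that makes `openssl verify -CAfile` succeed is the CA cert a client needs in TLS_CACERT, while ldap.cert and ldap.key are what slapd serves. `check_ldap_conf` is a pure-shell check, so it can be run against a real /etc/openldap/ldap.conf or /etc/ldap.conf without openssl present; any line it flags is one the library will try to open literally, trailing comment and all.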