>From: fedora-list-bounces@xxxxxxxxxx
>[mailto:fedora-list-bounces@xxxxxxxxxx]On Behalf Of Craig White
>Sent: Monday, November 14, 2005 11:58 AM
>To: For users of Fedora Core releases
>Subject: RE: LDAP SSL Problems (was: service script (/etc/init.d/ldap))
>
>
>On Mon, 2005-11-14 at 11:25 -0800, Daniel B. Thurman wrote:
>
>> I think there is perhaps a problem in the way I have
>> created ssl certificates and may not have done it properly.
>> I would like to request instructions for creating the slapd.pem
>> file please? I used to do this the old way and had a hard
>> time trying to separate the CA cert, unsigned cert/key and
>> signed certs - so I don't know which one to use for ldap!
>----
>this is what I use...YMMV
>
>#### generate openldap certificate ####
># (ca.key must already exist, e.g. created with: openssl genrsa -out ca.key 2048)
>openssl req -config /usr/share/ssl/openssl.cnf -new -x509 -days 3650 \
>-key ca.key -out ca.cert
>openssl genrsa -out ldap.key 1024
>openssl req -config /usr/share/ssl/openssl.cnf -new -key ldap.key \
>-out ldap.csr
>openssl x509 -req -in ldap.csr -out ldap.cert -CA ca.cert -CAkey \
>ca.key -CAcreateserial -days 3650
>cp ca.cert /etc/ssl
>cp ca.key /etc/ssl
>cp ldap.key /etc/ssl
>cp ldap.csr /etc/ssl
>----
>>
>> I noticed that there has been a change from what I am used
>> to and that there is a new location for certificates and it is
>> at: /etc/pki/tls specifically. I tried all kinds of ways to
>> get this to work and it appears that for some reason, the ldap
>> programs are unable to find the certificate.
>>
>> I added TLS* directives in /etc/ldap.conf and in
>> /etc/openldap/slapd.conf (why the redundancy?) and put my created
>> certs in the /etc/openldap/cacerts directory.
>>
>> It appears from the ldapsearch debug output, that it will
>> only search for certificates in /etc/pki/tls directory and
>> *maybe* in /etc/openldap/cacerts (see the '#' in front
>> of that directory in the debug output). From the debug output,
>> it is not clear as to WHAT dir/file was attempted to be opened.
>----
>there are the server certs and the client certs and the CA -
>they are not
>necessarily the same. The server certs are as directed
>in /etc/openldap/slapd.conf and the client certs are typically in
>ldap.conf (perhaps both /etc/ldap.conf and /etc/openldap/ldap.conf) as
>the former is for padl stuff and the latter is for openldap
>client stuff
>such as ldapsearch
>----
>>
>> Here is the debug output I got:
>>
>> # ldapsearch -d -1 -H ldaps://ldap.cdkkt.com -b dc=cdkkt,dc=com -x
>> ldap_create
>> ldap_url_parse_ext(ldaps://ldap.cdkkt.com)
>> ldap_bind_s
>> ldap_simple_bind_s
>> ldap_sasl_bind_s
>> ldap_sasl_bind
>> ldap_send_initial_request
>> ldap_new_connection
>> ldap_int_open_connection
>> ldap_connect_to_host: TCP ldap.cdkkt.com:636
>> ldap_new_socket: 3
>> ldap_prepare_socket: 3
>> ldap_connect_to_host: Trying 216.99.218.205:636
>> ldap_connect_timeout: fd: 3 tm: -1 async: 0
>> ldap_ndelay_on: 3
>> ldap_is_sock_ready: 3
>> ldap_ndelay_off: 3
>> TLS: could not load client CA list (file:`',dir:`/etc/pki/tls/slapd.pem # /etc/openldap/cacerts').
>> TLS: error:0200A002:system library:opendir:No such file or directory ssl_cert.c:752
>> TLS: error:140D7002:SSL routines:SSL_add_dir_cert_subjects_to_stack:system lib ssl_cert.c:754
>> ldap_perror
>> ldap_bind: Can't contact LDAP server (-1)
>>
>> So what does it all mean? What file was attempted and why is it
>> that my TLS* directives are seemingly ignored in both places
>> specified in /etc/ldap.conf and in /etc/openldap/slapd.conf?
>----
>I don't know...I'm not one to debug openssl
>----
>>
>> I even copied to put my certificate in /etc/pki/tls/slapd.pem
>> since no slapd.pem existed there and oddly enough, a slapd.pem
>> did exist in: /etc/pki/tls/certs/slapd.pem - supposedly created
>> when I setup kerberos!
>>
>> Something is royally screwed up somewhere! Please help!
>----
>You might want to contact ldap@xxxxxxxxx or ldap-interop list
>http://lists.fini.net/mailman/listinfo/ldap-interop
>
>You also might want to look through Turbo's guide (software projects)
>
>http://www.bayour.com/
>
>Craig
>

Um, I tried your method for creating certs and it does not work in FC4 - I think you might be surprised that the "old way of doing things" has changed. This is what I was trying to tell you earlier.

First off, there is no /etc/ssl directory - I think this is now /etc/pki

Second, the openssl is looking for /usr/share/ssl/openssl.cnf of which /etc/share/ssl is no longer there. I think they moved things around so that openssl.cnf is now in /etc/pki/tls so in order to get openssl to work, you may now need to define where the openssl.cnf file is on the command line. openssl is probably being moved around. I have NO CLUE what is going on with openssl and FC4 - perhaps it is still a work in progress. dunno.

Another thing, when I was doing kerberos and got it running, there is a definite bug in /etc/init.d/ldap, line 74 where kinit was not found. The '$' was missing so that it should be $kinit and not stand-alone kinit since the script does not have the full pathname to kinit.

FC4 has a little ways to go to get things right again... sigh. I will play around some more before I give it up altogether.

Thanks for your help tho!

Dan
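An added example (my own Python, not code from anyone in this thread): the ldapsearch debug output above reports the CA directory as `/etc/pki/tls/slapd.pem # /etc/openldap/cacerts`, i.e. everything after the directive name, `#` and second path included, was taken as the directory name, and `opendir` then failed on it. ldap.conf(5) only treats a line whose first non-blank character is `#` as a comment; a trailing `# ...` is part of the value. The script below reads TLS path directives by those rules and reports values that cannot work (inline comment, missing path, file where a directory is expected). The function names, the config lines and the temporary files it creates are all constructed for the demonstration.

```python
"""Added example (not from the mailing-list thread): parse ldap.conf-style
TLS directives the way libldap does and report why a CA list could not be
loaded.  Config lines, paths and function names are constructed for the demo."""
import os
import tempfile

# Directives whose value is a path.  Everything after the directive name,
# up to end of line, is the value; ldap.conf has no inline comments.
PATH_DIRECTIVES = {"TLS_CACERT": "file", "TLS_CACERTDIR": "dir",
                   "TLS_CERT": "file", "TLS_KEY": "file"}


def parse_ldap_conf(text):
    """Return {DIRECTIVE: value} using ldap.conf(5) rules: blank lines and
    lines whose first non-blank character is '#' are ignored; the first
    whitespace-delimited token is the directive, the remainder its value."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name = parts[0].upper()          # directive names are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        directives[name] = value
    return directives


def check_tls_paths(directives):
    """Return a list of (directive, problem) tuples for path directives that
    cannot work as configured: a value still carrying an intended inline
    comment, a path that does not exist (the opendir failure in the debug
    output), or a file/directory mismatch."""
    findings = []
    for name, kind in PATH_DIRECTIVES.items():
        value = directives.get(name)
        if value is None:
            continue
        if "#" in value:
            findings.append((name, "value contains '#': ldap.conf has no "
                                   "inline comments, so it is part of the path"))
            continue  # the whole value is bogus; no point in stat()ing it
        if not os.path.exists(value):
            findings.append((name, "path does not exist"))
        elif kind == "dir" and not os.path.isdir(value):
            findings.append((name, "expected a directory, found a file"))
        elif kind == "file" and not os.path.isfile(value):
            findings.append((name, "expected a file, found a directory"))
    return findings


def demo():
    """Build a throwaway tree with a CA directory and a CA file, then check a
    broken and a corrected configuration.  Returns both findings lists."""
    root = tempfile.mkdtemp(prefix="ldapconf-")
    cacerts = os.path.join(root, "cacerts")
    os.mkdir(cacerts)
    ca_file = os.path.join(root, "ca.cert")
    with open(ca_file, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n")

    # Constructed: one line with a trailing comment, as the debug output suggests.
    broken = f"TLS_CACERTDIR {root}/slapd.pem # {cacerts}\n"
    # Corrected: one value per line, comments on their own line.
    fixed = (f"# CA certificates for ldapsearch\n"
             f"TLS_CACERT {ca_file}\n"
             f"TLS_CACERTDIR {cacerts}\n")
    return (check_tls_paths(parse_ldap_conf(broken)),
            check_tls_paths(parse_ldap_conf(fixed)))


if __name__ == "__main__":
    for label, findings in zip(("broken", "fixed"), demo()):
        print(label, findings or "OK")
```

Two things the checker does not cover: a `TLS_CACERTDIR` only works once the directory holds hash-named links to the certificates (OpenSSL's `c_rehash` layout), and `file:'' ` in the debug output means no `TLS_CACERT` was set at all, so a single CA file on its own line is the simpler fix when there is only one CA.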