LinuxQuestions.org
Old 05-31-2012, 01:08 PM   #1
dgodbey
LQ Newbie
 
Registered: Jan 2006
Location: Bel Air MD
Distribution: Fedora
Posts: 16

Rep: Reputation: 1
Fedora 16 ldapsearch client via ssl won't work


I have installed Fedora 16 and yummed openldap client (ldapsearch version 2.4.26). The ldapsearch won't work for ssl, and I'm thinking that I must be missing something.

So:
This works:
ldapsearch -x -H ldap://xxxx:389 -b 'ou=xxx,dc=xxx,dc=gxxxov' "(& (givenName=firstname)(sn=lastname))"

but this:
ldapsearch -x -H ldaps://xxxx:636 -b 'ou=xxx,dc=xxx,dc=gxxxov' "(& (givenName=firstname)(sn=lastname))"

Returns ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I have an older server running Fedora 11 (ldapsearch version 2.4.15) where this works fine.

The directory server has a trusted cert, and it is not a firewall problem. Further, the newer server is running a java process (Liferay portal) that is authenticating to this very same directory over ssl.

SELinux is disabled.

What am I missing?
Thanks,
Dave
 
Old 05-31-2012, 11:44 PM   #2
stoggy
Member
 
Registered: Jun 2008
Location: Dallas, TX
Distribution: Slackware and FC
Posts: 104

Rep: Reputation: 20
Can you telnet to the host on port 636?

telnet hostname_or_IP 636


Maybe iptables is in the way? Also check that the server is listening on port 636; maybe it's on a non-standard port?


netstat -natpud | grep 636
 
Old 06-01-2012, 07:16 AM   #3
dgodbey
LQ Newbie
 
Registered: Jan 2006
Location: Bel Air MD
Distribution: Fedora
Posts: 16

Original Poster
Rep: Reputation: 1
I have an older server that has no problem authenticating to the directory. Telnet to 636: yes. I'm wondering whether, when installing Fedora 16 from media, it installed the necessary CA certs for Apache. Has that part of the installation changed?

Perhaps I should post this in an Apache or OpenLDAP group? It's more related to OpenLDAP and Apache than to Fedora 16, perhaps.
 
Old 06-01-2012, 07:18 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,384

Rep: Reputation: 1963
If you really are reaching the port, I would look at the SSL conversation occurring using Wireshark.
 
Old 06-01-2012, 10:17 AM   #5
dgodbey
LQ Newbie
 
Registered: Jan 2006
Location: Bel Air MD
Distribution: Fedora
Posts: 16

Original Poster
Rep: Reputation: 1
I have found the solution. To the ldap.conf file, add this:
TLS_CACERT /etc/pki/tls/cert.pem

The Fedora 16 installer put that cert.pem there for me out of the box. I just needed to show OpenLDAP the way. Interesting that my older server running Fedora 11 doesn't have this entry in ldap.conf. Strange.

Happily my Apache authenticating to this directory also started working with this change, so I'm doubly happy, and earned myself an extra gin gimlet tonight!
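An added check (not part of the thread) that audits an OpenLDAP client's ldap.conf for the directives behind this fix: it reports whether a CA bundle is configured and readable, and flags the other way to make the -1 error disappear, TLS_REQCERT never/allow, which turns off server certificate verification instead of fixing it. Directive names are the stock OpenLDAP ones; the config file paths and the probe helper are assumptions.

```shell
#!/bin/sh
# Audit an OpenLDAP client ldap.conf for the TLS settings that decide whether
# ldaps:// works and whether the server certificate is actually verified.
# Added example, not code from the thread. Paths passed in are constructed.
#
# Exit status: 0 = CA configured and readable, 1 = ldaps:// will fail for lack
# of a usable CA, 2 = verification has been switched off (weak, not a fix).
ldap_tls_check() {
    conf="$1"
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }
    # Directive names are case-insensitive and the last occurrence wins.
    # Comment lines begin with '#', so their first field never matches.
    cacert=$(awk 'tolower($1)=="tls_cacert"    {v=$2} END {print v}' "$conf")
    cadir=$(awk  'tolower($1)=="tls_cacertdir" {v=$2} END {print v}' "$conf")
    reqcert=$(awk 'tolower($1)=="tls_reqcert" {v=tolower($2)} END {print v}' "$conf")

    case "$reqcert" in
        never|allow)
            # The connection comes up, but any certificate is accepted, so an
            # interposed host can read the simple-bind password. Tempting for
            # the -1 error in this thread; TLS_CACERT is the right fix.
            echo "WEAK: TLS_REQCERT $reqcert disables server certificate verification"
            return 2 ;;
    esac
    if [ -n "$cacert" ] && [ -r "$cacert" ]; then
        echo "OK: server certificates verified against CA file $cacert"
        return 0
    fi
    if [ -n "$cadir" ] && [ -d "$cadir" ]; then
        echo "OK: server certificates verified against CA directory $cadir"
        return 0
    fi
    if [ -n "$cacert" ]; then
        echo "FAIL: TLS_CACERT $cacert is not readable"
    else
        echo "FAIL: no TLS_CACERT/TLS_CACERTDIR set; server certificate cannot be verified"
    fi
    return 1
}

# Independent of ldapsearch: show the server's chain and whether it verifies
# against a given CA bundle (needs network access; not exercised here).
ldap_tls_probe() {
    openssl s_client -connect "$1:636" -CAfile "$2" -verify_return_error \
        </dev/null 2>/dev/null | grep -E 'Verify return code|subject=|issuer='
}

if [ -n "$1" ]; then ldap_tls_check "$1"; fi
```

Run it as `sh ldap_tls_check.sh /etc/openldap/ldap.conf`; an OK result with a real CA file is what makes the ldaps:// bind in the thread succeed without weakening verification.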
 
All times are GMT -5.