TLS Error with LDAP Cert
Hello all,
I am trying to enable TLS on our LDAP server. When I test with the server I get:
Code:
ldapsearch -x -b "dc=example,dc=com" -ZZ
Thanks! |
The error message says it all: The certificate issuer is not in the list of trusted certificate authorities on the client system.
How did you obtain or generate the certificate? |
Also ensure the CN of your server certificate matches the actual name of your LDAP server.
Thanks |
I created the cert:
Code:
[root@ldap-01 certs]# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/ldap.pem -keyout /etc/pki/tls/certs/ldapkey.pem -days 3650
[root@ldap-01 certs]# cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif | grep olcTLSCertificate
[root@nr-client cacerts]# wget http://10.0.32.58/ldap.pem
[root@ldap-01 cacerts]# LDAPTLS_CACERTDIR=/etc/openldap/cacerts ldapsearch -d 1 -xLLL -s base -b ""
[root@ldap-01 openldap]# hostname |
Continuing to troubleshoot this, I managed to find some other steps that MIGHT have been missing?
On the server I created a CA cert and then used that to sign my ldap.pem file:
Code:
CREATE CA
LDAPTLS_CACERTDIR=/etc/pki/CA/newcerts/ ldapsearch -d 1 -xLLL -s base -b ""
LDAPTLS_CACERTDIR=/etc/openldap/cacerts ldapsearch -d 1 -xLLL -s base -b ""
Thoughts? Thanks! |
A client validates an X.509 certificate by checking the cryptographic signature. To do this, the client must be able to access the issuer's certificate, and the issuer of the issuer's certificate, and so on all the way up to the top of the chain (the root CA).
Validation may fail for several reasons:
You're generating your own certificates with openssl. Such certificates can be validated by precisely no-one. When using X.509 certificates, you'll either have to use certificates issued by a CA participating in the PKI infrastructure on the Internet (which means paying for every certificate), create your own public key infrastructure and distribute root certificates manually to all clients, or disable certificate validation altogether. |
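The "create your own PKI and distribute the root certificate" option from the reply above, as an added example that is not part of the thread: a bash script that builds a private CA with openssl, issues a server certificate for the LDAP host with the name in subjectAltName, and then runs the two checks a client performs (chain validation and host-name match), plus the failing check a client without the CA certificate sees. The host name ldap-01.example.com, the file names, key sizes and validity periods are assumptions for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: private CA, server certificate for the
# LDAP host, and the verification an OpenLDAP client performs once ca.pem
# (and only ca.pem, never ca.key) is copied into the client's trust store.
set -eu

WORK="${WORK:-$(mktemp -d)}"
LDAP_HOST="${LDAP_HOST:-ldap-01.example.com}"   # assumed FQDN; clients must connect using this name

# Minimal req config (subject comes from -subj) and the extensions that
# distinguish a CA certificate from a server certificate.
write_config() {
  cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
EOF
  cat > "$WORK/ext.cnf" <<EOF
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$LDAP_HOST
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Self-signed root CA. ca.key stays on the signing host; ca.pem is what clients trust.
make_ca() {
  write_config
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=Example Private CA" -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 -sha256 \
    -extfile "$WORK/ext.cnf" -extensions ca_ext -out "$WORK/ca.pem" 2>/dev/null
}

# Server certificate signed by the CA; the host name goes into subjectAltName,
# which is what current clients match (CN alone is not enough).
issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=$LDAP_HOST" -keyout "$WORK/ldapkey.pem" -out "$WORK/ldap.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/ldap.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha256 \
    -extfile "$WORK/ext.cnf" -extensions server_ext -out "$WORK/ldap.pem" 2>/dev/null
}

# Check 1, as done by a client that trusts ca.pem: signature chain up to the root.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/ldap.pem" >/dev/null 2>&1
}

# Check 2: the certificate must be for the name the client connected to.
verify_hostname() {
  local out
  out=$(openssl x509 -in "$WORK/ldap.pem" -noout -checkhost "$1")
  case "$out" in
    *"does match"*) return 0 ;;
    *) return 1 ;;
  esac
}

# What a client WITHOUT ca.pem sees: unknown issuer, chain cannot be built.
# This is the failure the thread started with.
verify_without_ca() {
  openssl verify -no-CAfile -no-CApath "$WORK/ldap.pem" >/dev/null 2>&1
}

make_ca
issue_server_cert
verify_chain
echo "chain OK when ca.pem is trusted"
verify_hostname "$LDAP_HOST"
echo "host name $LDAP_HOST matches the certificate"
verify_without_ca || echo "verification fails without ca.pem (expected)"
# Publish this fingerprint out of band so a client can check the ca.pem it fetched.
openssl x509 -in "$WORK/ca.pem" -noout -fingerprint -sha256
```

On the server, slapd then needs olcTLSCertificateFile pointing at ldap.pem, olcTLSCertificateKeyFile at ldapkey.pem and olcTLSCACertificateFile at ca.pem. On each client, ca.pem goes wherever TLS_CACERT in ldap.conf points; the client never needs ldap.pem or the keys. Copying ca.pem over plain HTTP, as the thread does with wget, is only safe if the SHA-256 fingerprint printed above is compared against the copy on the client, because the HTTP fetch itself is unauthenticated.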
How would I go about disabling certificate validation? |
Have you seen this thread on stackoverflow.com?
Apparently, adding "TLS_REQCERT ALLOW" to the local or global configuration file will disable certificate verification. I haven't tried it myself, though. |
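The setting mentioned in the reply above, with its hardened counterpart, as an added configuration example that is not part of the thread (paths are assumptions). TLS_REQCERT accepts never, allow, try and demand; demand is the default. With allow the client continues even when the server's certificate is bad or missing, and with never it does not ask for one at all, so anyone on the path can present their own certificate and read the simple-bind password and the query results.

```text
# /etc/openldap/ldap.conf (or ~/.ldaprc)

# WEAK: the thread's workaround. The connection is still encrypted, but the
# client no longer knows who it is talking to.
TLS_REQCERT allow

# CORRECTED: require a certificate and validate it against the private CA
# whose certificate was distributed to every client.
TLS_CACERT  /etc/openldap/cacerts/ca.pem
TLS_REQCERT demand
```

Disabling validation is acceptable only for a one-off test to confirm that the TLS handshake itself works; the fix for the original error is to get the CA certificate onto the client, not to stop checking it.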
Not sure if it helps, but I've been playing with 389 all weekend and I set up the SSL using this script.
https://github.com/richm/scripts/blo...r/setupssl2.sh Lazy, I know, but until I understand 389 better I'd rather use it. |
Ser Olmy, I did try that originally and it failed me (just to make the new LDAP more confusing...)
I'll give that a shot, andrew! Thanks! |
I am now getting a different error... maybe a good thing?
additional info: TLS error -8157:Certificate extension not found |