I am running a samba/ldap server with openldap 2.3 and CentOS 5.2. I have got a fully functional, replicating, ldap environment which I am trying to secure with TLS. I have very probably read every how to for ldap and TLS on the internet but I can't seem to get it to work correctly. I have created a CA, server certificate, signed it, and I've used the make-dummy-cert self signed certificate, etc. I've tried a dozen different ways. When I run authconfig-tui and change my authentication to use TLS, I get the error message Error:PEM routines:PEM_read_bio:no start lineem_lib.c:644:Expecting: TRUSTED CERTIFICATE and it quits working.

So - can anyone instruct me on how to make this work correctly? Also - can anyone explain to me how the certificates work with multiple servers? Do I need a separate certificate for each server? Any information will be helpful - thanks.

Seriously?? No one out there is sucessfully running a secure samba ldap environment? I would REALLY appeciate some help on this or any input on how others are doing this...

In my experience, anything related to OpenLDAP absolutely refuses to work with self-signed certificates, and unfortunately most certificate HOW-TOs only tell you how to make a self-signed cert. You need to make sure the CN for the CA cert is not a hostname, however the CN for your server cert does need to be the FQDN of the machine.

Read the documentation for the config files to make sure they have an option that points either to a CA bundle file that includes your CA cert, or a directory that includes it (or figure out where the default bundle/path is and add your CA cert there).

Basically your cert is failing validation because it's not trusted, which is either because the CA isn't trusted, or the cert itself is self-signed.

Self signed certificates work just fine with OpenLDAP, you just need to make sure the root self-signed public certificate, typically named cacert.pem, makes it into the ca-bundle.crt file in the cacerts directory. And it will need to be placed in that file for all the servers contacting that OpenLDAP instance.

I discovered the real reason for why, when running authconfig, one might receive one or more "Expecting: TRUSTED CERTIFICATE" errors. If you've configured the linux box to use LDAP at all, authconfig will automatically "rehash" the certificate directory. (Check the ldap.conf file for TLS_CERT* lines). During the "rehash" operation, for every file in the certificate directory that is not a valid PEM certificate file, you will get that warning/error printed out.

So, in reality, this is not actually an error for authconfig, but it appears to be, and it's damned alarming.

Solution: remove all non-certificate files from that directory.

I had placed a host key file that I was allowing the LDAP user to read in my cacert directory, and then began receiving the error. Renaming that file to start with a '.' also eliminated the error from occurring.