Openlap + TLS not working due to certificate issues
Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
I am running a samba/ldap server with openldap 2.3 and CentOS 5.2. I have got a fully functional, replicating, ldap environment which I am trying to secure with TLS. I have very probably read every how to for ldap and TLS on the internet but I can't seem to get it to work correctly. I have created a CA, server certificate, signed it, and I've used the make-dummy-cert self signed certificate, etc. I've tried a dozen different ways. When I run authconfig-tui and change my authentication to use TLS, I get the error message Error:PEM routines:PEM_read_bio:no start lineem_lib.c:644:Expecting: TRUSTED CERTIFICATE and it quits working.
So - can anyone instruct me on how to make this work correctly? Also - can anyone explain to me how the certificates work with multiple servers? Do I need a separate certificate for each server? Any information will be helpful - thanks.
Seriously?? No one out there is sucessfully running a secure samba ldap environment? I would REALLY appeciate some help on this or any input on how others are doing this...
Distribution: OpenBSD 4.5-beta, OS X 10.5.6, CentOS 4 & 5
Posts: 3,631
Thanked: 14
In my experience, anything related to OpenLDAP absolutely refuses to work with self-signed certificates, and unfortunately most certificate HOW-TOs only tell you how to make a self-signed cert. You need to make sure the CN for the CA cert is not a hostname, however the CN for your server cert does need to be the FQDN of the machine.
Read the documentation for the config files to make sure they have an option that points either to a CA bundle file that includes your CA cert, or a directory that includes it (or figure out where the default bundle/path is and add your CA cert there).
Basically your cert is failing validation because it's not trusted, which is either because the CA isn't trusted, or the cert itself is self-signed.
self-signed certs work with Open LDAP + fix for Expecting: TRUSTED CERTIFICATE
Self signed certificates work just fine with OpenLDAP, you just need to make sure the root self-signed public certificate, typically named cacert.pem, makes it into the ca-bundle.crt file in the cacerts directory. And it will need to be placed in that file for all the servers contacting that OpenLDAP instance.
I discovered the real reason for why, when running authconfig, one might receive one or more "Expecting: TRUSTED CERTIFICATE" errors. If you've configured the linux box to use LDAP at all, authconfig will automatically "rehash" the certificate directory. (Check the ldap.conf file for TLS_CERT* lines). During the "rehash" operation, for every file in the certificate directory that is not a valid PEM certificate file, you will get that warning/error printed out.
So, in reality, this is not actually an error for authconfig, but it appears to be, and it's damned alarming.
Solution: remove all non-certificate files from that directory.
I had placed a host key file that I was allowing the LDAP user to read in my cacert directory, and then began receiving the error. Renaming that file to start with a '.' also eliminated the error from occurring.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
em_lib.c:644:Expecting: TRUSTED CERTIFICATE and it quits working. 
self-signed certs work with Open LDAP + fix for Expecting: TRUSTED CERTIFICATE
