LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices



Reply
 
Search this Thread
Old 12-18-2008, 03:07 PM   #1
pazzport
Member
 
Registered: Dec 2004
Posts: 47

Rep: Reputation: 16
Openlap + TLS not working due to certificate issues


I am running a samba/ldap server with openldap 2.3 and CentOS 5.2. I have got a fully functional, replicating, ldap environment which I am trying to secure with TLS. I have very probably read every how to for ldap and TLS on the internet but I can't seem to get it to work correctly. I have created a CA, server certificate, signed it, and I've used the make-dummy-cert self signed certificate, etc. I've tried a dozen different ways. When I run authconfig-tui and change my authentication to use TLS, I get the error message Error:PEM routines:PEM_read_bio:no start lineem_lib.c:644:Expecting: TRUSTED CERTIFICATE and it quits working.

So - can anyone instruct me on how to make this work correctly? Also - can anyone explain to me how the certificates work with multiple servers? Do I need a separate certificate for each server? Any information will be helpful - thanks.
 
Old 12-30-2008, 12:57 AM   #2
pazzport
Member
 
Registered: Dec 2004
Posts: 47

Original Poster
Rep: Reputation: 16
Seriously?? No one out there is sucessfully running a secure samba ldap environment? I would REALLY appeciate some help on this or any input on how others are doing this...
 
Old 12-30-2008, 01:27 AM   #3
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
In my experience, anything related to OpenLDAP absolutely refuses to work with self-signed certificates, and unfortunately most certificate HOW-TOs only tell you how to make a self-signed cert. You need to make sure the CN for the CA cert is not a hostname, however the CN for your server cert does need to be the FQDN of the machine.

Read the documentation for the config files to make sure they have an option that points either to a CA bundle file that includes your CA cert, or a directory that includes it (or figure out where the default bundle/path is and add your CA cert there).

Basically your cert is failing validation because it's not trusted, which is either because the CA isn't trusted, or the cert itself is self-signed.
 
Old 03-30-2009, 05:24 PM   #4
5mi11er
LQ Newbie
 
Registered: Aug 2004
Posts: 14

Rep: Reputation: 0
Lightbulb self-signed certs work with Open LDAP + fix for Expecting: TRUSTED CERTIFICATE

Self signed certificates work just fine with OpenLDAP, you just need to make sure the root self-signed public certificate, typically named cacert.pem, makes it into the ca-bundle.crt file in the cacerts directory. And it will need to be placed in that file for all the servers contacting that OpenLDAP instance.

I discovered the real reason for why, when running authconfig, one might receive one or more "Expecting: TRUSTED CERTIFICATE" errors. If you've configured the linux box to use LDAP at all, authconfig will automatically "rehash" the certificate directory. (Check the ldap.conf file for TLS_CERT* lines). During the "rehash" operation, for every file in the certificate directory that is not a valid PEM certificate file, you will get that warning/error printed out.

So, in reality, this is not actually an error for authconfig, but it appears to be, and it's damned alarming.

Solution: remove all non-certificate files from that directory.

I had placed a host key file that I was allowing the LDAP user to read in my cacert directory, and then began receiving the error. Renaming that file to start with a '.' also eliminated the error from occurring.
 
  


Reply

Tags
authconfig, certificates, ldap, linux, openldap


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
PHP Slackware Get TLS/SSL Working xeross Linux - Server 4 08-31-2008 11:42 AM
LXer: GnuTLS Release Removes TLS Authorization Due to Patent Issue LXer Syndicated Linux News 0 10-22-2007 02:50 AM
"Server certificate not installed" - obscure TLS issue (fix) gracecourt Linux - Security 1 05-30-2007 05:09 PM
Kernel Deleted due to Upgrade, Cannot Reinstall Kernel due to Dependency Issues Kenji Miyamoto Debian 2 02-17-2007 10:44 AM
nVidia TLS Issues raven.sorrow Linux - General 8 11-28-2005 08:07 PM


All times are GMT -5. The time now is 11:30 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration