open LDAP + TLS/SSL bind Failed.
Hi,
I am trying to configure an LDAP client/server on two Fedora 10 Linux machines. I have installed and configured openldap-2.4.26 server on one machine and pam_ldap-186, nss_ldap-265 on the other machine. I have created the TLS certificates using the following command on the server:

    openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650

and I have created client.pem by copying the CERTIFICATE portion of server.pem. When my client tries to connect to the server I get the following errors:

    TLS trace: SSL3 alert read:fatal:unknown CA
    TLS trace: SSL_accept:failed in SSLv3 read client certificate A
    TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
    connection_read(12): TLS accept failure error=-1 id=1012, closing
    connection_closing: readying conn=1012 sd=12 for close
    connection_close: conn=1012 sd=12
    daemon: removing 12
    conn=1012 fd=12 closed (TLS negotiation failure)

My configurations are as follows.

slapd.conf:

    access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
    access to *
        by * read
    #TLS Certificate section
    TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
    TLSCACertificateFile /etc/openldap/cacerts/server.pem
    TLSCertificateFile /etc/openldap/cacerts/server.pem
    TLSCertificateKeyFile /etc/openldap/cacerts/server.pem
    TLSVerifyClient allow

and the client side ldap.conf:

    base dc=samsung,dc=com
    uri ldaps://10.254.204.181/
    TLS_CACERT /etc/openldap/cacerts/client.pem
    pam_password md5

nsswitch.conf:

    passwd: files ldap
    shadow: files ldap
    group: files ldap
    netgroup: files ldap
    automount: files ldap

I am not getting why it is saying "unknown ca", even though the certificate is created on the server machine itself. Kindly help me to solve this problem.
SSL Cert
Hi,
Your SSL cert is not a signed cert. What you've done with that openssl command is just step 1 in creating valid certs. "openssl req" creates a signing request, but does not actually sign it. Also, the request and the key should be different files, i.e.:

    openssl req -newkey rsa:1024 -x509 -nodes -out server.req -keyout server.pem -days 3650

You also need to have an openssl CA, and then sign the server.req file using openssl x509. OpenSSL usually ships with a program called CA.pl or CA.sh. On my system it's in /etc/pki/tls/misc/CA.pl. If you learn how to use this, it will make it easier for you to create a CA, then sign the certificate.

Regards
Glen Ogilvie
Hi Glen Ogilvie, thank you very much for your reply.

I followed the steps given in the link below for certificate creation and LDAP TLS/SSL configuration: http://www.linuxhomenetworking.com/w...he_LDAP_Client

I have the CA.sh file in /etc/pki/tls/misc. Please let me know how I can use this to create/sign the certificate. Please let me know the steps for creating/signing a certificate, and if there is any proper document for this please let me know.

Thanks and Regards,
Vijay S
Try http://octaldream.com/~scottm/talks/ssl/opensslca.html for some documentation for CA.sh.

Official doc: http://www.openssl.org/docs/apps/ca.html

CA.sh is a shell script you run, with specific options to create a CA and to sign certs.

Regards
Glen Ogilvie
Hi Glen Ogilvie,
I have created the server side certificate properly, but I couldn't create the client side one. I am not able to understand the step for client side certificate creation.

Or can I copy the certificate files created at the server side to the client side?
Thank you very much Glen Ogilvie.
Now my client is able to communicate with the LDAP server using TLS/SSL. I followed the steps given in the link you suggested, http://octaldream.com/~scottm/talks/ssl/opensslca.html, copied the cacert.pem file created at the server side to the client, and specified its path in ldap.conf.

One more step I was doing wrong: I was giving the IP address in the URI. I changed

    uri ldaps://10.254.204.181/

to

    uri ldaps://localhost.localdomain/

and added the entry for localhost.localdomain in /etc/hosts at both server and client side as follows:

    10.254.204.181 localhost.localdomain

Thank you very much.

Warm Regards,
Vijay S.
Hi Glen Ogilvie,
At the server side, if I use "TLSVerifyClient demand" then I am not able to authenticate with the server. I tried copying the server certificate to the client side also, but it didn't work. Kindly suggest me some solution.
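The thread turns on three checks that libldap and slapd perform during the TLS handshake: whether the peer's certificate chains to a CA in the configured CA file (the "unknown ca" alert when it does not), whether the server certificate matches the host named in the ldaps:// URI, and, with "TLSVerifyClient demand", whether the client presents a certificate that chains to the server's TLSCACertificateFile. The script below is an added example, not code from the thread, CA.sh or the linked pages. It builds a small CA in a temporary directory, signs one server and one client certificate with it, and runs the same verifications with openssl so each failure mode can be reproduced offline. The CA name, the client CN "ldap-client-1" and the file names under $WORK are constructed; the host name and IP are the ones from the thread.

```shell
#!/bin/sh
# Added example: a small OpenSSL CA plus the verification checks that decide
# whether an OpenLDAP TLS handshake succeeds. Everything is written under a
# temporary directory; nothing here touches /etc/openldap.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="localhost.localdomain"   # must match the host in "uri ldaps://HOST/"
IP="10.254.204.181"            # goes into the SAN so an IP URI would also verify

# Self-signed CA. This cacert.pem is what belongs in TLS_CACERT on the client
# and in TLSCACertificateFile on the server (not the server's own cert).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example LDAP CA (constructed)" \
    -keyout "$WORK/ca.key" -out "$WORK/cacert.pem" 2>/dev/null
}

# issue_cert CN NAME EKU [SAN]: key + CSR for CN, then sign it with the CA.
# EKU is serverAuth for slapd's cert or clientAuth for a TLSVerifyClient cert.
issue_cert() {
  cn="$1"; name="$2"; eku="$3"; san="${4:-}"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  ext="$WORK/$name.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$eku" > "$ext"
  if [ -n "$san" ]; then printf 'subjectAltName=%s\n' "$san" >> "$ext"; fi
  openssl x509 -req -days 825 -in "$WORK/$name.csr" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
}

# The original post's approach: a self-signed cert that no CA file vouches for.
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$HOST" \
    -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null
}

# chain_ok CERT CAFILE: 0 if CERT chains to CAFILE. A peer that cannot build
# this chain is the one that sends the "unknown ca" alert.
chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# host_ok CERT HOST: chain check plus the host-name match a client applies
# against the host in its ldaps:// URI (SAN DNS entries, CN as fallback).
host_ok() {
  openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$2" "$1" \
    >/dev/null 2>&1
}

# ip_ok CERT IP: same, for an IP literal in the URI (needs an IP SAN).
ip_ok() {
  openssl verify -CAfile "$WORK/cacert.pem" -verify_ip "$2" "$1" \
    >/dev/null 2>&1
}

report() { if "$@"; then echo "ok   : $*"; else echo "FAIL : $*"; fi; }

demo() {
  make_ca
  issue_cert "$HOST" server serverAuth "DNS:$HOST,IP:$IP"
  issue_cert "ldap-client-1" client clientAuth
  make_selfsigned
  report chain_ok "$WORK/server.pem" "$WORK/cacert.pem"   # server trusted by CA
  report chain_ok "$WORK/client.pem" "$WORK/cacert.pem"   # client cert for "demand"
  report chain_ok "$WORK/self.pem"   "$WORK/cacert.pem"   # FAIL: the "unknown ca" case
  report chain_ok "$WORK/self.pem"   "$WORK/self.pem"     # self-signed trusted by itself
  report host_ok  "$WORK/server.pem" "$HOST"              # host in URI matches
  report host_ok  "$WORK/server.pem" "ldap.example.test"  # FAIL: URI host mismatch
  report ip_ok    "$WORK/server.pem" "$IP"                # IP URI works via the SAN
  echo "files in $WORK"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

With the files produced, the server would use server.pem/server.key as TLSCertificateFile/TLSCertificateKeyFile and cacert.pem as TLSCACertificateFile; the client would point TLS_CACERT at a copy of cacert.pem and, for "TLSVerifyClient demand", TLS_CERT and TLS_KEY at client.pem/client.key. The two lines marked FAIL reproduce the thread's two problems: a server certificate whose issuer is absent from the client's CA file, and a URI host that does not match the certificate.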