LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (https://www.linuxquestions.org/questions/linux-server-73/)
-   -   openldap certificate (https://www.linuxquestions.org/questions/linux-server-73/openldap-certificate-4175480164/)

igor012 10-09-2013 09:43 AM

openldap certificate
 
Hello,
I have a working openldap (CentOS 6.4) server that I want to secure. So I created a new certificate with Tinyca2 and I exported the certificate and the key with no passphrase.
I have copied those files into /etc/openldap/certs

ldapsearch -x -d 1 returns
Code:

ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 192.168.50.1:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.50.1:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: certdb config: configDir='/etc/pki/tls/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/pki/tls/certs', error -8018:Unknown PKCS #11 error.
TLS: loaded CA certificate file /etc/pki/CA/certs/company-cacert.pem.
TLS: skipping 'ldap.company.fr-cert.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: skipping 'ca-bundle.trust.crt' - filename does not have expected format (certificate hash with numeric suffix)
TLS: skipping 'make-dummy-cert' - filename does not have expected format (certificate hash with numeric suffix)
TLS: skipping 'Makefile' - filename does not have expected format (certificate hash with numeric suffix)
TLS: skipping 'ldap.company.be-cert.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: skipping 'ca-bundle.crt' - filename does not have expected format (certificate hash with numeric suffix)
TLS: skipping 'company-cacert.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: error: connect - force handshake failure: errno 0 - moznss error -5938
TLS: can't connect: TLS error -5938:Encountered end of file.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

What am I missing?

Thanks

acid_kewpie 10-10-2013 03:20 AM

That's a pretty impressively descriptive error for each file, did you not just paste that into google? I did, and found that you need to call the file "<certificate hash>.0" where the hash comes from "openssl x509 -in <certificate> -hash". You may also have a tool, cacertdir_rehash script available to do this for you automatically.

igor012 10-14-2013 10:49 AM

Hello,
I have finally found out: the owner of the cert and key was not ldap.

Thanks
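The two things this thread turns on are the hash-named files libldap expects in a TLS_CACERTDIR (acid_kewpie's reply) and whether the service user can actually read the cert and key (igor012's own fix). The script below is an added example and is not code from either poster or from OpenLDAP; it rehashes a CA directory the way "openssl x509 -hash" naming requires and reports whether a given user can read each file. The function names, the directory /etc/openldap/cacerts and the user name ldap in the usage note are assumptions for illustration, and the permission check relies on GNU stat (Linux).

```shell
#!/bin/sh
# Added example, not from the thread: rehash a TLS_CACERTDIR and check that the
# slapd/ldap user can read the server certificate and key. Function names are
# illustrative; run as a user that can read the files you are checking.
set -u

# rehash_cacertdir DIR
# For every file in DIR that parses as an X.509 certificate, create a symlink
# <hash>.<n>, where <hash> is `openssl x509 -hash` of the certificate and <n>
# is the first free suffix (0, 1, ...). That is the naming libldap scans for
# ("certificate hash with numeric suffix"); anything else is skipped.
# Safe to rerun: a file already linked under its hash is left alone.
rehash_cacertdir() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.[0-9]|*.[0-9][0-9]) continue ;; esac   # existing links
        hash=$(openssl x509 -noout -hash -in "$f" 2>/dev/null) || continue
        n=0
        while [ -e "$dir/$hash.$n" ]; do
            [ "$(readlink "$dir/$hash.$n")" = "$(basename "$f")" ] && continue 2
            n=$((n + 1))
        done
        ln -s "$(basename "$f")" "$dir/$hash.$n"
    done
    return 0
}

# file_readable_by USER FILE
# Returns 0 if USER can read FILE by owner, group or world bits, 1 if not,
# 2 if the user or file does not exist. This is the check igor012's fix
# amounts to: the daemon runs as "ldap", so "ldap" must be able to read the
# cert and the key, regardless of who created them.
file_readable_by() {
    who=$1; path=$2
    id -u "$who" >/dev/null 2>&1 || { echo "no such user: $who" >&2; return 2; }
    owner=$(stat -c '%U' "$path" 2>/dev/null) || return 2
    group=$(stat -c '%G' "$path")
    perms=$(printf '%03d' "$(stat -c '%a' "$path")")
    perms=${perms#"${perms%???}"}                  # last three octal digits
    if [ "$who" = "$owner" ]; then
        bit=${perms%??}                            # owner digit
    elif id -Gn "$who" | tr ' ' '\n' | grep -qx "$group"; then
        bit=${perms#?}; bit=${bit%?}               # group digit
    else
        bit=${perms#??}                            # world digit
    fi
    [ $(( bit & 4 )) -ne 0 ]
}

# check_service_access USER FILE...
# Prints one line per file and returns 1 if any file is unreadable by USER.
check_service_access() {
    svc=$1; shift
    rc=0
    for f in "$@"; do
        if file_readable_by "$svc" "$f"; then
            printf '%s: readable by %s\n' "$f" "$svc"
        else
            printf '%s: NOT readable by %s (%s)\n' "$f" "$svc" \
                "$(stat -c 'owner %U:%G mode %a' "$f" 2>/dev/null || echo missing)"
            rc=1
        fi
    done
    return $rc
}
```

Source the file and call, for example, `rehash_cacertdir /etc/openldap/cacerts` followed by `check_service_access ldap /etc/openldap/certs/*.pem`. The hash links only need to exist for CA certificates; the server certificate and key are named directly in slapd.conf or cn=config. Keep the key readable by the service user alone (mode 0600 or 0640 with the ldap group), not world-readable, since the check above only tells you whether the daemon can open it, not whether anyone else can.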

