On 12/12/2011 19:24, Howard Chu wrote:
> reyman wrote:
>> You have a self signed certificate,
> Correct.
>> so you don't need to verify your certificate. When you activate the tls on ldap, you only need these two lines, and you don't need the line with certificate verification, olcTLSCACertificateFile:
> Wrong.
It's true and false: with Debian and OpenLDAP compiled with GnuTLS (my case), I read this documentation, http://wiki.debian.org/LDAP/OpenLDAPSetup, and they said:
Procedure:
You're going to need the gnutls certificate generator: certtool. Run these two commands to generate a new self-signed key (into the current working directory):
    certtool --generate-privkey --outfile ca-key.pem
    certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem
Then, update your certificate locations in /etc/ldap/slapd.conf (TLSCertificateFile points to ca-cert.pem and TLSCertificateKeyFile points to ca-key.pem), comment out TLSCACertificateFile, and change TLSVerifyClient to never. In /etc/ldap/ldap.conf, comment out TLS_CACERT and change TLS_REQCERT to never.
Since the certificate is self-signed, we can't have gnutls trying to verify it (hence the never), otherwise it will never run.
And RTFM is a little violent; I try to help with my little experience, I'm not an expert for sure.
Best regards,
SR.
> RTFM.
> http://www.openldap.org/doc/admin24/tls.html
> On Mon, Dec 12, 2011 at 12:31 PM, Jayavant Patil <jayavant.patil82@gmail.com> wrote:
>> Hi,
>> On Mon, Dec 12, 2011 at 4:19 PM, reyman <reyman64@gmail.com> wrote:
>>> With the option -ZZ I think, try this
>>> ldapsearch -x -LLL -ZZ -d 150
>> Yeah, it shows output containing ber_dump, ldap_write, ldap_read, tls_write, tls_read etc. But at the end it shows the following:
>> TLS certificate verification: Error, self signed certificate
>> TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate).
>> ldap_start_tls: Connect error (-11)
>>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate)
>> Why does it show an error? And how do I resolve this?
>> And when I do ldapsearch with the -ZZ option it gives an error:
>> $ ldapsearch -x -v -D "cn=root,dc=abc,dc=com" -w cluster -b "ou=People,dc=abc,dc=com" "uid=ldap_6" -h n0 -ZZ
>> ldap_initialize( ldap://n0 )
>> ldap_start_tls: Connect error (-11)
>>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>> On Mon, Dec 12, 2011 at 11:21 AM, Jayavant Patil <jayavant.patil82@gmail.com> wrote:
>>>> Hi,
>>>> I am using openldap-2.4.19-4.x86_64 on a fedora 12 machine. I have enabled openldap SSL/TLS. How do I know (test) that I am using SSL/TLS connections instead of normal ldap:///?
>> --
>> Thanks & Regards,
>> Jayavant Ningoji Patil
>> Engineer: System Software
>> Computational Research Laboratories Ltd.
>> Pune-411 004.
>> Maharashtra, India.
>> +91 9923536030.
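As an added example that is not part of this thread: a small POSIX shell audit of ldap.conf client settings that separates the three situations the thread touches on: a self-signed server cert with no TLS_CACERT configured (which fails exactly like the ldapsearch -ZZ output above), the Debian wiki's TLS_REQCERT never workaround (which skips server verification entirely), and the admin-guide route Howard's link points to, where TLS_CACERT names the self-signed certificate so it can actually be verified. The file paths and the three config files are constructed for the demo; the classification of TLS_REQCERT values follows ldap.conf(5) as I read it.

```shell
#!/bin/sh
# Added example, not from this thread: audit an ldap.conf-style client config
# for how it handles server certificate verification. Paths and file contents
# below are constructed for the demo.

# Print the last value given for KEY ($2) in file ($1), ldap.conf syntax:
# "KEY value" per line, '#' starts a comment. Prints nothing if KEY is absent.
ldap_conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Classify a client config as one of:
#   verification-disabled : TLS_REQCERT never/allow, any server cert is accepted
#   no-cacert             : verification on, but no trust anchor configured, so a
#                           self-signed server cert fails (the -ZZ error in the thread)
#   verification-enabled  : verification on and TLS_CACERT or TLS_CACERTDIR set
ldap_tls_status() {
    reqcert=$(ldap_conf_value "$1" TLS_REQCERT | tr '[:upper:]' '[:lower:]')
    cacert=$(ldap_conf_value "$1" TLS_CACERT)
    cacertdir=$(ldap_conf_value "$1" TLS_CACERTDIR)
    case "$reqcert" in
        never|allow) echo "verification-disabled" ;;
        *)  # an empty value means the default, which is demand
            if [ -n "$cacert" ] || [ -n "$cacertdir" ]; then
                echo "verification-enabled"
            else
                echo "no-cacert"
            fi ;;
    esac
}

# Three constructed configs matching the situations in the thread.
TMP=$(mktemp -d)
NOCA_CONF="$TMP/ldap-noca.conf"     # Jayavant's case: demand, no trust anchor
WEAK_CONF="$TMP/ldap-weak.conf"     # Debian wiki workaround: never verify
FIXED_CONF="$TMP/ldap-fixed.conf"   # trust the self-signed server cert explicitly
printf '%s\n' '#TLS_CACERT /etc/ssl/certs/ca-certificates.crt' 'TLS_REQCERT demand' > "$NOCA_CONF"
printf '%s\n' '#TLS_CACERT /etc/ssl/certs/ca-certificates.crt' 'TLS_REQCERT never'  > "$WEAK_CONF"
printf '%s\n' 'TLS_CACERT /etc/ldap/ca-cert.pem' 'TLS_REQCERT demand'              > "$FIXED_CONF"

for f in "$NOCA_CONF" "$WEAK_CONF" "$FIXED_CONF"; do
    echo "$(basename "$f"): $(ldap_tls_status "$f")"
done
```

The script only reads the file; ldapsearch -x -ZZ against the server remains the end-to-end check that StartTLS and verification actually succeed with the fixed config.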