fedora-directory-users-request(a)redhat.com wrote:
Date: Fri, 09 Dec 2005 12:05:18 -0700
From: Craig White <craigwhite(a)azapple.com>
Just basic stuff...I promise I have been through the wiki and the
Administrator's guide (managing SSL and SASL) several times.
Using openssl generated CA certificate and used that to sign CSR's from
console application and loaded them all into console application. Have
restarted FDS and it seems to be happy - but just to confirm...
MY PROBLEM
# ldapsearch -ZZ '(uid=jim)'
ldap_start_tls: Connect error (-11)
additional info: Start TLS request accepted.Server willing to
negotiate SSL.
# tail -n4 /opt/fedora-ds/slapd-srv1/logs/access
[09/Dec/2005:11:55:26 -0700] conn=83 op=5 fd=68 closed - U1
[09/Dec/2005:12:00:58 -0700] conn=84 fd=68 slot=68 connection from
127.0.0.1 to 127.0.0.1
[09/Dec/2005:12:00:58 -0700] conn=84 op=0 EXT
oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[09/Dec/2005:12:00:58 -0700] conn=84 op=0 RESULT err=0 tag=120
nentries=0 etime=0
[09/Dec/2005:12:00:58 -0700] conn=84 op=-1 fd=68 closed - Encountered
end of file.
# tail -n 7 /etc/openldap/ldap.conf
URI
ldap://srv1.clsurvey.com
HOST
srv1.clsurvey.com
BASE dc=clsurvey,dc=com
TLS_CACERTDIR /etc/ssl
TLS_CACERT server.crt
pam_password md5
TLS_REQCERT allow
My thinking is that this somehow has something to do with the TLS_CACERT
in /etc/openldap/ldap.conf (the certificate for the client).
Please re-read
http://www.openldap.org/doc/admin23/tls.html; it's quite
clear about how to configure the CA cert.
Note that "pam_password" is not an OpenLDAP config keyword.
Would this be the issue?
Is there a better method for creating the client certificate from either
the CA certificate (generated by openssl) or from the FDS Server
Certificate (also generated by openssl)?
Only CA certs may be used to generate other certs. The server cert is
just that, nothing more.
--
-- Howard Chu
Chief Architect, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc
OpenLDAP Core Team
http://www.openldap.org/project/