On Thu, 2009-02-05 at 16:12 +0100, Thorsten Scherf wrote:
On [Thu, 29.01.2009 13:32], John A. Sullivan III wrote:
>Hello, all. This may be a bit off-topic as it is primarily an ldap
>client issue but I am having a bear of a time getting my test centos
>clients to access fds. The problem is tls_checkpeer. I do want it set
>to yes but this breaks access. It is as if the directory server's cert
>cannot be validated against the CA cert. Here are the pertinent
>settings from my centos client ldap.conf (as you can see, I've tried
>many combinations):
>
>uri
ldap://ldap.mycompany.com/
>#host
ldap.mycompany.com
>#ssl on
>ssl start_tls
>#tls_cacertdir /etc/pki/tls/certs
>tls_cacertfile /etc/pki/tls/certs/SSICA.pem
>pam_password md5
>tls_checkpeer yes
>tls_ciphers TLSv1
>
>An strace shows that the SSICA.pem file is opened. Apparently, this is
>a problem in Ubuntu because of a change to gnutls. However, I can
>confirm the combination of uri ldap://, ssl start_tls, and tls_certfile
>rather than tls_certdir work on Ubuntu. My problem is redhat style
>systems.
>
>Our test bed is CentOS 5.2. Does anyone have this working on newer
>redhat based systems? If so, with what configuration? Thanks - John
gnutls has a bug in some ubunto versions. This prevents correct
certificate validation. See here:
https://bugs.launchpad.net/ubuntu/+source/gnutls12/+bug/305264
How did you test access to FDS on Red Hat systems? If you use OpenLDAP
commandline tools like ldapsearch to get access to FDS, you have to run
cacertdir_rehash on the directory where the CA cert is stored. What is
the output from:
# openssl s_client -connect your_host_fqdn:443
(make sure you have the cacert available in ca-bundle.crt)
Happy Day.
Thorsten
<snip>
Bizarre! It works now! I had been trying actual logins to test. I
flushed ncsd countless times. For hours, I could not get it to work.
Now that I've let is sit for a couple of days, I set tls_checkpeer to
yes and LDAP users can login fine.
I did use opessn s_client as you suggested. I added -verify to force CA
validation and changed the port to 636. If I did not supply -CAfile, it
worked and said the CA was self-signed (true) and if I did supply
-CAfile, it worked as well. Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan(a)opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society