Hello!
On Thu, 20 Dec 2007 16:34:03 -0800 Quanah Gibson-Mount quanah@zimbra.com wrote:
Just to note, we use self-signed certs @ Zimbra with OpenLDAP, we force TLS, and it works without a problem. Which is why I know you're incorrect. ;) And I'd hardly look to the gentoo folks as a source of documentation expertise when it comes to OpenLDAP.
OK, then something must be different between our setups...
What I'm doing is that I've generated an X509 self-signed CA certificate and I'm signing all server and client certificates with that CA cert. This CA cert is distributed to all clients' /etc/ssl/certs directory and this way the software packages using openssl usually recognize it and clients are able to validate the server certs and vice versa.
Now this doesn't work with OpenLDAP. It also doesn't work when I set up the CA cert file explicitly instead of just copying it to /etc/ssl/certs like this:
    TLSCACertificateFile /etc/ssl/certs/CA.pem
    TLSCertificateFile /etc/openldap/ssl/ldap-server.crt
    TLSCertificateKeyFile /etc/openldap/ssl/ldap-server.key
And at the clients:
    tls_cacertfile /etc/ssl/certs/CA.pem
    #tls_cacertdir /etc/ssl/certs
    tls_cert /etc/openldap/ssl/ldap-client.crt
    tls_key /etc/openldap/ssl/ldap-client.key
Is this wrong?
I'm not saying I'm an SSL expert, I'm certainly not, nor do I think that the Gentoo people are too much of an expert in terms of OpenLDAP or SSL. I can only tell what my experience shows, and the Gentoo people probably also base their HOWTOs and stuff on their real-world experiences, which is probably the reason why their advice is sometimes rather "unscientific". IMHO people are trying to solve problems in an "unscientific" way when the "scientific" way does not work, is too complicated, is poorly documented, or can hardly be diagnosed because of a lack of logging/debugging output. In such cases I don't think that the problem is only at the user side...
Thanks,
Sab
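Added example, not part of the thread above: the script below rebuilds the layout Sab describes (one self-signed CA, server and client certificates signed by it) with throw-away keys, then checks each certificate against the CA the way OpenSSL does it for the two kinds of directive in play. A file directive (slapd's TLSCACertificateFile, or the client's CA file setting) reads CA.pem directly, while a directory directive (TLSCACertificatePath on the server, tls_cacertdir / TLS_CACERTDIR on clients) only finds a CA through a <subject-hash>.N link, so a CA.pem merely copied into /etc/ssl/certs is invisible to it until c_rehash or an equivalent has run. All names and paths are constructed for the example; the directive spellings are those of slapd.conf and of the OpenLDAP client library (TLS_CACERT, TLS_CACERTDIR, TLS_CERT, TLS_KEY, TLS_REQCERT in libldap's ldap.conf; the lowercase tls_cacertfile form in the mail is the pam_ldap/nss_ldap spelling). Chain validation is all that is checked here; whether the certificate's subject matches the host the client connected to is a separate check that the client performs at connect time.

```shell
#!/bin/sh
# Added example (not from the thread): build the CA layout described in the mail
# with throw-away keys and verify the signed certs the way OpenSSL/libldap would.
set -eu

# build_pki DIR: self-signed CA plus CA-signed server and client certificates,
# and an unhashed copy of the CA in DIR/cadir (the "just copied it there" case).
build_pki() {
    dir=$1
    mkdir -p "$dir/cadir"
    # 1. the self-signed CA certificate and its private key (constructed names)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Private CA" \
        -keyout "$dir/CA.key" -out "$dir/CA.pem" 2>/dev/null
    # 2. one CSR per endpoint, each signed by the CA
    for name in ldap-server ldap-client; do
        openssl req -new -newkey rsa:2048 -nodes \
            -subj "/CN=$name.example.test" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
        openssl x509 -req -days 365 -in "$dir/$name.csr" \
            -CA "$dir/CA.pem" -CAkey "$dir/CA.key" -CAcreateserial \
            -out "$dir/$name.crt" 2>/dev/null
    done
    # 3. CA copied into a directory without a hash link
    cp "$dir/CA.pem" "$dir/cadir/CA.pem"
}

# verify_with_cafile DIR CERT: the chain check a *file* directive performs
# (TLSCACertificateFile / TLS_CACERT pointing at CA.pem). Exit 0 on success.
verify_with_cafile() {
    openssl verify -CAfile "$1/CA.pem" "$1/$2" >/dev/null 2>&1
}

# verify_with_capath DIR CERT: the chain check a *directory* directive performs
# (TLSCACertificatePath / TLS_CACERTDIR). Fails until the directory is hashed.
verify_with_capath() {
    openssl verify -CApath "$1/cadir" "$1/$2" >/dev/null 2>&1
}

# hash_cadir DIR: add the <subject-hash>.0 link that OpenSSL's directory lookup
# needs (what c_rehash / update-ca-certificates do for a system CA directory).
hash_cadir() {
    dir=$1
    hash=$(openssl x509 -hash -noout -in "$dir/cadir/CA.pem")
    ln -sf CA.pem "$dir/cadir/$hash.0"
}

# Usage:
#   build_pki /tmp/pki
#   verify_with_cafile /tmp/pki ldap-server.crt && echo "file directive: OK"
#   verify_with_capath /tmp/pki ldap-server.crt || echo "dir directive: not yet hashed"
#   hash_cadir /tmp/pki && verify_with_capath /tmp/pki ldap-server.crt && echo "dir: OK"
```

Run against a real deployment, replace the generated files with the CA and certificates from the mail's paths; if verify_with_cafile fails, the server certificate was not issued by the CA the clients trust, and if only verify_with_capath fails, the CA directory is missing its hash link.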