So you are saying remove those TLS lines from /etc/openldap/ldap.conf and put them in the ldif file as:
olcTLSCACertificateFile: /etc/openldap/cacerts/wildcard.securesites.com.cert olcTLSCertificateFile: /etc/openldap/cacerts/wildcard.securesites.com.csr olcTLSCertificateKeyFile: /ect/openldap/cacerts/wildcard.securesites.com.key ?
usaims -----Original Message----- From: Dan White [mailto:dwhite@olp.net] Sent: Friday, June 14, 2013 4:05 PM To: Rodney Simioni Cc: openldap-technical@openldap.org Subject: Re: LDAP and TLS
On 06/14/13 15:56 -0400, Rodney Simioni wrote:
I did a 'openssl x509 -in wildcard.securesites.com.cert -text -noout'
I got 'CN=*.securesites.com'
My /etc/openldap/cacerts looks like:
TLS_CACERTDIR /etc/openldap/cacerts TLS_CACERT /etc/openldap/cacerts/wildcard.securesites.com.cert URI ldap://fl1-lsh99apa007.securesites.com/ BASE dc=wh,dc=local
That looks like an ldap.conf file. Your certificate should be configured within your slapd config and not your client config, unless it is a self signed certificate.
See the manpage for slapd.conf or slapd-config, and the Admin Guide for the appropriate TLS config.
But when I do a ' ldapsearch -d -1 -x -LLL -ZZ', I get:
ldap_create ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP fl1-lsh99apa007.securesites.com:389 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 10.227.2.90:389 ldap_pvt_connect: fd: 3 tm: -1 async: 0 ldap_close_socket: 3 ldap_err2string ldap_start_tls: Can't contact LDAP server (-1)
-----Original Message----- From: Dan White [mailto:dwhite@olp.net] Sent: Friday, June 14, 2013 3:45 PM To: Rodney Simioni Cc: openldap-technical@openldap.org Subject: Re: LDAP and TLS
On 06/14/13 14:42 -0400, Rodney Simioni wrote:
Hi,
In order to for LDAP to work with TLS, does the certificate names need to match the server name?
My admin gave me a certificate but it's called wildcard.com.cert, the name of my server is not 'wildcard'.
Analyze the contents of the cert and verify the CN is really '*.example.com':
openssl x509 -in wildcard.com.cert -text -noout
If so, then your LDAP clients probably will accept it as a valid certificate (this typically works for web browsers), but your mileage may vary.
We have worked with a wild card certificate provider before. In addition to offering a *.example.com cert, they may also offer a certain number of tertiary certificates (e.g. ldap.example.com) priced in with the wild card cert.
-- Dan White
This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio Inc. makes no warranty that this email is error or virus free. Thank you.