Hi,
In order for LDAP to work with TLS, does the certificate name need to match the server name?
My admin gave me a certificate but it's called wildcard.com.cert, the name of my server is not 'wildcard'.
usaims
This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio Inc. makes no warranty that this email is error or virus free. Thank you.
Yes
On Jun 14, 2013, at 3:06 PM, "Rodney Simioni" rodney.simioni@verio.net wrote:
On 06/14/13 14:42 -0400, Rodney Simioni wrote:
Analyze the contents of the cert and verify the CN is really '*.example.com':
openssl x509 -in wildcard.com.cert -text -noout
If so, then your LDAP clients probably will accept it as a valid certificate (this typically works for web browsers), but your mileage may vary.
We have worked with a wildcard certificate provider before. In addition to offering a *.example.com cert, they may also offer a certain number of tertiary certificates (e.g. ldap.example.com) priced in with the wildcard cert.
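A mechanical version of the check Dan describes, added here as an example and not part of the thread. A TLS client such as libldap (the library behind ldapsearch) compares the server's hostname against the certificate's subjectAltName DNS entries and falls back to the subject CN only when the certificate has no SAN; a wildcard covers exactly one DNS label, so *.securesites.com covers fl1-lsh99apa007.securesites.com but not securesites.com itself or a.b.securesites.com. The script builds its own self-signed wildcard certificate (a constructed stand-in for the admin's file, not the real one) and assumes openssl 1.1.1 or newer for -addext; cert_names, name_matches and cert_covers_host are helper names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread: does a certificate's name cover an LDAP
# server's hostname the way a TLS client decides it? SAN dNSName entries are
# consulted first, the subject CN only as a legacy fallback, and a wildcard
# covers exactly one leftmost label.
# Assumes openssl >= 1.1.1 (for -addext); the certificate below is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed self-signed wildcard cert with the thread's name in CN and SAN.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/wildcard.key" -out "$WORK/wildcard.cert" \
    -subj "/CN=*.securesites.com" \
    -addext "subjectAltName=DNS:*.securesites.com" >/dev/null 2>&1

# Print the DNS names a verifier considers, one per line: SAN dNSName entries
# if the cert has a SAN, otherwise the subject CN.
cert_names() {
    san=$(openssl x509 -in "$1" -noout -text \
          | sed -n '/Subject Alternative Name/{n;p;}' \
          | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p')
    if [ -n "$san" ]; then
        printf '%s\n' "$san"
    else
        openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
          | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    fi
}

# 0 if certificate name $1 (possibly *.example.com) covers hostname $2, else 1.
name_matches() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $pattern in
        \*.*)
            # *.securesites.com covers ldap.securesites.com, but neither
            # securesites.com itself nor a.b.securesites.com.
            suffix=${pattern#\*}            # ".securesites.com"
            label=${host%%.*}               # leftmost label of the host
            [ -n "$label" ] && [ "$host" = "$label$suffix" ] ;;
        *)
            [ "$pattern" = "$host" ] ;;
    esac
}

# 0 if any name in certificate $1 covers hostname $2, else 1.
cert_covers_host() {
    set -f                                  # names contain '*': no globbing
    for n in $(cert_names "$1"); do
        if name_matches "$n" "$2"; then set +f; return 0; fi
    done
    set +f
    return 1
}

# The thread's case: a *.securesites.com cert on fl1-lsh99apa007.securesites.com.
for h in fl1-lsh99apa007.securesites.com securesites.com a.b.securesites.com; do
    if cert_covers_host "$WORK/wildcard.cert" "$h"; then
        echo "$h: covered by $(cert_names "$WORK/wildcard.cert")"
    else
        echo "$h: NOT covered"
    fi
done
```

Point cert_covers_host at the real certificate and at the hostname from the URI line of ldap.conf; with TLS_REQCERT left at its default of demand, a name that does not match fails the StartTLS handshake on the client side.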
I did a 'openssl x509 -in wildcard.securesites.com.cert -text -noout'
I got 'CN=*.securesites.com'
My /etc/openldap/cacerts looks like:
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts/wildcard.securesites.com.cert
URI ldap://fl1-lsh99apa007.securesites.com/
BASE dc=wh,dc=local
But when I do a 'ldapsearch -d -1 -x -LLL -ZZ', I get:
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP fl1-lsh99apa007.securesites.com:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.227.2.90:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_close_socket: 3
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)
On 06/14/13 15:56 -0400, Rodney Simioni wrote:
That looks like an ldap.conf file. Your certificate should be configured within your slapd config and not your client config, unless it is a self signed certificate.
See the manpage for slapd.conf or slapd-config, and the Admin Guide for the appropriate TLS config.
So you are saying remove those TLS lines from /etc/openldap/ldap.conf and put them in the LDIF file as follows?
olcTLSCACertificateFile: /etc/openldap/cacerts/wildcard.securesites.com.cert
olcTLSCertificateFile: /etc/openldap/cacerts/wildcard.securesites.com.csr
olcTLSCertificateKeyFile: /etc/openldap/cacerts/wildcard.securesites.com.key
usaims
On 06/14/13 16:28 -0400, Rodney Simioni wrote:
Please consult the documentation, and a primer on TLS. Your olcTLSCACertificateFile line probably shouldn't be there. The other two look reasonable.
You would only specify the CA file if your wildcard file contains the root CA chain. Otherwise it is advisable to download your root CA chain file and specify it with the olcTLSCACertificateFile directive. To clarify: your certificate file is NOT a CA file. The CA files are the root files you get from your issuing Certificate Authority.
On Fri, Jun 14, 2013 at 3:44 PM, Dan White dwhite@olp.net wrote:
-- Dan White
BTC Broadband Network Admin Lead
Ph 918.366.0248 (direct) main: (918)366-8000 Fax 918.366.6610
email: dwhite@olp.net http://www.btcbroadband.com
There is no need to specify the CSR file:
olcTLSCertificateFile: /etc/openldap/cacerts/wildcard.securesites.com.csr
A CSR is only used to obtain the certificate; specify your certificate in the olcTLSCertificateFile attribute.
Thanks
Vishesh Kumar
http://www.linuxmantra.com/
On Sat, Jun 15, 2013 at 6:52 PM, Jason Brandt jbrandt@fsmail.bradley.eduwrote:
-- Jason K. Brandt Systems Administrator Bradley University (309) 677-2958
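The advice from Dan, Jason and Vishesh above, turned into a pre-flight script; this is an added example, not code from the thread or from OpenLDAP. It constructs a toy CA and a CA-signed *.securesites.com server certificate (every file, name and path in it is made up), then checks what each olcTLS* attribute expects before emitting the cn=config LDIF: olcTLSCACertificateFile must hold CA certificates (the chain from the issuing CA, not the server cert), olcTLSCertificateFile must be the issued certificate (not the .csr), and olcTLSCertificateKeyFile must be the private key that certificate was issued for. It assumes openssl is installed; is_ca_cert, is_csr, key_matches_cert, chain_verifies, preflight and ldif_for are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight the three files before they
# go into olcTLSCACertificateFile, olcTLSCertificateFile and
# olcTLSCertificateKeyFile. Assumes openssl is installed; the CA, server
# certificate, names and paths below are all constructed for the example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed PKI: a toy CA and a wildcard server certificate signed by it.
cat >openssl.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.securesites.com
EOF
openssl req -x509 -config openssl.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 1 -keyout ca.key -out ca.cert -subj "/CN=Example Test CA" 2>/dev/null
openssl req -new -config openssl.cnf -newkey rsa:2048 -nodes \
    -keyout wildcard.key -out wildcard.csr -subj "/CN=*.securesites.com" 2>/dev/null
openssl x509 -req -in wildcard.csr -CA ca.cert -CAkey ca.key -CAcreateserial \
    -days 1 -extfile openssl.cnf -extensions v3_server -out wildcard.cert 2>/dev/null

# A CA file must hold CA:TRUE certificates; the server cert must not be one.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# A CSR is a request, not a certificate (the thread's .csr mistake).
is_csr() {
    grep -q 'BEGIN CERTIFICATE REQUEST' "$1"
}

# The key must be the one the certificate was issued for: compare public keys.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# The server cert must chain to the CA file that clients will be handed.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if (ca, cert, key) are what the three olcTLS* attributes expect, else 1.
preflight() {
    ca=$1 cert=$2 key=$3 rc=0
    if ! is_ca_cert "$ca"; then
        echo "$ca: not a CA certificate (is this the server cert?)"; rc=1
    fi
    if is_csr "$cert"; then
        echo "$cert: is a CSR, not a certificate"; rc=1
    elif is_ca_cert "$cert"; then
        echo "$cert: is a CA certificate, not the server certificate"; rc=1
    fi
    if [ $rc -eq 0 ] && ! key_matches_cert "$cert" "$key"; then
        echo "$key: does not match $cert"; rc=1
    fi
    if [ $rc -eq 0 ] && ! chain_verifies "$ca" "$cert"; then
        echo "$cert: does not chain to $ca"; rc=1
    fi
    return $rc
}

# The cn=config modification to apply once preflight passes.
ldif_for() {
    printf 'dn: cn=config\nchangetype: modify\n'
    printf 'replace: olcTLSCACertificateFile\nolcTLSCACertificateFile: %s\n-\n' "$1"
    printf 'replace: olcTLSCertificateFile\nolcTLSCertificateFile: %s\n-\n' "$2"
    printf 'replace: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: %s\n' "$3"
}

# Demonstration: the thread's two mistakes, then the correct triple.
echo "--- CA attribute pointed at the server certificate:"
preflight wildcard.cert wildcard.cert wildcard.key || true
echo "--- certificate attribute pointed at the CSR:"
preflight ca.cert wildcard.csr wildcard.key || true
echo "--- correct files:"
preflight ca.cert wildcard.cert wildcard.key \
    && ldif_for "$PWD/ca.cert" "$PWD/wildcard.cert" "$PWD/wildcard.key"
```

Once preflight passes on the real files, pipe the ldif_for output into ldapmodify -Y EXTERNAL -H ldapi:/// on the server. On the client side, TLS_CACERT in ldap.conf should point at the same CA chain file, not at the server certificate, which is the distinction Dan drew about the ldap.conf lines unless the certificate is self-signed.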
openldap-technical@openldap.org