Hi, I am trying to configure an LDAP client/server on 2 Fedora-10 Linux machines.
I have installed and configured openldap-2.4.26 server on one machine and pam_ldap-186, nss_ldap-265 on the other machine.
I have created the TLS certificates using the following command on the server.
openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650
and I have created the client.pem by copying the CERTIFICATE portion of the server.pem.
When my client tries to connect to the server I get the following errors.
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
connection_read(12): TLS accept failure error=-1 id=1012, closing
connection_closing: readying conn=1012 sd=12 for close
connection_close: conn=1012 sd=12
daemon: removing 12
conn=1012 fd=12 closed (TLS negotiation failure)
My configurations are as follows.
slapd.conf
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to * by * read
#TLS Certificate section
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificateFile /etc/openldap/cacerts/server.pem
TLSCertificateFile /etc/openldap/cacerts/server.pem
TLSCertificateKeyFile /etc/openldap/cacerts/server.pem
TLSVerifyClient allow
and client side ldap.conf
base dc=samsung,dc=com
uri ldaps://10.254.204.181/
TLS_CACERT /etc/openldap/cacerts/client.pem
pam_password md5
nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
netgroup: files ldap
automount: files ldap
I do not understand why it says "unknown CA" even though the certificate was created on the server machine itself.
Kindly help me to solve this problem.
Hi,
Did you provide the FQDN, e.g. server1.example.com, in the common name section while creating the certificate?
Hope the permissions of the files are also correct.
Regards, Neo
On Fri, Sep 16, 2011 at 9:57 AM, vijay s sheelavantar < s_vijay65@rediffmail.com> wrote:
[...]
On Friday, 16 September 2011 09:57:14 vijay s sheelavantar wrote:
I have created the (self-signed) TLS certificates using the following command on the server.
openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650
and I have created the client.pem by copying the CERTIFICATE portion of the server.pem.
When my client tries to connect to the server I get the following errors.
TLS trace: SSL3 alert read:fatal:unknown CA
This error is quite clear, surely you should know what the problem is?
[...]
#TLS Certificate section TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA TLSCACertificateFile /etc/openldap/cacerts/server.pem TLSCertificateFile /etc/openldap/cacerts/server.pem TLSCertificateKeyFile /etc/openldap/cacerts/server.pem TLSVerifyClient allow
and client side ldap.conf
base dc=samsung,dc=com uri ldaps://10.254.204.181/ TLS_CACERT /etc/openldap/cacerts/client.pem pam_password md5
1) You may want to consider keeping your /etc/ldap.conf and /etc/openldap/ldap.conf separate, otherwise you may run into problems (such as TLS_CACERT vs tls_cacertfile). Please consult 'man ldap.conf', 'man pam_ldap', and 'man nss_ldap'.
2) The client needs to have the CA certificate; since you are using a self-signed certificate (and really, you should reconsider this if you are doing anything but a single-server single-client setup), that would be the certificate 'server.pem' (you didn't say what is in client.pem, but according to the error message, either (1) is your problem, or client.pem is not the self-signed certificate you generated above).
3) Once you get past the 'unknown CA' problem, most likely your next problem will be caused by using the IP address in uri.
Please, think about what your browser does when checking certificates presented by servers when you visit https URLs, everything that applies there applies here.
Regards, Buchan
On 11-09-16 3:57 AM, vijay s sheelavantar wrote:
[...]
You may try this:
cd /etc/openldap/cacerts/
ln -s client.pem `openssl x509 -noout -hash -in client.pem`.0
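The following script is an added example, not code from anyone in this thread: it reproduces Buchan's points 2 and 3 (a self-signed server certificate must itself be the client's TLS_CACERT, and a certificate issued for a hostname does not verify against an IP-address uri) and the hash-linked cacerts directory from the last reply, using only openssl, offline. The hostnames ldap.example.com and other.example.com are constructed, and OpenSSL 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "unknown CA" and
# name-mismatch failures discussed above using only openssl, offline.
# Hostnames are constructed; needs OpenSSL 1.1.1 or newer.

# Self-signed server certificate as in the original post, but with the FQDN
# in the CN and in a subjectAltName. Key is written to $1.key, cert to $1.
make_selfsigned() {                          # $1 = cert path, $2 = FQDN
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" -keyout "$1.key" -out "$1" 2>/dev/null
}

# What the client's TLS_CACERT must do: vouch for the server certificate.
# The default CA file/directory are not consulted, like a client with one
# TLS_CACERT. Exit 0 = chain OK; non-zero = the "unknown CA" alert.
client_trusts() {                            # $1 = CA file, $2 = server cert
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Same check plus the name the client connected with (Buchan's point 3):
# $3/$4 = "-verify_hostname ldap.example.com" or "-verify_ip 10.254.204.181".
client_trusts_name() {                       # $1 = CA file, $2 = cert
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$3" "$4" "$2" >/dev/null 2>&1
}

# Hash-link a CA cert into a TLS_CACERTDIR directory, as the last reply does
# ("-hash" there is the older name for "-subject_hash"). Copies instead of ln -s.
install_cacert_dir() {                       # $1 = CA file, $2 = directory
    mkdir -p "$2" &&
    cp "$1" "$2/$(openssl x509 -noout -subject_hash -in "$1").0"
}

demo() {
    work=$(mktemp -d)
    make_selfsigned "$work/server.pem" ldap.example.com
    make_selfsigned "$work/other.pem"  other.example.com
    # client.pem = the CERTIFICATE portion of server.pem, as the poster did
    openssl x509 -in "$work/server.pem" -out "$work/client.pem"
    client_trusts "$work/client.pem" "$work/server.pem" && echo "own cert as CA: OK"
    client_trusts "$work/other.pem"  "$work/server.pem" || echo "unrelated cert as CA: unknown CA"
    client_trusts_name "$work/client.pem" "$work/server.pem" -verify_hostname ldap.example.com \
        && echo "uri ldaps://ldap.example.com/: OK"
    client_trusts_name "$work/client.pem" "$work/server.pem" -verify_ip 10.254.204.181 \
        || echo "uri ldaps://10.254.204.181/: IP address mismatch"
    install_cacert_dir "$work/client.pem" "$work/cacerts"
    openssl verify -no-CAfile -no-CApath -CApath "$work/cacerts" "$work/server.pem"
    rm -rf "$work"
}
demo
```

The two negative cases print exactly the failures the thread discusses: an unrelated certificate in TLS_CACERT gives the unknown-CA alert, and a valid chain still fails when the uri names the IP address rather than the FQDN in the certificate.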
openldap-technical@openldap.org