Hi There,
I use self-signed certificates with OpenLDAP, and everything works fine. Check below for the commands I used to create this certificate.
===> Self-signed certificate generation (I am using RHAS 4 Up6)
cd /usr/share/ssl
rm -fr demoCA
/usr/share/ssl/misc/CA -newca
openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
/usr/share/ssl/misc/CA -sign
===> putting the certificate files in the correct place
cp demoCA/cacert.pem /etc/openldap/cacerts/cacert.pem
cp newcert.pem /etc/openldap/cacerts/servercrt.pem
cp newreq.pem /etc/openldap/cacerts/serverkey.pem
chmod 0400 /etc/openldap/cacerts/serverkey.pem
chown -R ldap:ldap /etc/openldap/cacerts
/etc/init.d/ldap restart
===> putting the public certificate file on the ldap client machines
scp /etc/openldap/cacerts/cacert.pem root@<ip_client>:/etc/openldap/cacerts/.
And set the correct path in the ldap config files (on the ldap client machine).
When generating the certificate file, be sure to put the output of "hostname -f" in the hostname field. You can try using localhost too.
I hope it helps you
---
Gustavo Mendes de Carvalho
email: gmcarvalho@gmail.com
Date: Mon, 28 Jul 2008 09:20:23 +0200
From: Buchan Milne bgmilne@staff.telkomsa.net
Subject: Re: Client says Can't contact LDAP server, but it can!
To: openldap-technical@openldap.org
Cc: John Oliver joliver@john-oliver.net
Message-ID: 200807280920.33142.bgmilne@staff.telkomsa.net
Content-Type: text/plain; charset="iso-8859-1"
On Friday 25 July 2008 17:16:12 John Oliver wrote:
On Fri, Jul 25, 2008 at 10:20:55AM +0200, Buchan Milne wrote:
On Friday 25 July 2008 01:13:37 John Oliver wrote:
On Thu, Jul 24, 2008 at 04:04:10PM -0700, Quanah Gibson-Mount wrote:
Any client will need to know about the CA that signed your self-signed cert.
I created my certificate with:
openssl req -new -x509 -nodes -out /etc/ssl/ldap.pem -keyout /etc/openldap/ssl/ldap.pem -days 3650
In slapd.conf I have:
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
TLSCACertificateFile /etc/ssl/ldap.pem
What do I need to do differently?
Configure the *client* ???
The clients work perfectly with the working server. Why would they have to have a different configuration to talk to the backup LDAP server?
They don't necessarily need a different configuration, but it being valid for one server doesn't guarantee it will be valid for another server, especially when it comes to ssl, certificate validation etc.
At the moment, I'm far more interested in getting the second LDAP server working than I am in having perfect security.
Then it's easy, turn off SSL.
If you don't want to do that, turn off certificate validation. It's better than exposing keys.
Or, ensure that the "CA certificate" that the clients use contains the certificates of the issuer of both of the server certificates, and that the value of the subject CN on both certificates matches the name you use to connect to the servers.
Regards, Buchan
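The two pieces of advice in this thread (Gustavo's "create a CA, sign the server cert with it, copy the CA cert to the clients" and Buchan's "the client's CA file must contain the issuer of every server cert, and the subject CN must match the name you connect to") can be checked offline with plain openssl. The script below is an added example, not code posted by either of them: it builds two made-up self-signed CAs, signs one server certificate with each, and uses `openssl verify -CAfile` (the same check an ldap client performs against the file named by TLS_CACERT / TLSCACertificateFile) to show that a CA file holding only one issuer rejects the other server, while a concatenated file holding both issuers accepts both. The hostnames ldap1.example.com and ldap2.example.com and the CA names are assumptions; everything is written to a temporary directory and nothing is installed.

```shell
#!/bin/sh
# Added example, not code from the thread. The CA names and the hostnames
# ldap1.example.com / ldap2.example.com are made up. Two independent
# self-signed CAs each sign one server certificate; a client validating
# against a CA file with only one issuer rejects the other server, while a
# CA file holding both issuers accepts both. The subject CN is then compared
# with the name a client would use to connect.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA cert and key at $WORK/NAME-ca.pem / NAME-ca.key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=$1 CA" \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" 2>/dev/null
}

# make_server_cert CANAME FQDN: CSR with CN=FQDN, signed by that CA,
# certificate written to $WORK/FQDN.pem (private key in $WORK/FQDN.key)
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$2.csr" \
    -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
    -out "$WORK/$2.pem" 2>/dev/null
}

# verify_chain CAFILE CERT: succeeds only if CERT chains to a CA in CAFILE,
# i.e. the check an ldap client does with the file named by TLS_CACERT
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_cn CERT: print the subject CN of CERT
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# demo: returns 0 only when every expectation below holds
demo() {
  make_ca primary || return 1
  make_ca backup || return 1
  make_server_cert primary ldap1.example.com || return 1
  make_server_cert backup ldap2.example.com || return 1

  # client trusting only the primary CA: primary server ok, backup rejected
  verify_chain "$WORK/primary-ca.pem" "$WORK/ldap1.example.com.pem" || return 1
  if verify_chain "$WORK/primary-ca.pem" "$WORK/ldap2.example.com.pem"; then
    return 1
  fi

  # CA file containing both issuers (what the clients should get): both ok
  cat "$WORK/primary-ca.pem" "$WORK/backup-ca.pem" > "$WORK/cacerts.pem"
  verify_chain "$WORK/cacerts.pem" "$WORK/ldap1.example.com.pem" || return 1
  verify_chain "$WORK/cacerts.pem" "$WORK/ldap2.example.com.pem" || return 1

  # the CN must equal the name used to connect; "localhost" would not match
  [ "$(cert_cn "$WORK/ldap2.example.com.pem")" = ldap2.example.com ] || return 1
  [ "$(cert_cn "$WORK/ldap2.example.com.pem")" != localhost ] || return 1
}

demo && echo "chain and CN checks behaved as expected"
```

The concatenated cacerts.pem is the file to copy to each client (Gustavo's scp step) and to name in the client's ldap.conf; a server certificate whose CN is "localhost" or a short hostname will pass the chain check but still fail the name check when the client connects by FQDN, which is why the thread insists on the `hostname -f` value in the CN.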