On Wed, 2016-04-06 at 12:03 +0000, warron.french@gmail.com wrote:
> Good morning Mr. Brown,
>
> Here is the results of your first query; executing the certutil command as you
> presented it (with adding my instance):
> certutil -L -d /etc/dirsrv/slapd-E2WAN/
>
> Certificate Nickname Trust Attributes
> SSL,S/MIME,JAR/XPI
>
> wsf-LabCA.lab.aero.org CT,,
> wsf-LabLDAP.crt u,u,u
>
> /////////
> Here is the answer to your question about a CA referenced in my
> /etc/openldap/ldap.conf; I executed:
> root@wsf-LabLDAP:~> cat /etc/openldap/ldap.conf
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> #BASE dc=example,dc=com
> #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
>
> #SIZELIMIT 12
> #TIMELIMIT 15
> #DEREF never
>
>
> TLS_CACERTDIR /etc/openldap/cacerts
> URI ldaps://wsf-LabLDAP.lab.aero.org/
> BASE dc=lab,dc=aero,dc=org
>
> MY QUESTION is why do I need to reference anything with OpenLDAP, if I am using
> 389-ds, is it simply a place to put things without creating a separate
> directory structure? I do not know if my CA certificate is in the correct
> place; perhaps it is not because I knew I wasn't using OpenLDAP, I am using
> 389-ds, and I didn't understand the implementation steps properly and so I 'did
> it my way.'
389-ds is the server component.
However, the ldapsearch utility comes from openldap and has it's OWN ca store.
This is why you need to configure both parts.
>
> I store my certs up under /etc/pki/CA/certs; as shown below:
> root@wsf-LabLDAP:/etc/pki/CA/certs> ls
> wsf-LabCA.crt wsf-LabLDAP-AdminServer.crt wsf-LabLDAP.crt
>
> I am running CentOS-6.6; can I still get support here in this website?
>
> Mr. Brown, I can produce the output of an ldapsearch command and something that
> I believe confirms your suspicion; but I don't know what to do to fix the
> problem (in my VMs or on my REAL server). Here is the ldapsearch I executed
> and the results:
> root@wsf-LabLDAP:/> ldapsearch -d 5 -x -L -b 'dc=lab,dc=aero,dc=org'
> ldap_create
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP wsf-LabLDAP.lab.aero.org:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 192.168.2.243:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> attempting to connect:
> connect success
> TLS: certdb config: configDir='/etc/openldap/cacerts'
> tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
> TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11
> error.
> TLS: loaded CA certificate file /etc/openldap/cacerts/415ee41f.0 from CA
> certificate directory /etc/openldap/cacerts.
> TLS: skipping 'authconfig_downloaded.pem' - filename does not have expected
> format (certificate hash with numeric suffix)
> TLS: certificate [CN=wsf-
> LabLDAP.lab.aero.org,OU=Aerospace,O=Aerospace,L=Chantilly,ST=Virginia,C=US] is
> not valid - error -8181:Peer's Certificate has expired..
> TLS: error: connect - force handshake failure: errno 0 - moznss error -8157
> TLS: can't connect: TLS error -8157:Certificate extension not found..
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> Can you please lead me down the path of solving this? I noticed you are a Red
> Hat Software Engineer; I hope that means you will still be able to support me
> on CentOS (but I guess RedHat owns CentOS now).
>
This is a public mailing list, so my corporate affiliation means little in terms
of whether I help you or not!
For this, it looks like it's not able to find the ca. Look at these lines:
TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11
> error.> TLS: loaded CA certificate file /etc/openldap/cacerts/415ee41f.0 from
CA
> certificate directory /etc/openldap/cacerts.> TLS: skipping
'authconfig_downloaded.pem' - filename does not have expected
> format (certificate hash with numeric suffix)> TLS: certificate [CN=wsf-
> LabLDAP.lab.aero.org,OU=Aerospace,O=Aerospace,L=Chantilly,ST=Virginia,C=US] is
> not valid - error -8181:Peer's Certificate has expired..
So you should take the current CA cert from the slapd instance:
certutil -L -d /etc/dirsrv/slapd-E2WAN/ -n wsf-LabCA.lab.aero.org -a >
/etc/openldap/cacerts/wsf-LabCA.lab.aero.org.pem
Then you can make these valid for openldap to use:
cd /etc/openldap/cacerts
cacertdir_rehash
This will recreate the hash -> cert symlinks.
From there, re-run your ldap search command:
ldapsearch -d 5 -x -L -b 'dc=lab,dc=aero,dc=org'
If you still fail with:
not valid - error -8181:Peer's Certificate has expired..>
You have bigger problems than ldap.
Otherwise, I hope this works for you.
--
Sincerely,
William Brown
Software Engineer
Red Hat, Brisbane
No comments:
Post a Comment