Tuesday, April 12, 2016

[389-users] Re: Create 389 directory server secure connections

On Wed, 2016-04-13 at 01:45 +0000, xinhuan zheng wrote:
> Hello Mr. Brown,
>
> I found that the procedure you give me is part of my problem. I ended up with
> running remove-ds-admin.pl command then re-create my directory server instance
> and admin server instance. Luckily I kept answers file and ldif data. I also
> re-run the setupssl2.sh script. Since this time I didn't mess up with
> environment variables, it did go through successfully.

You should not have needed to do that. 

> I also did go through your procedure, and successfully run the ldapsearch
> command. However, how do I know "ldapsearch -x -L -b 'dc=christianbook,dc=com'"
> uses secure connection or not? I tail my access log, and it shows something
> like below:



>
> [12/Apr/2016:21:24:47 -0400] conn=46 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
> name="startTLS"
> [12/Apr/2016:21:24:47 -0400] conn=46 op=0 RESULT err=0 tag=120 nentries=0
> etime=0
> [12/Apr/2016:21:24:47 -0400] conn=46 op=-1 fd=64 closed - Peer does not
> recognize and trust the CA that issued your certificate.
> [12/Apr/2016:21:26:46 -0400] conn=47 fd=64 slot=64 connection from ::1 to ::1
> [12/Apr/2016:21:26:46 -0400] conn=47 op=0 BIND dn="" method=128 version=3
> [12/Apr/2016:21:26:46 -0400] conn=47 op=0 RESULT err=0 tag=97 nentries=0
> etime=0 dn=""
> [12/Apr/2016:21:26:46 -0400] conn=47 op=1 SRCH base="dc=christianbook,dc=com"
> scope=2 filter="(objectClass=*)" attrs=ALL
> [12/Apr/2016:21:26:46 -0400] conn=47 op=1 RESULT err=0 tag=101 nentries=103
> etime=0 notes=U
> [12/Apr/2016:21:26:46 -0400] conn=47 op=2 UNBIND
> [12/Apr/2016:21:26:46 -0400] conn=47 op=2 fd=64 closed - U1
>
> It did say "Peer does not recognize and trust the CA that issued your
> certificate." However, it did return 103 entries for the ldapsearch. I don't
> understand that. Is the secure connection successfully established or is it
> actually failed back to non-secure connection?

If you look in the ldap client config, /etc/openldap/ldap.conf, you likely have
TLS_REQCERT set to NEVER or ALLOW. This means it checks the CA, but will not fail
on an verification failure.

So it is a "secure" connection, but the client hasn't validated the CA.

>
> Thanks,
> - xinhuan
> --
> 389 users mailing list
> 389-users@%(host_name)s
> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org

--
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)