Thursday, July 3, 2014

[389-users] encryption and self signed certs

I'm suddenly stumped by self-signed certs.

I used the setupssl2.sh script to generate my certs and install them into
my ldap. I end up with this --

# certutil -L -d .

Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI

CA certificate CTu,u,u
Server-Cert u,u,u


getent is able to see my ldap accounts and ldapsearch -ZZ returns
successfully. But I can't authenticate successfully unless I add
TLS_ReqCert allow to my ldap configs on my client. But what is weird is I
*know* that this has worked in the past.

LDAP server:

389-ds-base-1.2.11.25-1.el6.x86_64
OS 2.6.39-300.26.1.el6uek.x86_64 6.5 (Santiago)

Client:

OS 2.6.39-300.26.1.el6uek.x86_64
openssl-1.0.1e-16.el6_5.14.x86_64
nscd-2.12-1.80.el6_3.7.x86_64
nss-pam-ldapd-0.7.5-15.el6_3.2.x86_64
nss-3.13.6-2.0.1.el6_3.x86_64
openssh-5.3p1-94.el6.x86_64


When I try to authenticate I get this error message:
Jul 3 13:03:03 myserver nslcd[21796]: [495cff] ldap_result() failed:
Can't contact LDAP server

Googling this it looks like it doesn't trust my CA. But I *KNOW* that
this has worked in the past. But we have patched our clients recently and
have newer release of openssl. Does anyone have any idea of how I can get
past this?

thanks,
EJ


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

No comments:

Post a Comment