[SLE] openldap and tls

From: HK (thelistbox_at_yahoo.com)
Date: 02/23/05

  • Next message: Jeffrey L. Taylor: "Re: [SLE] Alternative to lm_sensors?"
    Date: Tue, 22 Feb 2005 22:26:35 -0800 (PST)
    To: suse-linux-e@suse.com
    
    

    Has anyone gotten this to work? I've spent _HOURS_ over several days trying.

    SuSE 9.2 PRO
    openldap 2.2.15-5.2
    openssl 0.9.7d-25

    Create my own CA key and self signed cert.
    Create key and cert for ldap.server.net.
    This matches hostname -f
    Sign ldap.server.net.pem cert with CA cert.
    Use openssl verify to check ldap.server.net.pem against ca.pem. OK.

    Add the following to /etc/openldap/slapd.conf:
    TLSACACertificateFile /etc/openldap/certs/ca.pem
    TLSCertificateFile /etc/openldap/certs/ldap.server.net.pem
    TLSCertificateKeyFile /etc/openldap/keys/ldap.server.net.key

    Add the following to /etc/openldap/ldap.conf
    TLS_CACERT /etc/openldap/certs/ca.pem

    try to start slapd with:
    slapd -d 1
    errors are:
    TLS: private key mismatch
    TLS: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
    main: TLS init def ctx failed: -1

    slapd starts as long as either TLSACACertificateFile or TLSCertificateKeyFile is
    commented out in slapd.conf.

    I've made sure ldap is owner and group of /etc/openldap/certs and
    /etc/openldap/keys.

    Have gone through the key and cert creation process several times for CA and server.
    Since the server cert verifies OK - maybe I have something wrong with the server key
    or in a config file somewhere.
    But what or where?

    Any suggestions would be greatly appreciated.


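An added check script (not the poster's own, nor from the OpenLDAP project) that runs the three tests behind the errors above on constructed files: chain verification against the CA, the public key in the cert against the one derived from the private key (the condition slapd reports as "TLS: private key mismatch"), and the subject CN against the name clients resolve. Directory and file names are assumptions; it needs only the openssl CLI, and it assumes the slapd.conf directive is spelled as in the manual, TLSCACertificateFile.

```shell
#!/bin/sh
# Added example, not code from the original post. All paths are assumptions;
# make_test_pki builds a throwaway CA and server cert so the script runs stand-alone.
set -u

# Constructed test data: CA, server key/cert signed by the CA, plus an unrelated key.
make_test_pki() {                      # $1 = work directory, $2 = server hostname
  d=$1; host=$2
  openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$d/ca.key" -subj "/CN=Test CA" -days 1 \
    -out "$d/ca.pem" 2>/dev/null
  openssl genrsa -out "$d/server.key" 2048 2>/dev/null
  openssl req -new -key "$d/server.key" -subj "/CN=$host" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/server.pem" 2>/dev/null
  openssl genrsa -out "$d/wrong.key" 2048 2>/dev/null   # for the mismatch case
}

# ldap_tls_check CERT KEY CAFILE HOSTNAME
# Prints "ok" and returns 0 when the three files form a set slapd can load.
ldap_tls_check() {
  cert=$1; key=$2; ca=$3; host=$4
  # 1. Chain: the same test the poster ran with openssl verify.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "chain: FAIL"; return 1; }
  # 2. Key/cert pairing: the public key inside the cert must equal the public key
  #    derived from the private key. This is what SSL_CTX_check_private_key tests.
  c=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null)
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ] || { echo "key/cert: MISMATCH"; return 2; }
  # 3. Subject CN must be the name clients connect to (hostname -f on the server).
  openssl x509 -noout -subject -in "$cert" | grep -q "CN *= *$host" \
    || { echo "subject: CN != $host"; return 3; }
  echo "ok"
}
```

Run it as the ldap user against the real /etc/openldap/certs and /etc/openldap/keys files, so that an unreadable key surfaces here as a "key/cert: MISMATCH" rather than only at slapd start.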
