Thread: LDAP/TLS Blues

  1. #1
    Join Date
    Jul 2008
    Location
    Australia
    Posts
    43

    LDAP/TLS Blues

    I've been setting up a new 12.3 system. I've been trying to configure LDAP/TLS and there's always something wrong.


    1. I use CAcert as a certificate authority for my domain name. I've installed the CAcert root certificates and have my current server certificate.
    2. I've used openssl to make a PKCS12 certificate out of the CAcert root certificate and imported it as a common server certificate. It imports OK and shows the correct information.
    3. I've added the CAcert root certificate as a certificate authority in the CA management screens
    4. I try to enable TLS using the yast LDAP server screens. The use common certificate box is greyed out and I can't enable it, even though I've installed the certificate.
    5. If I manually set up the authority and server certificate, I can no longer start LDAP. It fails with an error of "TLS init def ctx failed: -1" and stops. The only way to get it started again is to set it up without TLS.
    6. The documentation for the yast LDAP client is out of date. The SSL/TLS dialog box talks about a CA certificate URL for download. You're supposed to put in a URL but there's no information on what that URL should be, and "openSUSE 12.3: Chapter 4. LDAP—A Directory Service" is out of date.
    7. And just to cap it off, sssd authentication seems to require TLS -- you get an operation not supported error -- which means that it's not possible to set up user management in LDAP without TLS. I've worked around that by adding pam_ldap to /etc/pam.d/common-auth-pc before pam_sss but it's hardly ideal.
    8. Setting up things like the mail server and so on are stalled until I can work this out, since the configuration dialogs seem to want TLS.


    I've been having to debug things for a couple of days now, never seeming to get closer to a stable system. Any help gratefully received.

  2. #2
    Join Date
    Sep 2012
    Posts
    5,279

    Re: LDAP/TLS Blues

    Quote Originally Posted by charvolant View Post
    I've been setting up a new 12.3 system. I've been trying to configure LDAP/TLS and there's always something wrong.

    I use CAcert as a certificate authority for my domain name.
    Is it a self-signed certificate? Or did you obtain it from a CA?

    I've installed the CAcert root certificates and have my current server certificate.

    I've used openssl to make a PKCS12 certificate out of the CAcert root certificate and imported it as a common server certificate. It imports OK and shows the correct information.
    So what is your "current server certificate"? Why did you import CA certificate as your server certificate if you already have one?

    I've added the CAcert root certificate as a certificate authority in the CA management screens
    A screenshot would be useful here.

    I try to enable TLS using the yast LDAP server screens. The use common certificate box is greyed out and I can't enable it, even though I've installed the certficate.
    So you did not install it (correctly). You also do not need it strictly speaking. So - do you want to use common cert or LDAP-specific cert?

    If I manually set up the authority and server certificate, I can no longer start LDAP. It fails with an error of "TLS init def ctx failed: -1" and stops. The only way to get it started again is to set it up without TLS.
    Something looks messed up with your certificates. Please show a screenshot and explain what the certs on it are. So far it sounds like you are trying to use the CA cert as your server cert, which is not likely to work.

  3. #3
    Join Date
    Jul 2008
    Location
    Australia
    Posts
    43

    Re: LDAP/TLS Blues

    Quote Originally Posted by arvidjaar View Post
    Is it a self-signed certificate? Or did you obtain it from a CA?
    Not self-signed. Obtained from CA.

    Quote Originally Posted by arvidjaar View Post
    So what is your "current server certificate"?
    The server certificate for my domain, supplied by CAcert.

    Quote Originally Posted by arvidjaar View Post
    Why did you import CA certificate as your server certificate if you already have one?
    Looking back on my original post, I wasn't clear. I combined the CA certificate, the issued server certificate and key to make a PKCS12 certificate, which is what the common server certificate seems to want.

    Quote Originally Posted by arvidjaar View Post
    A screenshot would be useful here.



    Quote Originally Posted by arvidjaar View Post
    So you did not install it (correctly). You also do not need it strictly speaking. So - do you want to use common cert or LDAP-specific cert?
    I want to use a common certificate, because openSUSE appears to offer a mechanism for using a common server certificate for the services that I run, such as https and imaps. I'd like to use the issued certificate because it's publicly verifiable, rather than just local. The yast LDAP server configuration gives me the option to use the common certificate but has it greyed out.

    If I try to not use the common server certificate but manually enter the CA and server certificate, slapd will not start. And if I don't have a certificate sssd gets unhappy.

    Quote Originally Posted by arvidjaar View Post
    Something looks messed up with your certificates. Please show a screenshot and explain what the certs on it are. So far it sounds like you are trying to use the CA cert as your server cert, which is not likely to work.
    No. I am using the server certificate for my domain issued by my CA.

  4. #4
    Join Date
    Jul 2008
    Location
    Australia
    Posts
    43

    Re: LDAP/TLS Blues

    I'm now part of the way along. I rebuilt the PKCS12 certificate ensuring that the root certificate and chain was included. The common server certificate is no longer greyed and slapd appears to be able to start now.

    For reference, the command to make the full certificate is

    # -in takes only the server certificate; the CA bundle goes in via -CAfile so that -chain can find it
    # (a second -in would simply replace the first one)
    openssl pkcs12 -export -chain -CAfile /etc/ssl/certs/CAcert.pem -in charvolant.org.crt -inkey charvolant.org.key -out charvolant.org.p12

    Still no further along on client configuration. It's unclear what things I should be setting.
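The procedure in post #4 (build a PKCS#12 bundle that carries the server certificate, its key and the CA chain, then hand it to YaST as the common server certificate) can be checked before touching slapd. The script below is an added example, not the poster's command or anything shipped by openSUSE: it constructs a throwaway test CA and server certificate as stand-ins for the CAcert root and the issued certificate, builds the bundle with `-CAfile` plus `-chain`, and then counts the certificates inside the bundle and verifies that the leaf chains to the CA. All file names, the `WORK` directory and the export password are constructed for the example; only `openssl` on the PATH is assumed.

```shell
#!/bin/sh
# Added example (not from the forum thread): build a PKCS#12 bundle with the
# full chain and check it before using it as a common server certificate.
# Assumes openssl is on PATH. Every path and password below is constructed.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"          # scratch directory (constructed)
CA_CERT="$WORK/ca.pem"                # stand-in for /etc/ssl/certs/CAcert.pem
CA_KEY="$WORK/ca.key"
SRV_CERT="$WORK/server.crt"           # stand-in for the issued server cert
SRV_KEY="$WORK/server.key"
BUNDLE="$WORK/server.p12"             # what YaST would import
EXPORT_PASS="pass:changeit"           # constructed test password

# make_test_pki: create a self-signed test root and a server cert it issued.
# This replaces the real CAcert root and issued cert only for the example.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test Root CA" \
        -keyout "$CA_KEY" -out "$CA_CERT" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=ldap.example.test" \
        -keyout "$SRV_KEY" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/server.csr" \
        -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
        -out "$SRV_CERT" 2>/dev/null
}

# build_p12: only the server cert is passed with -in; the CA goes in via
# -CAfile so that -chain can locate and embed the issuing chain.
build_p12() {
    openssl pkcs12 -export -chain -CAfile "$CA_CERT" \
        -in "$SRV_CERT" -inkey "$SRV_KEY" \
        -passout "$EXPORT_PASS" -out "$BUNDLE"
}

# count_certs: number of certificates embedded in the bundle (leaf + chain).
# A bundle built without the chain reports 1 here, which is the symptom
# behind the greyed-out "use common certificate" box.
count_certs() {
    openssl pkcs12 -in "$BUNDLE" -nokeys -passin "$EXPORT_PASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# leaf_verifies: does the server certificate actually chain to the CA the
# bundle is meant to carry? Exit status 0 means yes.
leaf_verifies() {
    openssl verify -CAfile "$CA_CERT" "$SRV_CERT" >/dev/null 2>&1
}

make_test_pki
build_p12
echo "certificates in $BUNDLE: $(count_certs)"
leaf_verifies && echo "server certificate chains to $CA_CERT"
```

For a real deployment, point `CA_CERT`, `SRV_CERT` and `SRV_KEY` at the installed CAcert root and the issued certificate and key instead of calling `make_test_pki`; `count_certs` should then report the leaf plus every intermediate and root that `-chain` pulled in, and `leaf_verifies` should succeed against the same CA file.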
