I’ve been setting up a new 12.3 system. I’ve been trying to configure LDAP/TLS and there’s always something wrong.
- I use CAcert as a certificate authority for my domain name. I’ve installed the CAcert root certificates and have my current server certificate.
- I’ve used openssl to make a PKCS12 certificate out of the CAcert root certificate and imported it as a common server certificate. It imports OK and shows the correct information.
- I’ve added the CAcert root certificate as a certificate authority in the CA management screens
- I try to enable TLS using the yast LDAP server screens. The use common certificate box is greyed out and I can’t enable it, even though I’ve installed the certificate.
- If I manually set up the authority and server certificate, I can no longer start LDAP. It fails with an error of “TLS init def ctx failed: -1” and stops. The only way to get it started again is to set it up without TLS.
- The documentation for the yast LDAP client is out of date. The SSL/TLS dialog box talks about a CA certificate URL for download. You’re supposed to put in a URL but there’s no information on what that URL should be and openSUSE 12.3: Chapter 4. LDAP—A Directory Service is out of date
- And just to cap it off, sssd authentication seems to require TLS – you get an operation not supported error – which means that it’s not possible to set up user management in LDAP without TLS. I’ve worked around that by adding pam_ldap to /etc/pam.d/common-auth-pc before pam_sss but it’s hardly ideal.
- Setting up things like the mail server and so on are stalled until I can work this out, since the configuration dialogs seem to want TLS.
I’ve been having to debug things for a couple of days now, never seeming to get closer to a stable system. Any help gratefully received.
Is it self-signed certificate? Or did you obtain it from CA?
I’ve installed the CAcert root certificates and have my current server certificate.
I’ve used openssl to make a PKCS12 certificate out of the CAcert root certificate and imported it as a common server certificate. It imports OK and shows the correct information.
So what is your “current server certificate”? Why did you import CA certificate as your server certificate if you already have one?
I’ve added the CAcert root certificate as a certificate authority in the CA management screens
Screenshot would be useful here.
I try to enable TLS using the yast LDAP server screens. The use common certificate box is greyed out and I can’t enable it, even though I’ve installed the certificate.
So you did not install it (correctly). You also do not need it strictly speaking. So - do you want to use common cert or LDAP-specific cert?
If I manually set up the authority and server certificate, I can no longer start LDAP. It fails with an error of “TLS init def ctx failed: -1” and stops. The only way to get it started again is to set it up without TLS.
Something is messed up with your certificates, it looks like. Please show a screenshot and explain what the certs on it are. So far it sounds like you are trying to use the CA cert as your server cert, which is not likely to work.
Not self-signed. Obtained from CA.
The server certificate for my domain, supplied by CAcert.
Looking back on my original post, I wasn’t clear. I combined the CA certificate, the issued server certificate and key to make a PKCS12 certificate, which is what the common server certificate seems to want.
http://www.charvolant.org/ldaptls/csc.png
I want to use a common certificate, because openSUSE appears to offer a mechanism for using a common server certificate for the services that I run, such as https and imaps. I’d like to use the issued certificate because it’s publicly verifiable, rather than just local. The yast LDAP server configuration gives me the option to use the common certificate but has it greyed out.
If I try to not use the common server certificate but manually enter the CA and server certificate, slapd will not start. And if I don’t have a certificate sssd gets unhappy.
No. I am using the server certificate for my domain issued by my CA.
I’m now part of the way along. I rebuilt the PKCS12 certificate ensuring that the root certificate and chain was included. The common server certificate is no longer greyed and slapd appears to be able to start now.
For reference, the command to make the full certificate is
openssl pkcs12 -export -chain -CAfile /etc/ssl/certs/CAcert.pem -in charvolant.org.crt -inkey charvolant.org.key -out charvolant.org.p12
Still no further along on client configuration. It’s unclear what things I should be setting.
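As an added check (not from the thread), the script below builds a PKCS12 bundle the way the final command does, once with the issuer chain and once without, and then inspects the result: a bundle that holds only the leaf certificate is the shape that left the common-certificate box greyed out and slapd refusing to start. It generates a throwaway test CA and server certificate instead of the CAcert-issued files, so all file names and subjects here are constructed.

```shell
#!/bin/sh
# Added example: verify that a PKCS12 bundle for the common server
# certificate carries the full chain and a key matching the leaf cert.
# The CA and server cert are constructed test data, not CAcert material.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed test CA (stand-in for the CAcert root) and a server cert it issues.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
    -keyout ca.key -out ca.pem >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
    -keyout server.key -out server.csr >/dev/null 2>&1
openssl x509 -req -days 1 -in server.csr -CA ca.pem -CAkey ca.key \
    -CAcreateserial -out server.crt >/dev/null 2>&1

# build_bundle OUT [nochain]: -chain pulls the issuer chain from -CAfile into
# the bundle; "nochain" reproduces a bundle that holds only the leaf cert.
build_bundle() {
    if [ "$2" = nochain ]; then
        openssl pkcs12 -export -in server.crt -inkey server.key \
            -out "$1" -passout pass: >/dev/null 2>&1
    else
        openssl pkcs12 -export -chain -CAfile ca.pem -in server.crt \
            -inkey server.key -out "$1" -passout pass: >/dev/null 2>&1
    fi
}

# Number of certificates in the bundle: 1 means the CA is missing, 2+ is a chain.
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin pass: 2>/dev/null | grep -c 'BEGIN CERT'
}

# "ok" when the bundled private key matches the leaf certificate's public key.
p12_key_matches_cert() {
    cert_pub=$(openssl pkcs12 -in "$1" -nokeys -clcerts -passin pass: 2>/dev/null \
        | openssl x509 -noout -pubkey)
    key_pub=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin pass: 2>/dev/null \
        | openssl pkey -pubout)
    [ "$cert_pub" = "$key_pub" ] && echo ok || echo mismatch
}

build_bundle full.p12
build_bundle leafonly.p12 nochain
echo "full bundle: $(p12_cert_count full.p12) cert(s), key $(p12_key_matches_cert full.p12)"
echo "leaf-only bundle: $(p12_cert_count leafonly.p12) cert(s)"
```

Run it against the real .p12 by calling p12_cert_count and p12_key_matches_cert on that file; a count of 1 means the CA chain was not included.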