openSUSE 11.4 MAIL Server + LDAP

Hello, I have successfully set up an LDAP server with TLS, but the YaST mail module and the LDAP browser cannot connect because of the following error: https://lh5.googleusercontent.com/_9oMjyDFlkqc/TYSWhQHrgsI/AAAAAAAAABA/45Q7WsKkSQ0/s1152/ldap_browser_error.png

I have tried to add:

  1. in /etc/openldap/ldap.conf

tls_cacert      /etc/ssl/certs/YaST-CA.pem
TLS_REQCERT     allow

  2. in /etc/ldap.conf

tls_checkpeer   no

but this didn’t help :frowning:

Has somebody had/solved this problem?

On Sat, 19 Mar 2011 12:06:01 +0000, isemionov wrote:

> but this didn’t help :frowning:
>
> Has somebody had/solved this problem?

Maybe a silly question, but after making those changes, did you restart
both services?

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

Hi Jim,

yes of course, I even restarted the machine.
Finally it works, but without encryption, and this makes me feel like a fool because I have spent some days on it without success.
I have tried the same actions on SLES 11 (with VirtualBox) and it works without any problem, but not on openSUSE…

On Sat, 19 Mar 2011 17:06:02 +0000, isemionov wrote:

> yes of course, I even restarted the machine.

I thought you probably had, but having done online support for many
years, I’ve found that often it’s the case that it’s something simple
that’s been missed. I’m glad that isn’t the case here. :slight_smile:

> Finally it works, but
> without encryption, and this makes me feel like a fool because I have
> spent some days on it without success. I have tried the same actions on
> SLES 11 (with VirtualBox) and it works without any problem, but not on
> openSUSE…

Anything recorded in any of the relevant log files related to the failure?

Another thought - did you import the certificate’s info into the
certificate store? (I actually ran into this recently configuring a
service to use LDAP on OES2, and I got a very similar error message to
what you’re getting, and the only way was to import the self-signed
certificate into the certificate store used by the Java instance I was
working with).

Jim


> Anything recorded in any of the relevant log files related to the failure?

There is nothing related in /var/log/messages.

> Another thought - did you import the certificate’s info into the
> certificate store? (I actually ran into this recently configuring a
> service to use LDAP on OES2, and I got a very similar error message to
> what you’re getting, and the only way was to import the self-signed
> certificate into the certificate store used by the Java instance I was
> working with).

I was thinking about something like this, but I have no idea how it can be done for YaST modules that are not Java applications.

On Sat, 19 Mar 2011 18:36:01 +0000, isemionov wrote:

>> Anything recorded in any of the relevant log files related to the
>> failure?
> there is nothing related in /var/log/messages
>
>
>> Another thought - did you import the certificate’s info into the
>> certificate store? (I actually ran into this recently configuring a
>> service to use LDAP on OES2, and I got a very similar error message to
>> what you’re getting, and the only way was to import the self-signed
>> certificate into the certificate store used by the Java instance I was
>> working with).
> I was thinking about something like this but I have no idea how it can
> be done for Yast modules that are not java applications.

I’m thinking that there’s got to be a certificate store that the mail
server is using - that would be where it would need to be added.

Guessing that you’re using postfix?

Jim


Actually the problem is the connection of the standard YaST mail administration module using TLS.
If I set the LDAP client to not use TLS, then the connection is OK.
And the mail server (standard YaST+Postfix+Cyrus+LDAP) works OK and can be accessed with TLS also.
The same for the LDAP browser: it tries to connect using TLS, fails, and asks if I want to try without TLS, and if I answer yes then the connection is OK.
The same behavior for the user and group administration module,
i.e. the problem is only in YaST modules making an LDAP connection using TLS - they cannot accept self-generated certificates.
But this is very strange to me, as in SLES 11 it works and the same idea is used there.
I do not understand.

On Sat, 19 Mar 2011 21:36:01 +0000, isemionov wrote:

> Actually the problem is the connection of standard yast mail
> administration module using tls.

That is strange. You might want to file a bug on that, somehow I didn’t
see that the issue wasn’t the Postfix->LDAP connection but the admin tool.

Jim


Hello,

if somebody is interested, finally I have found the solution:

  1. In LDAP Client click on “Download CA Certificate” and indicate the URL (I have put it on a local web server)

  2. It creates the directory /etc/openldap/cacerts/ and adds in /etc/openldap/ldap.conf:

TLS_CACERTDIR   /etc/openldap/cacerts/

and copies the CA certificate there.

  3. In the address of the LDAP server the same name must be indicated as in the server certificate (otherwise an error will be raised that they do not coincide)

After this, the LDAP connection using TLS of each YaST module (mail server module, user and group management module, LDAP browser) is OK!

I think it can be done manually also (create /etc/openldap/cacerts/, copy the certificate there and add TLS_CACERTDIR in ldap.conf)

Uhh! after a lot of headache it finally works ! rotfl!
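The manual equivalent of steps 1 and 2 above, as an added shell example that is not code from the thread or from YaST: it copies the CA into the cacerts directory, points TLS_CACERTDIR at it, and replaces the `TLS_REQCERT allow` workaround from the first post with `demand`, so libldap verifies the server certificate instead of accepting whatever is presented. The function takes explicit paths (on the box they are /etc/openldap/ldap.conf and /etc/openldap/cacerts/, as in the thread) so it can be tried on a scratch copy first; the hash link is there because an OpenSSL-backed libldap looks CA files up in a TLS_CACERTDIR by subject hash, and the `verify` mode runs the same STARTTLS query the YaST modules make.

```shell
#!/bin/sh
# Added example, not from the thread or from YaST: manual version of the
# "Download CA Certificate" step. Paths are passed in so it can be tried on
# a scratch copy; on the box they are /etc/openldap/ldap.conf and
# /etc/openldap/cacerts/ (as in the thread), and the CA is YaST-CA.pem.
set -eu

# trust_ldap_ca CONF CACERTDIR CA_PEM
# Copies CA_PEM into CACERTDIR, points TLS_CACERTDIR at it and sets
# TLS_REQCERT demand, replacing any earlier TLS_CACERTDIR/TLS_REQCERT line
# (so "TLS_REQCERT allow", which skips verification, does not survive).
# Every other directive in CONF is kept. Safe to run more than once.
trust_ldap_ca() {
    conf=$1; certdir=$2; ca=$3
    mkdir -p "$certdir"
    cp "$ca" "$certdir/"
    # OpenSSL-backed libldap finds CAs in a directory by subject-hash name
    # (what c_rehash produces); create that link when openssl can read the
    # file, otherwise leave just the plain copy.
    if h=$(openssl x509 -noout -subject_hash -in "$ca" 2>/dev/null); then
        ln -sf "$(basename "$ca")" "$certdir/$h.0"
    fi
    # Keep every other directive, drop the two we manage, append ours.
    grep -Eiv '^[[:space:]]*TLS_(CACERTDIR|REQCERT)([[:space:]]|$)' "$conf" \
        > "$conf.new" || true
    printf 'TLS_CACERTDIR\t%s\nTLS_REQCERT\tdemand\n' "$certdir" >> "$conf.new"
    mv "$conf.new" "$conf"
}

# verify_starttls HOST
# The same kind of connection the YaST modules make with "Secure
# connection" checked: STARTTLS forced (-ZZ) against the server named
# exactly as in its certificate. A CA or hostname problem fails here with
# a TLS error from libldap instead of a YaST dialog.
verify_starttls() {
    ldapsearch -x -ZZ -H "ldap://$1" -b '' -s base '(objectClass=*)' namingContexts
}

case "${1:-}" in
    install) trust_ldap_ca "$2" "$3" "$4" ;;
    verify)  verify_starttls "$2" ;;
esac
```

Usage: `sh trust_ca.sh install /etc/openldap/ldap.conf /etc/openldap/cacerts /etc/ssl/certs/YaST-CA.pem` followed by `sh trust_ca.sh verify hh1.com` (the hostname, not the IP). If the verify step fails, the client is correctly refusing an untrusted or mismatched certificate; loosening TLS_REQCERT would only hide that.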

On Sun, 20 Mar 2011 20:36:02 +0000, isemionov wrote:

> if somebody is interested, finally I have found the solution

Fantastic - thanks for updating the thread with what you found. :slight_smile:

Jim


> 3. In the address of the LDAP server the same name must be indicated as in the server certificate (otherwise an error will be raised that they do not coincide)

Hi.

Could you give an actual example here?

My server is called hh1.com

I have LDAP DN: cn=admin,dc=com

The common name of my YaST-CA.pem is hh1.com

I made a server cert with it whose common name is hh1.com.

I have saved the YaST-CA.pem on my local webserver as hh1.com.pem

I download the CA file in the YaST LDAP client: hh1.com

I still get the “does not match” error.

An example of another setup would be great.
Cheers, Steve.

I answered my own question.

On openSUSE 11.4, e.g. my server is 192.168.1.2 and it is called hh1.com.

  1. Install the apache webserver
  2. Create the root CA with the common name hh1.com. Create the common server certificate with this CA.
  3. Copy YaST-CA.pem from /etc/ssl/certs to /srv/www/htdocs
  4. Add the line:
    192.168.1.2 hh1.com hh1
    to /etc/hosts
  5. Yast -> LDAP Client:
    Addresses of LDAP Servers:
    hh1.com
    Secure connection checked
    Download CA Certificate:
    http://hh1.com/YaST-CA.pem

That’s it.

Cheers, Steve.
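Why step 5 has to say `hh1.com` and not `192.168.1.2`, as an added shell example that is not Steve's or the thread's code: libldap takes the host part of the LDAP address and compares it with the names the server certificate is valid for (subjectAltName DNS entries, else the subject CN), and a mismatch is exactly the error from the earlier post. The `hh1.com`, `hh1` and `192.168.1.2` values mirror the thread; the `*.` wildcard handling goes slightly beyond the thread's case and follows the usual TLS rule of one label. The demo issues a throwaway self-signed certificate with CN=hh1.com in a temp directory and is skipped when openssl is not installed.

```shell
#!/bin/sh
# Added example (not Steve's or the thread's code) for step 5: libldap
# checks the host part of the LDAP address against the names the server
# certificate is valid for (subjectAltName DNS entries, else the subject
# CN). hh1.com / hh1 / 192.168.1.2 mirror the thread; matching is
# case-insensitive and a leading "*." matches exactly one label.
set -eu

# uri_host ADDRESS -> host part of "ldaps://host:636", "host:389" or "host"
# (IPv6 literals in brackets are not handled here).
uri_host() {
    h=${1#*://}; h=${h%%/*}; h=${h%%:*}
    printf '%s\n' "$h"
}

# host_matches HOST NAME... -> 0 when HOST matches one of NAME..., else 1.
# An IP literal such as 192.168.1.2 never equals a DNS name, which is the
# "does not match" error from the thread.
host_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
    for n in "$@"; do
        n=$(printf '%s' "$n" | tr 'A-Z' 'a-z')
        case "$n" in
            '*.'*)  # wildcard: same parent domain plus exactly one more label
                    parent=${n#\*.}
                    [ "${host#*.}" = "$parent" ] && [ "${host%%.*}" != "$host" ] && return 0 ;;
            *)      [ "$host" = "$n" ] && return 0 ;;
        esac
    done
    return 1
}

# cert_names CERT_PEM -> the DNS names in a real certificate, one per line
# (needs openssl). To see what the server actually presents:
#   openssl s_client -connect hh1.com:636 </dev/null 2>/dev/null \
#     | openssl x509 > server.pem; cert_names server.pem
cert_names() {
    openssl x509 -noout -text -in "$1" \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# address_ok ADDRESS CERT_PEM -> 0 when ADDRESS would pass the name check
address_ok() {
    host_matches "$(uri_host "$1")" $(cert_names "$2")
}

# Demo with a throwaway self-signed certificate shaped like the one the
# YaST CA module issues for CN=hh1.com; returns 1 when openssl is missing.
demo() {
    t=$(mktemp -d)
    if ! openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=hh1.com \
            -keyout "$t/key.pem" -out "$t/cert.pem" 2>/dev/null; then
        rm -rf "$t"; return 1
    fi
    for a in hh1.com ldaps://hh1.com:636 192.168.1.2; do
        if address_ok "$a" "$t/cert.pem"; then echo "$a: name matches"
        else echo "$a: does not match certificate name"; fi
    done
    rm -rf "$t"
}
demo || echo "openssl demo skipped"
```

Run as-is it prints a match for `hh1.com` and `ldaps://hh1.com:636` and a mismatch for `192.168.1.2`, which is the same outcome the YaST LDAP Client reports. Adding the `192.168.1.2 hh1.com hh1` line to /etc/hosts, as Steve does in step 4, is what lets the name in the address resolve to the server while still satisfying the certificate check.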