Bug 37505 - Self-signed cert won't work for openldap
Summary: Self-signed cert won't work for openldap
Status: RESOLVED FIXED
Alias: None
Product: [OLD] Docs-user
Classification: Unclassified
Component: Other
Hardware: x86 Linux
Importance: High normal
Assignee: Docs Team
URL: http://www.gentoo.org/doc/en/ldap-how...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-01-07 12:00 UTC by Lindsay Haisley
Modified: 2004-01-28 10:23 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Lindsay Haisley 2004-01-07 12:00:28 UTC
I've installed openldap as per <http://www.gentoo.org/doc/en/ldap-howto.xml>.
The procedure described on this page generates a self-signed certificate for
openldap, however it appears that a self-signed certificate is unacceptable
to the TLS subsystem.

# ldapsearch -D "cn=Manager,dc=genfic,dc=com" -W
ldap_create
Enter LDAP Password:
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"

[ ... lots of cruft, snip, snip!]

TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_sasl_interactive_bind_s: Can't contact LDAP server (81)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Comment 1 Robin Johnson 2004-01-28 01:27:37 UTC
Direct self-signed certificates are no longer allowed by upstream.
You have to properly create your own CA and then a cert for your openldap from there.
Comment 2 Lindsay Haisley 2004-01-28 07:37:44 UTC
Would you (or someone) please include precise instructions on how to do this in the openldap HOWTO on the gentoo website.  Once proper instructions are available the bug will be a non-issue - i.e. resolved.

I assumed that this was the endgame for a resolution to the problem, but openssl is a horridly complex piece for those of us who don't have the time to learn about all the acronyms, filename extensions, protocols, procedures and the ins and outs of certificate management.  I have no idea how to get there.  This stuff isn't really well documented for someone who needs to do a specific job in a hurry.
Comment 3 Benjamin Coles 2004-01-28 09:21:00 UTC
Can you check to see if /etc/openldap/ldap.conf has
TLS_REQCERT allow
in it... When I upgraded from 2.0 to 2.1, this solved the problem. This was added 3 weeks ago to the HOWTO on gentoo.org. Let me know if this fixes it or not.
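Comment 1 says to create your own CA and issue the slapd certificate from it, and Comment 3 points at TLS_REQCERT allow. The script below is an added example, not from the Gentoo LDAP HOWTO and not posted by anyone in this bug: it does the CA work with openssl, then uses "openssl verify" to show why the directly self-signed server certificate fails with the "self signed certificate" error seen in the report while the CA-issued one verifies, and prints the matching ldap.conf and slapd.conf TLS lines. The CA subject, the file names and the host name ldap.genfic.com are assumptions made for the example. One caveat a practitioner should know before taking the Comment 3 route: per ldap.conf(5), TLS_REQCERT allow tells the client to proceed even when the server presents a bad certificate, so it silences the error by skipping verification rather than by fixing the trust chain; pointing TLS_CACERT at the CA certificate and keeping TLS_REQCERT demand fixes the error while still verifying the server.

```shell
#!/bin/sh
# Added example, not from the Gentoo LDAP HOWTO or from this bug's participants:
# build a private CA with openssl, issue the slapd server certificate from it,
# and use "openssl verify" to show why a directly self-signed server cert is
# rejected ("self signed certificate", as in the report) while the CA-issued
# one chains. Assumed names: the CA subject, the file names below and the host
# ldap.genfic.com.
set -u

# make_ca DIR: CA key plus self-signed CA certificate. This is the one cert
# that may be self-signed, because clients are explicitly told to trust it.
make_ca() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=Genfic/CN=Genfic LDAP CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# issue_server_cert DIR HOST: slapd key and CSR, signed by the CA in DIR.
issue_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Genfic/CN=$2" \
        -keyout "$1/ldap.key" -out "$1/ldap.csr" >/dev/null 2>&1 &&
    openssl x509 -req -days 365 -in "$1/ldap.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/ldap.crt" >/dev/null 2>&1
}

# make_self_signed DIR HOST: what the original HOWTO produced, a server
# certificate that is its own issuer, kept here only for the comparison.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Genfic/CN=$2" \
        -keyout "$1/selfsigned.key" -out "$1/selfsigned.crt" >/dev/null 2>&1
}

# verify_against_ca DIR CERT: exit 0 if DIR/CERT chains to DIR/ca.crt, the
# same check an LDAP client makes with TLS_CACERT set and TLS_REQCERT demand.
verify_against_ca() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2" >/dev/null 2>&1
}

# client_conf DIR: ldap.conf lines that trust the CA and still verify the
# server. "TLS_REQCERT allow" would instead ignore a bad server certificate.
client_conf() {
    printf 'TLS_CACERT %s/ca.crt\nTLS_REQCERT demand\n' "$1"
}

# slapd_conf DIR: the matching slapd.conf TLS directives.
slapd_conf() {
    printf 'TLSCACertificateFile %s/ca.crt\nTLSCertificateFile %s/ldap.crt\nTLSCertificateKeyFile %s/ldap.key\n' \
        "$1" "$1" "$1"
}

# demo [DIR]: run the whole procedure and report both verification results.
demo() {
    dir=${1:-${TMPDIR:-/tmp}/genfic-pki}
    make_ca "$dir" &&
    issue_server_cert "$dir" ldap.genfic.com &&
    make_self_signed "$dir" ldap.genfic.com || return 1
    if verify_against_ca "$dir" ldap.crt; then
        echo "ldap.crt: OK, issued by our CA"
    fi
    if ! verify_against_ca "$dir" selfsigned.crt; then
        echo "selfsigned.crt: rejected, the error from the bug report"
    fi
    echo "--- /etc/openldap/ldap.conf"; client_conf "$dir"
    echo "--- /etc/openldap/slapd.conf"; slapd_conf "$dir"
}

demo "$@"
```

Run it with no arguments to work in a scratch directory under /tmp, or pass the directory slapd should read its files from (for instance /etc/openldap/ssl) and copy the printed directives into the two config files. The example deliberately stops at what the thread discusses (a CA and a cert issued from it); a certificate for a current client would additionally carry a subjectAltName matching the server's host name, since newer TLS clients check the name as well as the chain.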
Comment 4 Lindsay Haisley 2004-01-28 09:31:35 UTC
Thanks.  I'll take a look and give it a shot.  My original report was filed on the 7th, prolly just before the documentation change was done.  I dropped openldap and haven't revisited it since but I'll try again and if the problem is fixed I'll mark this bug as resolved.
Comment 5 Lindsay Haisley 2004-01-28 10:23:12 UTC
Looks like the docs are fixed, at least as far as this bug is concerned.  I ran through them with the stable version of openldap (2.0) and it looks like it's working as expected.  Didn't need to upgrade to 2.1.  Thanks!