[Auth_ldap] Auth_Ldap and Active Directory with TLS/SSL

Aaron Smith Aaron.Smith at kzoo.edu
Wed Oct 11 12:23:48 PDT 2006


Definitely an SSL certificate problem as the following command from the
apache server:

openssl s_client -connect n1-wrath.sandbox.com:3269 -CAfile /etc/certs/sandbox-ca.pem

Results in:
CONNECTED(00000004)
depth=0 /CN=n1-wrath.sandbox.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=n1-wrath.sandbox.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /CN=n1-wrath.sandbox.com
verify error:num=21:unable to verify the first certificate
verify return:1

Though I *am* providing it with the correct CA certificate so I'm not
sure what the problem is.  I'll try asking over on the openldap list.

--------------------------------------------------------------------
Aaron Smith                Aaron.Smith at kzoo.edu
System Administrator   (269) 337-7496
Kalamazoo College
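An added example, not code from the thread or from auth_ldap: it reproduces the verify failure above offline with a throwaway PKI and shows the two checks worth running before changing TLS_REQCERT. It assumes the openssl CLI (1.1.1 or later) is installed; all certificate names and keys are constructed.

```shell
set -u
WORK=$(mktemp -d) && cd "$WORK"
# Minimal req config so the throwaway CAs get CA:TRUE regardless of the
# distro's openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF

# Constructed test PKI (throwaway keys; only the CN mirrors the thread):
# the domain CA, an unrelated CA, and a server cert issued by the domain CA.
for ca in sandbox-ca other-ca; do
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$ca" -keyout "$ca.key" -out "$ca.pem" >/dev/null 2>&1
done
openssl req -newkey rsa:2048 -nodes -subj "/CN=n1-wrath.sandbox.com" \
  -keyout srv.key -out srv.csr >/dev/null 2>&1
openssl x509 -req -in srv.csr -CA sandbox-ca.pem -CAkey sandbox-ca.key \
  -CAcreateserial -days 1 -out srv.pem >/dev/null 2>&1

# issuer_matches LEAF CAFILE: does CAFILE hold the certificate that issued
# LEAF? Compares the leaf's issuer DN with the CA's subject DN; a mismatch
# is the usual cause of "unable to get local issuer certificate" when the
# server, as in the thread, sends only its own depth=0 certificate.
issuer_matches() {
  iss=$(openssl x509 -in "$1" -noout -issuer)
  sub=$(openssl x509 -in "$2" -noout -subject)
  [ "${iss#issuer=}" = "${sub#subject=}" ]
}

# verify_against LEAF CAFILE: the chain build s_client -CAfile performs.
# Prints OK or a short tag for the X509 error text openssl reports.
verify_against() {
  out=$(openssl verify -CAfile "$2" "$1" 2>&1 || true)
  case "$out" in
    *": OK"*)                                   echo OK ;;
    *"unable to get local issuer certificate"*) echo MISSING_ISSUER ;;
    *"self"*"signed certificate"*)              echo UNTRUSTED_SELF_SIGNED ;;
    *)                                          echo "OTHER: $out" ;;
  esac
}

# Stand-alone run: the issuing CA verifies, the wrong CA reproduces error 20.
echo "sandbox-ca: $(verify_against srv.pem sandbox-ca.pem)"
echo "other-ca:   $(verify_against srv.pem other-ca.pem)"
```

With TLS_REQCERT never, OpenLDAP skips this check entirely and accepts any certificate presented on 3269; the durable fix is a TLS_CACERT file that passes issuer_matches for the domain controller's certificate, with TLS_REQCERT left at its default of demand.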
 

-----Original Message-----
From: auth_ldap-bounces at rudedog.org
[mailto:auth_ldap-bounces at rudedog.org] On Behalf Of Aaron Smith
Sent: Wednesday, October 11, 2006 1:39 PM
To: auth_ldap at rudedog.org
Subject: Re: [Auth_ldap] Auth_Ldap and Active Directory with TLS/SSL

Ok.  I think I might have made at least SOME progress on this. I added
the patch that Andrew McAllister added to allow OpenLDAP to connect to
an LDAPS:// URL and recompiled it.  Now, when attempting to use SSL, I
get an error in the apache log file that says:
Could not connect to LDAP server: No such file or directory

If I don't use SSL, and connect to port 3268, it works fine.  My gut
says this is a certificate problem and I suspect that the "file or
directory" it's looking for is the CA certificate for my domain.  I put
a copy of this in /etc/certs and then put the following in openldap's
ldap.conf:

TLS_REQCERT never
TLS_CACERT /etc/certs/sandbox-ca-B64.cer
TLS_CACERTDIR /etc/certs

I'm currently authenticating to a domain controller on a test domain and
didn't do anything to "set up" TLS/SSL on the Domain controller.  I've
read some instructions about adding certificate requests into Group
Policy which will "turn on" SSL and TLS and cause the servers to start
listening to ports 636 and 3269, however I didn't do this and the server
is ALREADY listening to those ports.....?  I did install Certificate
Services so maybe that gets set up when you do that?

I know this is sounding like more of a windows question rather than
Auth_Ldap but I thought maybe someone on the list had run into this
issue.



--------------------------------------------------------------------
Aaron Smith                Aaron.Smith at kzoo.edu
System Administrator   (269) 337-7496
Kalamazoo College
 

-----Original Message-----
From: McAllister, Andrew [mailto:McAllisterA at umsystem.edu] 
Sent: Tuesday, October 10, 2006 11:38 AM
To: Aaron Smith
Subject: RE: [Auth_ldap] Auth_Ldap and Active Directory with TLS/SSL

I believe it uses 3269 for TLS

Andy

> -----Original Message-----
> From: auth_ldap-bounces at rudedog.org 
> [mailto:auth_ldap-bounces at rudedog.org] On Behalf Of Aaron Smith
> Sent: Tuesday, October 10, 2006 9:46 AM
> To: auth_ldap at rudedog.org
> Subject: Re: [Auth_ldap] Auth_Ldap and Active Directory with TLS/SSL
> 
> After I sent my last message, I found the problem with the 
> "Operations Error" with Server 2003, had to point auth_ldap 
> to port 3268.  Still having trouble with TLS though.  Does 
> the AD server use a different port for TLS connections?  I'll 
> have to google that...
> 
> --------------------------------------------------------------------
> Aaron Smith                Aaron.Smith at kzoo.edu
> System Administrator   (269) 337-7496
> Kalamazoo College

_______________________________________________
Auth_ldap mailing list
Auth_ldap at rudedog.org
http://www.rudedog.org/mailman/listinfo/auth_ldap