OpenLDAP and SSL certificate research notes

Overview:

As referenced in the centos_ldap_install doc, OpenLDAP is using TLS and I'm able to get Linux systems to authenticate, but I have to add

TLS_REQCERT allow # short version: proceed even when the client can't validate the server cert

or some variation of that in the relevant config files. Note what that setting actually does: the session is still encrypted, but the client no longer cares who is on the other end, so a spoofed or man-in-the-middle server presenting any certificate gets the bind (and the credentials) just the same. The files and their spelling of the option:

  • /etc/openldap/ldap.conf (TLS_REQCERT): libldap clients such as ldapsearch

  • /etc/nslcd.conf (tls_reqcert): nss-pam-ldapd, the legacy authentication path

  • /etc/sssd/sssd.conf (ldap_tls_reqcert in the domain section): System Security Services Daemon, the current auth path

So, what’s up with that?

Solution:

ldapsearch -d 5 -LLL -x -b dc=oci,dc=com showed the answer:

# ldapsearch -d 5 -LLL -x -b dc=oci,dc=com uid=qwer dn
[[boring bits snipped]]
TLS: loaded CA certificate file /etc/openldap/cacerts/cacert.pem.
TLS: certificate [CN=ldapsvr.olearycomputers.com,OU=IT,O=IT,L=Naperville,ST=IL,C=US] is valid
TLS certificate verification: subject: CN=ldapsvr.olearycomputers.com,OU=IT,O=IT,L=Naperville,ST=IL,C=US, issuer: CN=caauth.olearycomputers.com,OU=IT,O=OCI,L=IL,ST=Naperville,C=US, cipher: AES-256, security level: high, secret key bits: 256, total key bits: 256, cache hits: 0, cache misses: 0, cache not reusable: 0
TLS: hostname (192.168.122.20) does not match common name in certificate (ldapsvr.olearycomputers.com).
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

TLS: hostname (192.168.122.20) does not match common name

It's because I had the IP address in the URI vs. the FQDN. F'ing nice!
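To make the failure above concrete, here is an added example (not code from the notes or from OpenLDAP) modelling the decision a libldap client makes after the handshake: does the host in the URI match the server certificate, and what does each TLS_REQCERT value do when it does not. The certificate identity and the two ldap.conf fragments are constructed inline to mirror the debug output (the ldap:// scheme and the cacert path are assumptions; the hostname check is the same for ldaps:// and STARTTLS). The matching rules are a simplified reading of libldap's hostname check, not its source: an IP literal in the URI is compared against iPAddress SANs, a DNS name against dNSName SANs with a wildcard allowed only as the whole leftmost label, and the subject CN is the fallback. The point it shows: a certificate with only CN=ldapsvr.olearycomputers.com can never match URI ldap://192.168.122.20, so the real fix is the FQDN in the URI (or an iPAddress SAN in the cert) with TLS_REQCERT demand, not TLS_REQCERT allow.

```python
"""Model of the decision an OpenLDAP client makes after the TLS handshake:
does the host in the URI match the server certificate, and what does
TLS_REQCERT do when it does not?  Added illustration, not libldap code.
The matching rules are a simplified reading of libldap's hostname check:
an IP literal in the URI is compared against iPAddress SANs, a DNS name
against dNSName SANs (wildcard only as the whole leftmost label), and the
subject CN is the fallback when no SAN matched.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed certificate identity mirroring the one in the debug output:
# a CN only, no subjectAltName extension at all.
SERVER_CERT = {
    "cn": "ldapsvr.olearycomputers.com",
    "san_dns": [],
    "san_ip": [],
}

# Constructed ldap.conf fragments (scheme and paths are assumptions).
WORKAROUND_CONF = """\
# what the notes had to add to get binds working
URI ldap://192.168.122.20
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_REQCERT allow
"""

FIXED_CONF = """\
# the real fix: name the server the way the certificate names it
URI ldap://ldapsvr.olearycomputers.com
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_REQCERT demand
"""


def _name_match(pattern, host):
    """Case-insensitive match; '*' may stand for exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    rest = pattern[2:]
    labels = host.split(".", 1)
    return len(labels) == 2 and labels[1] == rest and "*" not in rest


def hostname_matches(host, cert):
    """True if the URI host is one of the identities the certificate carries."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ip == ipaddress.ip_address(s) for s in cert["san_ip"]):
            return True
    elif any(_name_match(p, host) for p in cert["san_dns"]):
        return True
    # No SAN matched (here: none exist), so fall back to the subject CN.
    # An IP literal can only ever match a CN that is that literal string.
    return _name_match(cert["cn"], host)


def parse_ldap_conf(text):
    """Pull URI and TLS_REQCERT out of ldap.conf-style text."""
    conf = {"URI": [], "TLS_REQCERT": "demand"}  # demand is libldap's default
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        value = parts[1] if len(parts) > 1 else ""
        if key == "URI":
            conf["URI"] = value.split()
        elif key == "TLS_REQCERT":
            conf["TLS_REQCERT"] = value.strip().lower()
    return conf


def connection_outcome(conf_text, cert=SERVER_CERT):
    """Return (bind_proceeds, server_verified, reason) for the first URI."""
    conf = parse_ldap_conf(conf_text)
    host = urlsplit(conf["URI"][0]).hostname if conf["URI"] else None
    if host is None:
        return (False, False, "no host in URI")
    if hostname_matches(host, cert):
        return (True, True, "hostname (%s) matches certificate" % host)
    reason = "hostname (%s) does not match common name in certificate (%s)" % (
        host, cert["cn"])
    policy = conf["TLS_REQCERT"]
    if policy in ("never", "allow"):
        # never: no check at all; allow: the check runs, failure is ignored.
        # Either way the bind goes ahead over an unauthenticated channel.
        return (True, False, reason + "; ignored because TLS_REQCERT " + policy)
    # try / demand / hard: the session is torn down, which is what the
    # "Can't contact LDAP server (-1)" in the debug output looks like.
    return (False, False, reason)


if __name__ == "__main__":
    for label, conf in (("workaround", WORKAROUND_CONF), ("fixed", FIXED_CONF)):
        print(label, connection_outcome(conf))
```

Running it prints the workaround config as "bind proceeds, server not verified" and the fixed config as "bind proceeds, server verified"; swapping allow for demand in the workaround config reproduces the failure from the ldapsearch output. The same reasoning applies to nslcd.conf and sssd.conf: fix the URI (or the certificate's SANs) in those files and drop the allow setting there too.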