From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-sysadm/2012-February/004213.html | 127 ++++++++++++++++++++++++ 1 file changed, 127 insertions(+) create mode 100644 zarb-ml/mageia-sysadm/2012-February/004213.html (limited to 'zarb-ml/mageia-sysadm/2012-February/004213.html') diff --git a/zarb-ml/mageia-sysadm/2012-February/004213.html b/zarb-ml/mageia-sysadm/2012-February/004213.html new file mode 100644 index 000000000..286e06b39 --- /dev/null +++ b/zarb-ml/mageia-sysadm/2012-February/004213.html @@ -0,0 +1,127 @@ + + + + [Mageia-sysadm] ldap server certificate (was: Re: [Mageia-discuss] Fosdem report) + + + + + + + + + +

[Mageia-sysadm] ldap server certificate (was: Re: [Mageia-discuss] Fosdem report)

+ Buchan Milne + bgmilne at zarb.org +
+ Wed Feb 15 08:25:22 CET 2012 +

+
+ +
On Tuesday, 14 February 2012 17:36:14 nicolas vigier wrote:
+> On Tue, 14 Feb 2012, Oliver Burger wrote:
+> > But shall we write that command line into the wiki? Aside from not
+> > working: [oli at beteigeuze avfs]$ ldapsearch -W -Z -h ldap.mageia.org  -D
+> > uid=obgr_seneca,ou=People,dc=mageia,dc=org -b ou=Group,dc=mageia,dc=org
+> > ldap_start_tls: Connect error (-11)
+> > Enter LDAP Password:
+> > ldap_result: Can't contact LDAP server (-1)
+> 
+> It looks like we are still using a self-signed certificate on the ldap
+> server.
+
+Yes.
+
+> So it's required to have "TLS_REQCERT allow" in
+> /etc/openldap/ldap.conf to be able to connect to the ldap server.
+
+There are a few issues. If the self-signed cert and key were separate files 
+(new installs of openldap-server will do it this way as of current cauldron), 
+then the self-signed cert would not be too much of an issue if the self-signed 
+cert were distributed to all nodes and set as the TLS_CACERT, e.g.:
+
+# grep ^TLS_CACERT /etc/openldap/ldap.conf
+TLS_CACERT      /etc/ssl/openldap/ldap.mageia.org.pem
+
+
+The next issue is:
+# openssl x509 -noout -subject -in /etc/ssl/openldap/ldap.mageia.org.pem
+subject= /C=FR/ST=France/L=Marseille/O=Mageia/OU=Ldap 
+server/CN=valstar.mageia.org/emailAddress=root at mageia.org
+
+subjectCN does not match the hostname that was provided, and no Subject 
+Alternative Names provided, so:
+
+
+# ldapsearch -LLL -x -h ldap.mageia.org -ZZ -s base -b '' 
+namingContextsldap_start_tls: Connect error (-11)
+        additional info: TLS: hostname does not match CN in peer certificate
+
+vs
+# ldapsearch -LLL  -x -h valstar.mageia.org -ZZ -s base -b '' namingContexts
+dn:
+namingContexts: dc=mageia,dc=org
+namingContexts: dc=test_ldap
+
+
+But, this doesn't scale. We already have 2 LDAP servers, we would now need to 
+have both of their certs in the TLS_CACERT, and update it if:
+-a cert is updated for whatever reason
+-we add more servers
+
+> Should we also use the *.mageia.org certificate on the ldap server ?
+
+No, as you are distributing the key too widely, opening up easy avenues for 
+decrypting the traffic.
+
+> Or have our own CA
+
+Yes.
+
+> with keys distributed by rpm packages in the
+> distribution ?
+
+No. Possibly the CA cert distributed, if we intend for distribution users to 
+access our LDAP directory from the internet (which seems is currently 
+possible). But, then I am not sure if that is intended, or a mistake.
+
+Regards,
+Buchan
+
+ + + + + +
+

+ +
+More information about the Mageia-sysadm +mailing list
+ -- cgit v1.2.1