Hi,

don't forget either to
* add the CA certificate that signed the LDAP server certificate to
/etc/openldap/ldap.conf on the client workstation (TLS_CACERT parameter)
* or to disable the certificate check ("TLS_REQCERT never")

You can easily test from the client whether it worked or not:

ldapsearch -x -H ldaps://your.ldap.server.example.com -b "" -s base

if the result of this command is the following error then you have not
configured the CA on the workstation correctly:
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Otherwise you will have the DSE base attributes...

@+

2012/7/25 Chaudhari, Rohit K. <rohit.chaudh...@jhuapl.edu>

> Hello everyone,
>
> The setup is as follows.  We have set up a server with 389 DS without DNS
> (hardcoded IP addresses in /etc/hosts) and created a CA certificate for
> distribution on servers and clients.  The 389 client has been set up to
> allow users created on the server to authenticate against LDAP when logging
> in for the first time.  However, this is failing.
>
> The server has 389 and a CA certificate.
> The client is given the CA certificate as certificate.asc.  Then, we used
> authconfig-tui to configure the client to use LDAP authentication against
> the server using TLS/SSL.
>
> In regards to a previous thread, one had brought up that there might be
> issues using LDAP authentication with TLS if the server is set up without
> DNS and has IP addresses hard-coded in /etc/hosts.  Does anyone have any
> suggestions as to why I am unable to log in against the server from my
> client machine?  The user created in LDAP is given POSIX attributes so that
> if it's a user attempting to log in for the first time, it is able to do so
> (since POSIX attributes include Group ID, UID, etc.)
>
> Thanks.
> ________________________________________
> --
> 389-devel mailing list
> 389-de...@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-devel
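The two client-side checks described in the reply above (is a CA pinned with TLS_CACERT, or is verification switched off with TLS_REQCERT never, and what does the ldapsearch failure text mean), as an added example that is not part of the thread or of 389 DS / OpenLDAP. It assumes the client config lives at /etc/openldap/ldap.conf as the reply says (the path can be passed explicitly), and the sample ldap.conf and ldapsearch output at the bottom are constructed here so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original thread). Classifies the TLS
# verification posture of an OpenLDAP client ldap.conf and interprets the
# ldapsearch output quoted in the reply. Assumed default path below.

LDAP_CONF_DEFAULT=/etc/openldap/ldap.conf

# Last effective value of an ldap.conf keyword: keywords are
# case-insensitive, '#' comment lines are skipped, last occurrence wins.
ldap_conf_value() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" \
        'tolower($1) == key { v = $2 } END { print v }' "$1"
}

# Posture of a client ldap.conf for ldaps:// / StartTLS connections:
#   ca-pinned        TLS_CACERT set and the file exists (server identity verified)
#   ca-missing       TLS_CACERT set but the file is absent (verify will fail)
#   verify-disabled  TLS_REQCERT never: connects, but the server is not authenticated
#   unconfigured     neither setting present: "certificate verify failed" as in the reply
ldap_tls_posture() {
    conf="${1:-$LDAP_CONF_DEFAULT}"
    cacert=$(ldap_conf_value "$conf" TLS_CACERT)
    reqcert=$(ldap_conf_value "$conf" TLS_REQCERT | tr '[:upper:]' '[:lower:]')
    if [ "$reqcert" = "never" ]; then
        echo verify-disabled
    elif [ -n "$cacert" ]; then
        if [ -f "$cacert" ]; then echo ca-pinned; else echo ca-missing; fi
    else
        echo unconfigured
    fi
}

# Interpret ldapsearch output passed on stdin. The verify-failed error is
# matched first because it also contains "Can't contact LDAP server".
classify_ldapsearch_output() {
    out=$(cat)
    case "$out" in
        *"certificate verify failed"*) echo ca-not-trusted ;;
        *"Can't contact LDAP server"*) echo unreachable ;;
        *namingContexts*|*"result: 0 Success"*) echo ok ;;
        *) echo unknown ;;
    esac
}

# Live check from the reply: anonymous root-DSE search over ldaps://.
# Prints "skipped" when the ldap client tools are not installed.
ldap_tls_check() {
    command -v ldapsearch >/dev/null 2>&1 || { echo skipped; return; }
    ldapsearch -x -H "ldaps://$1" -b "" -s base 2>&1 | classify_ldapsearch_output
}

# Constructed sample: a client that pins the CA. The CA file is a
# placeholder created here; on a real host it is the CA's PEM certificate.
demo_dir=$(mktemp -d)
printf 'placeholder, not a real certificate\n' > "$demo_dir/ca.crt"
cat > "$demo_dir/ldap.conf" <<EOF
# constructed sample ldap.conf
BASE   dc=example,dc=com
URI    ldaps://your.ldap.server.example.com
TLS_CACERT $demo_dir/ca.crt
EOF
echo "posture: $(ldap_tls_posture "$demo_dir/ldap.conf")"

# Constructed sample: the failure text quoted in the reply.
SAMPLE_VERIFY_FAILED="ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
echo "ldapsearch result: $(printf '%s\n' "$SAMPLE_VERIFY_FAILED" | classify_ldapsearch_output)"
rm -rf "$demo_dir"
```

Run it as `sh check_ldap_tls.sh`; to check a real workstation call `ldap_tls_posture /etc/openldap/ldap.conf` and `ldap_tls_check your.ldap.server.example.com` from the same shell. A `verify-disabled` result means the login will work, but the client will accept any certificate for the server, so treat it as a troubleshooting step rather than a configuration to keep.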