[Pkg-openldap-devel] problem with verifying server-certificate

t.becker at fh-bingen.de t.becker at fh-bingen.de
Thu Aug 17 18:38:34 UTC 2006


Zitat von Quanah Gibson-Mount <quanah at stanford.edu>:

>
>
> --On Thursday, August 17, 2006 1:38 PM +0200 t.becker at fh-bingen.de wrote:
>
> > Hello,
> >
> > I have installed a Debian Testing system within a Linux-Vserver.
> > I have slapd 2.3.24-2 installed and configured.
> > With pyca I built a simple CA and created a self-signed root certificate,
> > server certificate and certificate for the slapd server that was signed
> > by serverCA.
>
> Is this version of slapd running as a user other than root?  If so, it is
> likely a known problem with running slapd as a non-root user on debian
> systems, where the older 2.1 version libraries also get loaded into the
> user space, and the GnuTLS patch to them causes conflicts with slapd
> processing SSL/TLS requests properly.
>
> --Quanah
>
No, the slapd is running as root.

I did a little more testing. I have created new rootCA and slapd certificates.
The certificates were built with the tools from openssl (CA.sh), with CA.sh
-newca / CA.sh -newreq / CA.sh -signreq.
I tried to get the password out of the certificate as described in my book,
with openssl rsa -in newcert.pem -out ldapkey.pem,
but this gives me the error that there is no private key in the certificate...

But when I start slapd it asks me for the password, and after giving the
password, starts without errors. Now just one reaction has changed:

If I comment out the line "tls_checkpeer no" in pam_ldap.conf, the login will not
hang, but I will be asked for my password while trying to login and then get the
message that I am not allowed, and be asked for another password.


Torsten
> --
> Quanah Gibson-Mount
> Principal Software Developer
> ITS/Shared Application Services
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
>
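An added illustration, not part of this thread: the `openssl rsa` error above is what you get when a file holds only a CERTIFICATE block (CA.sh -signreq writes the certificate to newcert.pem and the key stays in newkey.pem), and a key whose PEM carries a `Proc-Type: 4,ENCRYPTED` header is what makes slapd prompt for a passphrase at startup. The stdlib-only Python checker below classifies a PEM file the same way; the two PEM strings are constructed stand-ins with dummy base64, not real CA.sh output.

```python
import re

# Matches each PEM block; the \1 backreference forces END to match BEGIN.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY",
              "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

def pem_blocks(text):
    """Return [(label, needs_passphrase)] for every PEM block in text."""
    found = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        # Legacy PKCS#1 keys mark encryption with RFC 1421 headers;
        # PKCS#8 uses a distinct label instead.
        encrypted = (label == "ENCRYPTED PRIVATE KEY"
                     or "Proc-Type: 4,ENCRYPTED" in body)
        found.append((label, encrypted))
    return found

def diagnose(text):
    """Summarise what a TLS server such as slapd would find in this file."""
    blocks = pem_blocks(text)
    labels = [label for label, _ in blocks]
    return {
        "certificates": labels.count("CERTIFICATE"),
        "has_private_key": any(label in KEY_LABELS for label in labels),
        "key_needs_passphrase": any(enc for label, enc in blocks if label in KEY_LABELS),
    }

# Constructed stand-ins for CA.sh output; the base64 is filler, not real DER.
NEWCERT_PEM = """Certificate:
    Data:
        Version: 3 (0x2)
-----BEGIN CERTIFICATE-----
MIIBszCCAVygAwIBAgIBATANBgkqhkiG9w0BAQUFADAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
"""
NEWKEY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

MIICXAIBAAKBgQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, pem in (("newcert.pem", NEWCERT_PEM), ("newkey.pem", NEWKEY_PEM)):
        print(name, diagnose(pem))
```

Run it against the real files (`diagnose(open("newkey.pem").read())`) to see whether the key is in the file slapd is pointed at and whether it is passphrase-protected.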
