On Sat, Nov 13, 2010 at 12:02 PM, Joel Carnat <j...@carnat.net> wrote:
> I want to use LDAP to store postfix, apache and dovecot users.
> This sounds a quite simple need so I plan to use the native ldapd.
...
> Then I created a self-signed certificate in /etc/ldap/ using directions from
> starttls(8).
> The ldapd starts and listens to ldap and ldaps ports.
> But when I run: # ldapmodify -x -H ldaps://ldapd.tumfatig.local -D
> "cn=admin,dc=tumfatig,dc=local" -W -f /tmp/tumfatig
> I get: "additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
> The ldapd (in debug mode) says: "SSL library error: ssl_session_accept:
> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca"
>
> Can I use ldapd with self-signed certificate ?
> Did I miss a step ?
There are two aspects to verifying a cert:
1) does it have a valid signature?
2) is the CA that signed this trustable at all?
The point of this is to know whether you can trust the contents of the
cert so that you're protected from Man-in-the-Middle attacks. If you
accepted any self-signed cert then anyone could generate a cert that
claimed to be your server, then splice your TCP connection and snoop
and modify all your data.
So, you need some way to know which certs to trust; that's where #1
and #2 come in. #1 validates that this cert can be traced back to a
particular CA, while #2 is where you decide whether that CA is okay.
#1 is done automatically by the OpenSSL code; #2 is done by putting
all the CAs you want to trust in location(s) that OpenSSL checks.
For a self-signed cert, step #1 is basically trivial, while #2 is done
by either putting a link to the cert in /etc/ssl/certs/ with a name
that's derived from a hash of the cert's subject, or adding the cert
itself to /etc/ssl/cert.pem. The latter is easy but you may find it
cluttered. To do the former, do something like:
cert_file=/absolute/path/to/the/cert.pem
ln -s $cert_file /etc/ssl/certs/`openssl x509 -noout -in
$cert_file -subject_hash`.0
Note that /etc/ssl/cert* are the default trust paths for practically
all openssl-based apps, so a cert added there will be trusted for lots
of things. If you don't like that idea then you'll need to look at
how to set the CA paths for the apps you want to trust that cert.
That's fairly specific to the involved app. starttls(8) describes the
settings for sendmail, ldap.conf(5) describes it for the OpenLDAP
libldap and clients, etc.
Philip Guenther
