Re: SSL based LDAP client verification

2015-10-08 Thread Andrew Findlay
On Wed, Oct 07, 2015 at 02:13:38AM +0500, Aneela Saleem wrote:

> I have followed this link to generate self-signed certificates. I have
> successfully performed server side validation.

I assume that means that you have made an SSL or TLS connection to the server
and done an LDAP operation, so this operation should succeed:

ldapwhoami -x -H ldap://my.server.com/ -ZZ

If it does not, you may need to specify the TLS_CACERT location in
/etc/openldap/ldap.conf or temporarily provide the cert location in the
environment:

LDAPTLS_CACERT=/path/to/ca.crt ldapwhoami -x -H ldap://my.server.com/ -ZZ

Don't start trying to use any other clients until you have the command-line
ones working properly.

> What if I want to access LDAPS:// from other client. I have copied
> servercrt.pem and serverkey.pem file on client machine, also added
> servercrt.pem file to client trust store. I'm using

NO! Don't ever give clients the secret key.

Assuming you followed http://www.openldap.org/faq/data/cache/185.html fully you
created two certificates: a master CA cert and a server-specific cert. You can
use the CA cert to create as many server certs as you like, and client machines
only need a copy of the CA cert to verify trust.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
---



SSL based LDAP client verification

2015-10-06 Thread Aneela Saleem
Hi all,

I have followed this link to generate self-signed certificates. I have
successfully performed server-side validation. What if I want to access
LDAPS:// from another client? I have copied the servercrt.pem and
serverkey.pem files to the client machine, and also added servercrt.pem to
the client trust store. I'm using the LDAPjs client for authentication. I
have provided the trust store path and the serverkey.pem file in the code,
but I still get the following error:

crypto.js:104
  if (options.cert) c.context.setCert(options.cert);
  ^
Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
    at Object.exports.createCredentials (crypto.js:104:31)
    at Object.exports.connect (tls.js:1334:27)
    at Client._connect (/home/aneela/node_modules/ldapjs/lib/client/client.js:736:18)
    at new Client (/home/aneela/node_modules/ldapjs/lib/client/client.js:247:22)
    at Object.createClient (/home/aneela/node_modules/ldapjs/lib/client/index.js:60:12)
    at authDN (/home/aneela/client-ldapjs/app.js:15:21)
    at Object. (/home/aneela/client-ldapjs/app.js:90:1)
    at Module._compile (module.js:456:26)
    at Object.Module._extensions..js (module.js:474:10)
    at Module.load (module.js:356:32)

Please guide me if I'm doing something wrong. Which PEM files need to be
copied to the client machine? Or do I need to create client-side certificates
separately as well?