David,

First, a little certificate background.  With SSL, you have a Certificate 
Authority (CA) that has a certificate known as a "CA cert" (Certificate 
Authority Certificate) which is used to sign certificates that are installed 
on servers.  These certificates are known as "server certs".  The idea is that 
you have public certificate authorities (e.g. Verisign) who publish their CA 
certs.  Then, when you bring up a server that needs to use SSL, you have them 
sign your server certificate.  When people access your server, they see that 
your server certificate is signed by a known and trusted CA, and therefore 
they trust you.

Things get more complicated when you have a self-signed certificate.  This is 
when you create your own CA cert that you use to sign a server cert.  When 
someone accesses your server, they do not have a copy of the CA cert to verify 
that your server cert is valid.  Most systems (such as web browsers) allow you 
to accept and trust a server cert when you don't have the CA cert that was used 
to sign it.  Unfortunately, the underlying libraries used by php for ldaps do 
not allow you to just accept the server cert.

So, you need the PEM encoded CA cert that was used to sign the server cert 
that is installed on the ldap server.  A PEM encoded file will be plain text 
with a "BEGIN CERTIFICATE" line at the top and an "END CERTIFICATE" line at 
the bottom.  I've worked with several ldap server admins that aren't really 
sure which certificate I need.  This can end up being tricky.  The best clue 
I've been able to give them is to look at the issuer of the server cert.  To 
find that, you need to run the openssl command you listed.  Somewhere in the 
output, you should see a line with "Server certificate".  Following it will be 
a "subject=" line and an "issuer=" line.  The issuer= line will contain 
something kind of like the hostname of the CA in reverse order.

I hope that helps.

Josh

On Wednesday, November 13, 2013 8:53:49 AM David DeMizio wrote:
> Hello, I have ldap set up and going but I can't seem to get ldaps working.
> I get the following error message below when running
> 
> 
> openssl s_client -showcerts -CAfile /etc/pki/tls/certs/ca-bundle.crt -connect your.ldap.server.here:636
> 
> 
> I would like to fix this issue so I can rule out any other issues I am
> having. I also tried running
> 
> vifs --listdc --server my vcenter server and it fails with the message
> displayed  at the following URL:
> 
> http://probably.co.uk/vmware-perl-sdk-error-server-version-unavailable.html
> 
> If I set export PERL_LWP_SSL_VERIFY_HOSTNAME=0 then the vifs
> --listdc command works. Could someone assist with how the
> certificate needs to be installed? I have a certificate from the sysadmin
> but I keep getting the error below. I'm not too sure on the steps outlined
> in the configuring the web front end for ldap authentication.
> 
> If your LDAP server's SSL certificate is self-signed, your VCL web server
> needs to have the root CA certificate that was used to sign the LDAP server
> certificate installed. The PEM formatted certificate needs to be added to
> the ca-bundle.crt file. On CentOS, the file is located at /etc/pki/tls
> /certs/ca-bundle.crt. The hostname in the certificate must match the
> hostname entered in the conf.php file further down. If your certificate
> does not have the correct hostname in it, you can put an entry in
> /etc/hosts for the hostname in the certificate.
> can someone please clarify how this needs to get configured? Thank You
> Error message when running the openssl command above:
> 
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES128-SHA
>     Session-ID: 683800009905729E42D39C584A91E4B72F4468392FB72A71FAA5AA630DF88439
>     Session-ID-ctx:
>     Master-Key: E24AE8C7F770D863C92D9EEF81F11A76AABB54FBAF27F19328790913C3D08291909824D7FCA0372CE2DE4CA971BFB3C4
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1384349719
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> 
> David DeMizio
> *Academic Systems Coordinator*
> Office of Information Technology
> New College of Florida
> Phone: 941-487-4222 | Fax: 941-487-4356
> www.ncf.edu
> 
> On Thu, Nov 7, 2013 at 4:53 PM, David DeMizio <[email protected]> wrote:
> > Hello,
> > 
> > I'm having a difficult time configuring ldap authentication for the web
> > login. I used the test script found on this mailing list and it seems to
> > work with the following parameters.
> > 
> > $server = 'serverA.internal.ncf.edu';  # ldap server hostname
> > $masteracct = 'CN=VCL User,OU=Admin,DC=internal,DC=ncf,DC=edu'; # full DN of account with which to log in to ldap server
> > $masterpass = 'mypassword'; # password for account
> > 
> > $res = ldap_bind($ds, $masteracct, $masterpass);
> > The above works fine in the test script, which is also where it's failing
> > in vcl/.ht-inc/authentication.php line 413. By the way, I modified
> > ldapauth and authentication.php to use ldap:// instead of ldaps:// for
> > the time being because ldaps is not working at all. I get invalid
> > credentials. Line 413 of authentication.php is
> > 
> > $res = ldap_bind($ds, $ldapuser, $passwd);
> > 
> > my conf.php looks like this which might be the issue, I may need to
> > put it in a different format.
> > "server" => "serverA.internal.ncf.edu",
> > "binddn" => "dc=internal,dc=ncf,dc=edu",
> > "userid" => "uid=%s,dc=internal,dc=ncf,dc=edu",     [email protected]'
> > "unityid" => "samAccountName",    # ldap field that contains the user's login id
> > "firstname" => "givenname",       # ldap field that contains the user's first name
> > "lastname" => "sn",               # ldap field that contains the user's last name
> > "email" => "mail",                # ldap field that contains the user's email address
> > "defaultemail" => "@example.com", # if for some reason an email address may not be returned for a user, this is what
> >                                   #    can be added to the user's login id to send mail
> > "masterlogin" => "vcluser",       # privileged login id for ldap server
> > "masterpwd" => "mypassword",      # privileged login password for ldap server
> > Thanks
-- 
-------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found at pgp.mit.edu

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.
