-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David,

If you passed "-inform pem" to openssl, then the file is in PEM format. If you just run "cat RootCA.pem", you should see the BEGIN/END lines. Assuming you see the BEGIN/END lines, you can add the contents of the file to /etc/pki/tls/certs/ca-bundle.crt (you must include the BEGIN/END lines). After doing so, the openssl s_client command should work successfully. You'll need to restart httpd so the ca-bundle.crt file is read again. If the openssl command is working, but the test script is not, you may need to add "TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt" to /etc/openldap/ldap.conf.

Josh

On Wednesday, November 13, 2013 1:19:07 PM David DeMizio wrote:
> Hello Josh,
>
> The server cert is self-signed and I believe it's in DER format. I
> tried running a command sort of like this but I don't see a BEGIN
> CERTIFICATE and END.
>
> openssl x509 -inform pem -in RootCA.pem -noout -text
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             79:ea:98:8c:f8:36:fe:88:45:76:fb:fe:4a:c7:e7:02
>     Signature Algorithm: sha1WithRSAEncryption
>         Issuer: DC=edu, DC=ncf, DC=internal, CN=internal-MSADCS1-CA
>         Validity
>             Not Before: Jun  1 06:24:07 2012 GMT
>             Not After : Jun  1 06:34:05 2017 GMT
>         Subject: DC=edu, DC=ncf, DC=internal, CN=internal-MSADCS1-CA
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                     00:99:41:a8:c8:ee:fb:87:d7:b9:5e:3f:02:c3:9d:
>                     53:7c:f9:23:10:0a:2a:af:6d:5c:9a:10:d9:ab:e8:
>                     cc:56:e2:05:5e:00:a5:74:bf:54:df:f3:29:b4:d1:
>                     cc:04:dc:39:93:07:d8:51:fc:62:fe:e5:c5:91:9e:
>                     67:02:4b:d2:fc:cc:ba:f3:fc:61:76:aa:c9:17:13:
>                     a8:c4:26:78:cc:7c:ad:a9:09:e9:41:b1:e4:0b:58:
>                     72:3c:17:71:6c:c8:fc:7e:4e:35:4b:2d:cd:03:f6:
>                     6e:bd:38:ed:93:17:68:87:14:28:dc:b5:79:6a:d4:
>                     a6:cc:ea:39:f9:cc:b4:95:10:2d:f2:03:c2:4e:06:
>                     c5:4f:06:ee:50:d5:12:5f:3a:37:1a:6d:c8:35:65:
>                     f0:a0:81:87:ec:5e:0b:63:d4:a2:71:76:b1:92:a7:
>                     52:dc:da:38:8b:76:f6:40:41:8d:0d:fd:55:ee:76:
>                     50:c4:57:b7:12:d0:56:a1:5d:b4:38:05:8e:63:5c:
>                     cf:b6:f9:ff:84:8a:f5:e0:ef:6e:30:cd:3a:4c:5d:
>                     c3:57:c5:ce:ab:77:a0:13:04:f6:7e:e0:e4:a1:e5:
>                     af:fa:7d:d7:77:15:b9:17:59:21:4f:fd:30:37:97:
>                     bf:ef:e9:b8:74:47:3b:6b:38:94:66:e2:46:ac:bb:
>                     30:fb
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             1.3.6.1.4.1.311.20.2:
>                 ...C.A
>             X509v3 Key Usage:
>                 Digital Signature, Certificate Sign, CRL Sign
>             X509v3 Basic Constraints: critical
>                 CA:TRUE
>             X509v3 Subject Key Identifier:
>                 EC:A5:DB:79:15:97:AC:B0:E9:00:FC:F4:9D:CF:8B:C5:9F:94:2B:A4
>             1.3.6.1.4.1.311.21.1:
>                 ...
>     Signature Algorithm: sha1WithRSAEncryption
>          25:bf:ac:bd:84:7e:90:99:25:87:dc:3b:7e:2f:cf:27:2c:cd:
>          5c:15:e2:28:5f:f8:bf:d0:ef:4f:95:a1:41:52:40:be:4f:db:
>          3e:16:df:cf:c9:be:1d:d9:fb:6f:24:58:fd:0c:b7:6a:fa:5d:
>          aa:0c:94:05:c4:a9:c0:f4:cd:78:ae:01:ec:1e:00:ec:5e:9a:
>          55:75:e9:d4:fd:b4:fd:00:34:d6:c4:6b:47:fd:30:05:df:a7:
>          f3:c1:c8:b2:03:46:e7:7f:02:ad:23:0b:9b:df:ac:40:d6:2d:
>          e5:ff:b3:5a:25:b2:c0:c1:d0:fc:7f:b1:aa:68:b0:6f:72:ac:
>          63:3e:99:e5:e3:17:8b:7c:fb:9c:36:81:ba:43:89:3b:d0:b8:
>          37:d3:0e:ed:d9:5f:8c:dc:11:49:95:9d:02:ec:85:f5:a6:22:
>          73:cf:bf:91:f4:8e:7d:b2:8f:c5:fc:86:37:4d:3f:5e:96:f2:
>          0e:fd:7e:d7:da:53:43:4f:0e:50:0b:d6:7f:62:a8:16:e4:7b:
>          2f:ff:8c:7d:6c:f0:de:af:de:f9:9e:10:df:4c:36:8a:93:a1:
>          40:af:3b:56:5a:ae:32:a6:6e:40:c8:68:b5:79:93:46:41:e2:
>          44:00:1e:0f:a9:74:0a:b1:24:f0:bb:63:f2:f5:ca:c0:7c:da:
>          18:a1:b0:65
>
> I don't get what I'm supposed to install, and as I mentioned above, I
> don't see any BEGIN CERTIFICATE and END CERTIFICATE
>
> On Wed, Nov 13, 2013 at 12:53 PM, Josh Thompson <[email protected]> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > David,
> >
> > First, a little certificate background. With SSL, you have a Certificate
> > Authority (CA) that has a certificate known as a "CA cert" (Certificate
> > Authority Certificate) which is used to sign certificates that are installed
> > on servers. These certificates are known as "server certs". The idea is that
> > you have public certificate authorities (i.e. Verisign) who publish their CA
> > certs. Then, when you bring up a server that needs to use SSL, you have them
> > sign your server certificate. When people access your server, they see that
> > your server certificate is signed by a known and trusted CA, and therefore
> > they trust you.
> >
> > Things get more complicated when you have a self-signed certificate. This is
> > when you create your own CA cert that you use to sign a server cert. When
> > someone accesses your server, they do not have a copy of the CA cert to verify
> > that your server cert is valid. Most systems (such as web browsers) allow you
> > to accept and trust a server cert when you don't have the CA cert that was used
> > to sign it. Unfortunately, the underlying libraries used by php for ldaps do
> > not allow you to just accept the server cert.
> >
> > So, you need the PEM encoded CA cert that was used to sign the server cert
> > that is installed on the ldap server. A PEM encoded file will be plain text
> > with a "BEGIN CERTIFICATE" line at the top and an "END CERTIFICATE" line at
> > the bottom. I've worked with several ldap server admins that aren't really
> > sure which certificate I need. This can end up being tricky. The best clue
> > I've been able to give them is to look at the issuer of the server cert. To
> > find that, you need to run the openssl command you listed. Somewhere in the
> > output, you should see a line with "Server certificate". Following it will be
> > a "subject=" line and an "issuer=" line. The issuer= line will contain
> > something kind of like the hostname of the CA in reverse order.
> >
> > I hope that helps.
> >
> > Josh
> >
> > On Wednesday, November 13, 2013 8:53:49 AM David DeMizio wrote:
> > > Hello, I have ldap set up and going but I can't seem to get ldaps working.
> > > I get the following error message below when running
> > >
> > > openssl s_client -showcerts -CAfile /etc/pki/tls/certs/ca-bundle.crt -connect your.ldap.server.here:636
> > >
> > > I would like to fix this issue so I can rule out any other issues I am
> > > having. I also tried running
> > >
> > > vifs --listdc --server my vcenter server and it fails with the message
> > > displayed at the following URL:
> > > http://probably.co.uk/vmware-perl-sdk-error-server-version-unavailable.html
> > >
> > > If I set export PERL_LWP_SSL_VERIFY_HOSTNAME=0 then the vifs --listdc
> > > command works. Could someone assist with how the certificate needs to be
> > > installed? I have a certificate from the sysadmin but I keep getting the
> > > error below. I'm not too sure on the steps outlined in the configuring the
> > > web front end for ldap authentication.
> > >
> > > If your LDAP server's SSL certificate is self-signed, your VCL web server
> > > needs to have the root CA certificate that was used to sign the LDAP server
> > > certificate installed. The PEM formatted certificate needs to be added to
> > > the ca-bundle.crt file. On CentOS, the file is located at
> > > /etc/pki/tls/certs/ca-bundle.crt. The hostname in the certificate must match
> > > the hostname entered in the conf.php file further down. If your certificate
> > > does not have the correct hostname in it, you can put an entry in
> > > /etc/hosts for the hostname in the certificate.
> > >
> > > Can someone please clarify how this needs to get configured? Thank You
> > >
> > > Error message when running the openssl command above:
> > >
> > > Expansion: NONE
> > > SSL-Session:
> > >     Protocol  : TLSv1
> > >     Cipher    : AES128-SHA
> > >     Session-ID: 683800009905729E42D39C584A91E4B72F4468392FB72A71FAA5AA630DF88439
> > >     Session-ID-ctx:
> > >     Master-Key: E24AE8C7F770D863C92D9EEF81F11A76AABB54FBAF27F19328790913C3D08291909824D7FCA0372CE2DE4CA971BFB3C4
> > >     Key-Arg   : None
> > >     Krb5 Principal: None
> > >     PSK identity: None
> > >     PSK identity hint: None
> > >     Start Time: 1384349719
> > >     Timeout   : 300 (sec)
> > >     Verify return code: 21 (unable to verify the first certificate)
> > >
> > > David DeMizio
> > > *Academic Systems Coordinator*
> > > Office of Information Technology
> > > New College of Florida
> > > Phone: 941-487-4222 | Fax: 941-487-4356
> > > www.ncf.edu
> > >
> > > On Thu, Nov 7, 2013 at 4:53 PM, David DeMizio <[email protected]> wrote:
> > > > Hello,
> > > >
> > > > I'm having a difficult time configuring ldap authentication for the web
> > > > login. I used the test script found on this mailing list and it seems to
> > > > work with the following parameters.
> > > >
> > > > $server = 'serverA.internal.ncf.edu'; # ldap server hostname
> > > > $masteracct = 'CN=VCL User,OU=Admin,DC=internal,DC=ncf,DC=edu'; # full DN of account with which to log in to ldap server
> > > > $masterpass = 'mypassword'; # password for account
> > > >
> > > > $res = ldap_bind($ds, $masteracct, $masterpass);
> > > >
> > > > The above works fine in the test script which is also where it's failing
> > > > in vcl/.ht-inc/authentication.php line 413. By the way, I modified
> > > > ldapauth and authentication.php to use ldap:// instead of ldaps:// for
> > > > the time being because ldaps is not working at all. I get invalid
> > > > credentials. Line 413 of authentication.php is
> > > >
> > > > $res = ldap_bind($ds, $ldapuser, $passwd);
> > > >
> > > > My conf.php looks like this, which might be the issue; I may need to
> > > > put it in a different format.
> > > >
> > > > "server" => "serverA.internal.ncf.edu",
> > > > "binddn" => "dc=internal,dc=ncf,dc=edu",
> > > > "userid" => "uid=%s,dc=internal,dc=ncf,dc=edu",
> > > > [email protected]'
> > > > "unityid" => "samAccountName", # ldap field that contains the user's login id
> > > > "firstname" => "givenname", # ldap field that contains the user's first name
> > > > "lastname" => "sn", # ldap field that contains the user's last name
> > > > "email" => "mail", # ldap field that contains the user's email address
> > > > "defaultemail" => "@example.com", # if for some reason an email address may not be returned for a user, this is what
> > > >                                   # can be added to the user's login id to send mail
> > > > "masterlogin" => "vcluser", # privileged login id for ldap server
> > > > "masterpwd" => "mypassword", # privileged login password for ldap server
> > > >
> > > > Thanks
> >
> > - --
> > - -------------------------------
> > Josh Thompson
> > VCL Developer
> > North Carolina State University
> >
> > my GPG/PGP key can be found at pgp.mit.edu
> >
> > All electronic mail messages in connection with State business which
> > are sent to or received by this account are subject to the NC Public
> > Records Law and may be disclosed to third parties.
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v2.0.19 (GNU/Linux)
> >
> > iEYEARECAAYFAlKDvK8ACgkQV/LQcNdtPQMr6ACeNx1u3/phmfC5VfaUbT5gfXmb
> > FR8AnRtlPqysXQrLXTCrz1umPEYYRPIK
> > =c3FQ
> > -----END PGP SIGNATURE-----

- --
- -------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found at pgp.mit.edu

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iEYEARECAAYFAlKDxJ4ACgkQV/LQcNdtPQMfMACbB8No6+n8LiWnkiJZ3s2vnxCb
En0An1HEDkKz3nB/kB71geHDCtMFa1h6
=rkau
-----END PGP SIGNATURE-----
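The thread turns on two things Josh explains in prose: a PEM file is just the DER bytes of the certificate, base64-encoded and wrapped in BEGIN/END CERTIFICATE marker lines, and the CA cert has to be appended to ca-bundle.crt with those markers intact. The script below is an added illustration of that step, not code from the thread or from the VCL project. It tells PEM from DER the same way "cat RootCA.pem" does (is there a BEGIN marker?), converts DER to PEM if needed, and appends to the bundle text only when a certificate with the same SHA-256 fingerprint is not already there, so the step is safe to repeat. The function names and the tiny DER sample are assumptions: the sample is a constructed SEQUENCE, not a real certificate, so that the example runs offline; on a real host you would read RootCA.pem (or the DER-encoded RootCA.cer) and /etc/pki/tls/certs/ca-bundle.crt and write the result back.

```python
import base64
import hashlib
import re

# A PEM certificate is the DER bytes, base64-encoded in 64-column lines and
# wrapped in these two marker lines. They are the "BEGIN/END lines" from the
# thread and must be copied into ca-bundle.crt together with the body.
PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
PEM_BLOCK_RE = re.compile(
    re.escape(PEM_HEADER) + r"\s*(.*?)\s*" + re.escape(PEM_FOOTER), re.S)


def looks_like_pem(data: bytes) -> bool:
    """True if the file carries at least one BEGIN CERTIFICATE marker."""
    return PEM_HEADER.encode("ascii") in data


def looks_like_der(data: bytes) -> bool:
    """True if the file starts with a DER SEQUENCE tag (0x30), as every
    DER-encoded X.509 certificate does. Such a file has no BEGIN/END lines."""
    return len(data) > 2 and data[0] == 0x30


def der_to_pem(der: bytes) -> str:
    """Same result as `openssl x509 -inform der -outform pem`."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def pem_blocks_to_der(text: str) -> list:
    """DER bytes of every certificate block in a PEM bundle, in file order."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in PEM_BLOCK_RE.finditer(text)]


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of the DER encoding (the value
    `openssl x509 -fingerprint -sha256` prints)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def add_ca_to_bundle(bundle_text: str, cert_file: bytes):
    """Append one CA certificate (PEM or DER input) to the text of ca-bundle.crt.

    Returns (new_bundle_text, added). The certificate is normalised to PEM and
    appended only if no block with the same fingerprint is already present, so
    re-running this step cannot duplicate the entry.
    """
    if looks_like_pem(cert_file):
        ders = pem_blocks_to_der(cert_file.decode("ascii"))
        if not ders:
            raise ValueError("BEGIN marker present but no complete PEM block found")
        der = ders[0]
    elif looks_like_der(cert_file):
        der = cert_file
    else:
        raise ValueError("input is neither PEM nor DER")

    present = {sha256_fingerprint(d) for d in pem_blocks_to_der(bundle_text)}
    if sha256_fingerprint(der) in present:
        return bundle_text, False
    sep = "" if (bundle_text == "" or bundle_text.endswith("\n")) else "\n"
    return bundle_text + sep + der_to_pem(der), True


# Constructed sample: a tiny DER SEQUENCE { INTEGER 1, INTEGER 2 }. It is NOT a
# certificate, only a stand-in with the right leading byte so the example runs
# offline (assumption for this example).
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02])


if __name__ == "__main__":
    bundle, added = add_ca_to_bundle("", SAMPLE_DER)          # DER in, PEM out
    bundle, again = add_ca_to_bundle(bundle, bundle.encode())  # PEM in, already present
    print(bundle, "added:", added, "second add:", again)
```

After writing the updated bundle back, the remaining steps are the ones from the reply above: restart httpd so the new ca-bundle.crt is read, and if openssl s_client now verifies but the PHP test script still fails, point the OpenLDAP client library at the same bundle with TLS_CACERT in /etc/openldap/ldap.conf.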
