Bypass GUI LDAP configuration and do it in the CLI?

Status: Not open for further replies.

zstar69 (Dabbler, joined Aug 20, 2014, 15 messages)

Please delete this.

Edit:

Omg I figured out how to encrypt my LDAP connections. I think I will pack up and go home for the day.

Just wanted to mention, it's weird how when importing a CA, you ask for a key. Shouldn't I just be able to import the CA certificate alone without a key so that my LDAP is trusted? I put the key from my certificate with an Entrust Root CA and somehow that worked. Maybe that is how it's supposed to be but it's very misleading.

When configuring SSSD on all my other systems, all I needed to do was openssl s_client -connect ldap.company.com:636 and copy paste that certificate into the cacerts dir. I really don't get the need to input a key in that box.

Either way, LDAP with start tls is working, finally.

Thanks again

zstar69 (Dabbler, joined Aug 20, 2014, 15 messages)

Ok so in case anyone else is having trouble getting StartTLS/SSL working with LDAP, maybe this will help. I spent two days trying to figure out the problem and I still don't really understand, but it works.

Go to Certificates -> CA's, Import CA.

For the certificate, import _only_ the root CA. Don't chain-link them, don't do anything else. Just put the CA alone, by itself. (Do not put your server's certificate in there.)

In the Private Key section (Why is this even necessary?!) put the private key from your Cert. Obviously we do not know the private key for the CA. So put in the private key for your certificate.

Magically enough, putting the Root CA and your private key together with some bogus serial number (I put 123456789) and selecting it in the LDAP config page makes this all work.

I am a little mind blown. I've never needed to include a private key when authenticating to my LDAP before. We've only needed to specify the CA.crt and that was it.

Having both those fields mandatory totally threw me off, and it was only right before I gave up and flipped the table over that I attempted this (what I thought was a) silly idea of putting the Root CA together with my certificate's private key, and it ended up working.

I tried to chain link my cert

--BEGIN--
MY CERT
--END--
--BEGIN--
Intermediate Cert
--END--
--BEGIN--
ROOT CA CERT
--END--

And this did not work. Had to include just the "ROOT CA CERT" and the private key from "MY CERT"

Hope this helps someone...
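The two things the posts above arrive at by trial and error can be checked before touching the GUI: which certificate in a pasted chain is the self-signed root (the only one the CA import form wants), and whether a given private key actually belongs to a given certificate (in the thread it is the server key paired with a root CA it does not match, which the form accepts but which is worth knowing about). The script below is an added example, not code from the thread or from FreeNAS; it relies only on the openssl command-line tool, and the demo PKI it builds (names like "Demo Root CA" and ldap.example.test) is constructed throwaway material.

```shell
#!/bin/sh
# Added example (not from the forum thread): helpers for picking the
# self-signed root out of a PEM chain and for checking whether a private key
# belongs to a certificate. Requires the openssl CLI. All names below are
# constructed demo values.
set -eu

# Split a PEM bundle ($1) into cert-1.pem, cert-2.pem, ... under $2 and print
# how many certificates were found.
split_pem_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }
    ' "$bundle"
}

# Print the path of the self-signed certificate (subject == issuer) among the
# split certs in $1. That is the root CA the import form expects on its own;
# the server and intermediate certificates are issued by someone else.
find_root_ca() {
    dir="$1"
    for c in "$dir"/cert-*.pem; do
        subj=$(openssl x509 -in "$c" -noout -subject)
        iss=$(openssl x509 -in "$c" -noout -issuer)
        # openssl prefixes the lines with "subject=" / "issuer="; drop the labels
        if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
            echo "$c"
            return 0
        fi
    done
    return 1
}

# Succeed only if the private key in $1 carries the same public key as the
# certificate in $2. A root CA paired with your server key will fail this.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Build a throwaway root CA and a server certificate it signs, in $1, plus a
# chain.pem laid out the way the post pasted it (server cert first, root last).
# Constructed test material only.
make_demo_pki() {
    d="$1"; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$d/root.key" -out "$d/root.pem" \
        -subj "/CN=Demo Root CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$d/server.key" -out "$d/server.csr" \
        -subj "/CN=ldap.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$d/server.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/server.pem" >/dev/null 2>&1
    cat "$d/server.pem" "$d/root.pem" > "$d/chain.pem"
}

# Run with --demo to see the checks against the constructed PKI.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_demo_pki "$work"
    echo "certificates in chain: $(split_pem_bundle "$work/chain.pem" "$work/split")"
    echo "root CA is: $(find_root_ca "$work/split")"
    key_matches_cert "$work/server.key" "$work/server.pem" && echo "server key matches server cert"
    key_matches_cert "$work/server.key" "$work/root.pem" || echo "server key does NOT match root CA"
fi
```

Feed `split_pem_bundle` the file you were about to paste into the CA form and import only the file `find_root_ca` names; the serial number field has no bearing on trust for an imported CA, which is why an arbitrary value worked in the thread.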