[UniMacTech] leopard RFC 2307 authentication issue ?

Peter Varitimidis Peter.Varitimidis at rmit.edu.au
Thu Nov 15 11:20:28 EST 2007


On 14/11/2007, at 4:32 PM, Peter Varitimidis wrote:

>
> On 14/11/2007, at 3:39 AM, Nigel Kersten wrote:
>
>>
>> On Nov 12, 2007, at 4:12 PM, Kemal Demis wrote:
>>
>>> Thanks for the tip http://discussions.apple.com/thread.jspa?messageID=5799888 worked for me.
>>> I edited the TLS_REQCERT in /etc/openldap/ldap.conf and set it to TLS_REQCERT = never
>>> By default in Leopard, this is set to 'demand' (which is the openldap default), but in Tiger, it's set to 'never'.
>>> I then rebooted the machine, and now LDAP and E-Directory authentication works in Leopard.
>>
>> So I would suggest running something like:
>>
>> openssl s_client -showcerts -connect your.ldap.server:636
>>
>> and check whether openssl complains.
>>
>> If you copy/paste the certs from this output and trust them in the  
>> System keychain and it still doesn't work... file a bug report,  
>> and file impact data along with the bug report
>>
>> I'm seeing bugs with certain root authorities that the OS should  
>> trust but doesn't wrt DirectoryServices.
>>
>> This isn't ideal having to switch Leopard clients to a more  
>> insecure mode, and we should get Apple to fix it.
>>
>
> I am able to replicate this on eDir 8.739 Netware 6.5 sp6
>
> 10.5 clients can now bind over SSL, and the ldap.conf file set  
> to TLS_REQCERT = demand
>
> The certificates in Keychain are not respected.
>


Working with the Novell System Administrator here, these are the  
steps we used.

1. Export the self signed CA certificate of your LDAP directory (or  
the CA that signed the server certificate you are using) and convert  
it to PEM format. Did this by adding the CA cert to the System  
Keychain and then exporting the certificate in PEM format.

Copy ca_cert.pem to the openSSL certificate store
    cp ca_cert.pem /System/Library/OpenSSL/certs

Find the hash value of the certificate
    openssl x509 -noout -hash -in ca_cert.pem
This will output a number which is a hash of the name and serial  
number of the certificate. Create a symbolic link to the ca_cert.pem  
as <hash>.0 e.g. 5432ac1f.0
    cd /System/Library/OpenSSL/certs
    ln -s ca_cert.pem 5432ac1f.0

The symbolic link must be for the hashed value above plus ".0" - if  
you forget the .0 then OpenSSL won't detect it.

Your LDAP directory CA is now installed as a trusted CA in the  
openSSL framework.

2. Edit /etc/openldap/ldap.conf
    #
    # LDAP Defaults
    #

    # See ldap.conf(5) for details
    # This file should be world readable but not world writable.

    #BASE	o=my_org
    #URI	ldap://ldap.example.com ldap://ldap-master.example.com:666

    #SIZELIMIT	12
    #TIMELIMIT	15
    DEREF		never
    REFERRALS       off

    TLS_REQCERT	demand
    #TLS_REQCERT	never
    #TLS_REQCERT	allow

    TLS_CACERTDIR /System/Library/OpenSSL/certs
    # Specifies the path of a directory that contains Certificate
    # Authority certificates in separate individual files.
    # The TLS_CACERT is always used before TLS_CACERTDIR.

3. Configure your LDAP directory server in DNS and use a DNS based  
certificate for the LDAP server. For Novell eDirectory, make sure the  
LDAP server object is configured to use the "SSL CertificateDNS".

4. Configure the Directory Utility application to use the DNS name of  
your LDAP server that matches the server certificate CN.
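
As an added example (not from this post, nor Apple's or Novell's code), a shell script that automates step 1 and covers two details the steps above leave out: it links both the old MD5-style subject hash that Leopard's OpenSSL 0.9.7 uses and the SHA-1-style one that OpenSSL 1.0 and later use, and it picks the next free `.N` suffix when a different CA already occupies `<hash>.0`. `install_ca`, `next_slot` and `verify_chain` are my names; `verify_chain` uses `openssl verify -CApath` to exercise the same hashed-directory lookup libldap relies on with `TLS_REQCERT demand`.

```shell
#!/bin/sh
# install_ca <ca_cert.pem> <certs_dir>: copy a CA certificate into an OpenSSL
# hashed certificate directory (e.g. /System/Library/OpenSSL/certs) and create
# the <hash>.N symlinks that libldap needs for TLS_REQCERT demand.

# next_slot <hash> <dir> <target>: first free "<hash>.N" in <dir>; if an existing
# link already points at the same certificate the script is idempotent.
next_slot() {
    hash=$1; dir=$2; target=$3; i=0
    while [ -e "$dir/$hash.$i" ]; do
        if cmp -s "$dir/$hash.$i" "$target"; then
            echo "$dir/$hash.$i"; return 0     # already installed
        fi
        i=$((i + 1))    # a different CA shares this hash: use the next index
    done
    echo "$dir/$hash.$i"
}

install_ca() {
    pem=$1; dir=$2
    mkdir -p "$dir"
    base=$(basename "$pem")
    cp "$pem" "$dir/$base"
    # OpenSSL 0.9.x (Leopard) hashes the subject with MD5; 1.0+ with SHA-1.
    # Link both names so whichever library does the lookup finds the file.
    new_hash=$(openssl x509 -noout -subject_hash -in "$pem")
    old_hash=$(openssl x509 -noout -subject_hash_old -in "$pem" 2>/dev/null || true)
    for h in $new_hash $old_hash; do
        link=$(next_slot "$h" "$dir" "$dir/$base")
        [ -e "$link" ] || ln -s "$base" "$link"   # relative link, as in the post
    done
}

# verify_chain <cert.pem> <certs_dir>: non-zero exit if the CA is not trusted.
verify_chain() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}
```

`openssl verify` checks only the chain; the CN match against the DNS name in step 4 is enforced separately by libldap when it connects.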
