[Pkg-openldap-devel] Bug#370337: Fwd: Re: Make /etc/default/slapd automatically configurable

Petter Reinholdtsen pere at hungry.com
Thu Dec 29 21:10:29 UTC 2016


[Ryan Tandy]
> It looks like it's possible using gnutls-cli >= 3.5.0.
>
> gnutls-cli -p 389 --x509cafile /etc/ldap/certs/ca.crt
> --starttls-proto=ldap --save-cert=ldap.example.org.crt
> ldap.example.org < /dev/null

Seems to work like a charm here:

% gnutls-cli -p 389 --x509cafile /etc/ldap/certs/ca.crt \
  --starttls-proto=ldap   --save-cert=ldap.example.org.crt \
  192.168.1.16 < /dev/null
Error setting the x509 trust file
Resolving '192.168.1.16:389'...
Connecting to '192.168.1.16:389'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `EMAIL=postmaster at postoffice.intern,CN=tjener.intern,OU=Automatically-generated LDAP SSL key,O=LDAP server,L=Skolen,ST=NA,C=NO', issuer `EMAIL=postmaster at postoffice.intern,CN=tjener.intern,OU=Automatically-generated LDAP SSL key,O=LDAP server,L=Skolen,ST=NA,C=NO', serial 0x00cbe2455339cab094, RSA key 1024 bits, signed using RSA-SHA1, activated `2012-02-02 17:24:28 UTC', expires `2022-01-30 17:24:28 UTC', key-ID `sha256:9885ac708688fa6fe941371a32ecdec6891a428647932e72ae9b01bc0075420a'
        Public Key ID:
                sha1:995429e2f6e72af62e353d864e8c276249ad0c25
                sha256:9885ac708688fa6fe941371a32ecdec6891a428647932e72ae9b01bc0075420a
        Public key's random art:
                +--[ RSA 1024]----+
                |          ..     |
                |  E . . ...      |
                |   o o ...       |
                |  . . +. o       |
                |   + + +So       |
                |    * o O =      |
                |   . . * = .     |
                |      + . .      |
                |     . =+.       |
                +-----------------+

- Status: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.
% diff -ur ~/ldap.example.org.crt /etc/ldap/ssl/ldap-server-pubkey.pem 
%

I guess this means we can change /etc/init.d/fetch-ldap-cert and stop
editing /etc/default/slapd.

-- 
Happy hacking
Petter Reinholdtsen
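As an added example (not part of this thread or of the fetch-ldap-cert script), the same fetch done by hand: send the RFC 4511 StartTLS extended request on port 389, check the ExtendedResponse resultCode, upgrade the socket and read the DER certificate the server presents, which can then be compared with the out-of-band copy exactly as the diff above does. The host name and the constructed response bytes are assumptions; verification is deliberately off because the point of the call is to obtain the certificate.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation

def ber_len(n):
    """Encode a BER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def build_starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID
    ext = b"\x77" + ber_len(len(name)) + name
    mid = b"\x02\x01" + bytes([msg_id])
    return b"\x30" + ber_len(len(mid) + len(ext)) + mid + ext

def _tlv(buf, pos):
    """Read one BER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_starttls_response(resp, msg_id=1):
    """Return the resultCode from an ExtendedResponse [APPLICATION 24]; 0 is success."""
    tag, body, _ = _tlv(resp, 0)
    mid_tag, mid, pos = _tlv(body, 0)
    ext_tag, ext, _ = _tlv(body, pos)
    code_tag, code, _ = _tlv(ext, 0)
    if (tag, mid_tag, ext_tag, code_tag) != (0x30, 0x02, 0x78, 0x0A):
        raise ValueError("not an LDAP ExtendedResponse")
    if int.from_bytes(mid, "big") != msg_id:
        raise ValueError("messageID mismatch")
    return int.from_bytes(code, "big")

def fetch_server_cert_der(host, port=389, timeout=10):
    """StartTLS, then return the leaf certificate (DER) the server presents.
    Verification is off on purpose: the result must be compared with a copy
    obtained out of band (the diff in the mail above) before it is trusted."""
    with socket.create_connection((host, port), timeout) as sock:
        sock.sendall(build_starttls_request())
        if (code := parse_starttls_response(sock.recv(4096))) != 0:
            raise RuntimeError(f"StartTLS refused, resultCode={code}")
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)
```

`hashlib.sha256(fetch_server_cert_der("ldap.example.org")).hexdigest()` gives a fingerprint of the whole certificate, which is not the same value as the `key-ID` gnutls-cli prints (that one hashes the public key only).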


