During my preparation for the RHCSA+RHCE exams (I have to recertify, as I passed my previous RHCE on RHEL4) I encountered some serious problems with SSL and the OpenLDAP (slapd) server.
I created a self-signed certificate:
openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapd.crt -keyout /etc/pki/tls/certs/slapd.key -days 365
and added the following lines to /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif:
olcTLSCACertificateFile: /etc/pki/tls/certs/slapd.crt
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapd.key
Everything seemed to work fine, but I couldn't query LDAP using an ldaps:// URI – I got the following error message:
ldapsearch -x -H ldaps://localhost -b 'dc=example,dc=com'
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
After a short but intensive investigation, reading dozens of howto pages, I found the cause – it turned out that in RHEL6 you can't simply use self-signed certificates. Well, maybe it's not that they forbid you to do this, but it's not as simple as it was in previous versions. Now you have to explicitly add your certificate on the client side so that it is no longer unknown. There's even more – you have to set the Common Name field of the certificate so that it exactly matches your server's name.
So eventually, to solve this issue, I had to configure the LDAP tools/clients and add the path to the server's certificate to /etc/openldap/ldap.conf:
TLS_CACERT /etc/pki/tls/certs/slapd.crt
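The two things that had to line up above (the client trusting the certificate, and the Common Name matching the server name in the ldaps:// URI) can be checked before touching slapd. The following script is an added example and not part of the original post; it assumes openssl is installed and writes its files to a temporary directory instead of /etc/pki/tls/certs.

```shell
#!/bin/sh
# Added example (not from the original post): create a self-signed slapd
# certificate with the CN set to the server name, then run the two checks
# behind the "Can't contact LDAP server" failure described above:
#   1. would a client using this file as TLS_CACERT trust the server cert?
#   2. does the certificate CN match the name used in the ldaps:// URI?
# Assumption: openssl is available; WORK is a constructed scratch directory.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Same command shape as the post, but non-interactive: -subj fixes the CN.
make_cert() {
    name="$1"
    openssl req -new -x509 -nodes -days 365 \
        -subj "/CN=$name" \
        -out "$WORK/slapd.crt" -keyout "$WORK/slapd.key" 2>/dev/null
}

# Check 1: verify the certificate against itself as the CA file, which is
# exactly what the ldap.conf line "TLS_CACERT <cert>" asks the client to do.
check_trust() {
    openssl verify -CAfile "$WORK/slapd.crt" "$WORK/slapd.crt" >/dev/null 2>&1 \
        && echo ok || echo untrusted
}

# Extract the CN from the certificate subject (RFC2253 form: CN=name,...).
cert_cn() {
    openssl x509 -in "$WORK/slapd.crt" -noout -subject -nameopt RFC2253 \
        | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Check 2: compare the CN with the host name the client will put in the URI.
check_name() {
    [ "$(cert_cn)" = "$1" ] && echo ok || echo mismatch
}

# Write the client-side line from the post, pointing at this certificate.
write_client_conf() {
    printf 'TLS_CACERT %s\n' "$WORK/slapd.crt" > "$WORK/ldap.conf"
    cat "$WORK/ldap.conf"
}
```

Querying ldaps://localhost while the CN is the machine's FQDN is the "mismatch" case; the URI host and the CN have to be the same string.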
So nothing is the same now – RHEL6 brings new features, new tools and new problems.
It's time to learn and adapt.