Failure to use certificate files provided during LDAP config

Hi

I’m running SLES 12 SP1, and am trying to set up use of TLS on my LDAP server.

I’ve used YaST → ‘Security and Users’ → ‘CA Management’ to create a CA called ‘YaST_Default_CA’, executed the ‘Add Server Certificate’ wizard to create a server certificate with the common name being the FQDN of the server. Using YaST, I have exported the CA certificate, the certificate and certificate key file as separate PEM-format files.

Now, in YaST → ‘Network Services’ → ‘Authentication Server’, I want to use this certificate in the LDAP server.

In ‘Startup Configuration’, I have enabled (in ‘Protocol Listeners’) both ‘LDAP’ and ‘LDAP over SSL’.

In ‘Global Settings’ → ‘TLS Settings’, in the ‘Basic Settings’ section, I have selected ‘Enable TLS’. ‘Enable LDAP over SSL (ldaps) interface’ is also enabled. I browsed to three separate files containing the CA certificate file, the certificate file and the certificate key file. When I clicked on ‘Ok’, I got the popup message:

‘Other (e.g., implementation specific) error:’

That’s all that appeared in the error message popup. And I didn’t see anything useful written in /var/log/messages.

This is clearly a bug to me (if only because the error message is outstandingly unuseful).

Beyond getting the error message fix and/or some useful information written to /var/log/messages, what can I do to triage this error, and move to a solution?

Thanks
tl

cat /etc/os-release

NAME="SLES"
VERSION="12-SP1"
VERSION_ID="12.1"
PRETTY_NAME="SUSE Linux Enterprise Server 12 SP1"
ID="sles"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:

Hi tl,

[QUOTE=tlemons;39947]Hi

I’m running SLES 12 SP1, and am trying to set up use of TLS on my LDAP server.

I’ve used YaST → ‘Security and Users’ → ‘CA Management’ to create a CA called ‘YaST_Default_CA’, executed the ‘Add Server Certificate’ wizard to create a server certificate with the common name being the FQDN of the server. Using YaST, I have exported the CA certificate, the certificate and certificate key file as separate PEM-format files.[/QUOTE]

I found your other question, where you mention that using the common server certificate is unavailable… just adding here for those like me, that wonder why you didn’t try to use the common server cert. :wink:

Could you please share the details of the certificate, i.e. derived from “openssl x509 -text -noout -in ”? I’d be especially interested in things like “key usage” while (to me) DNS names or contact information are less important and can be removed before posting here…

[QUOTE=tlemons;39947]Now, in YaST → ‘Network Services’ → ‘Authentication Server’, I want to use this certificate in the LDAP server.

In ‘Startup Configuration’, I have enabled (in ‘Protocol Listeners’) both ‘LDAP’ and ‘LDAP over SSL’.[/QUOTE]

Have you tried this without LDAP over SSL? ldaps:// is deprecated in favor of Start TLS [RFC2830].

[QUOTE=tlemons;39947]In ‘Global Settings’ → ‘TLS Settings’, in the ‘Basic Settings’ section, I have selected ‘Enable TLS’. ‘Enable LDAP over SSL (ldaps) interface’ is also enabled. I browsed to three separate files containing the CA certificate file, the certificate file and the certificate key file. When I clicked on ‘Ok’, I got the popup message:

‘Other (e.g., implementation specific) error:’

That’s all that appeared in the error message popup. And I didn’t see anything useful written in /var/log/messages.

This is clearly a bug to me (if only because the error message is outstandingly unuseful).[/QUOTE]

Have you thus opened a service request for this? These forums aren’t officially monitored by SUSE, but rather for peer2peer support.

This may be related to the server certificate, but I cannot tell if the message results from starting the LDAP server or already occurs during the configuration phase. A look at /var/log/YaST2/y2log may help to clear that up.

Regards,
J
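
Building on the reply's request to inspect the certificate with openssl, the following is an added example (not part of the thread, and not YaST's own logic) that goes a step further and checks the three exported PEM files against each other: each file parses, the key matches the certificate, the certificate chains to the CA, and its key usage permits TLS server use. It assumes the `openssl` command-line tool is installed; the file names are whatever the exported files were called.

```shell
#!/bin/sh
# Added example, not from the thread: consistency checks for the three PEM
# files handed to the TLS settings dialog. The file names passed as arguments
# are whatever names the exported files were given (assumed, not from the post).

# check_ldap_tls_files CA_CERT SERVER_CERT SERVER_KEY
# Prints one line per finding; returns 0 only if every check passes.
check_ldap_tls_files() {
    ca=$1; cert=$2; key=$3; rc=0

    # 1. Each file must parse as the PEM object it is supposed to hold.
    #    "-passin pass:" makes an encrypted key fail instead of prompting.
    openssl x509 -noout -in "$ca" 2>/dev/null ||
        { echo "FAIL: $ca is not a PEM certificate"; rc=1; }
    openssl x509 -noout -in "$cert" 2>/dev/null ||
        { echo "FAIL: $cert is not a PEM certificate"; rc=1; }
    openssl pkey -noout -in "$key" -passin pass: 2>/dev/null ||
        { echo "FAIL: $key is not an unencrypted PEM private key"; rc=1; }
    [ "$rc" -eq 0 ] || return 1

    # 2. The key must belong to the certificate: both public keys must match.
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert")
    key_pub=$(openssl pkey -pubout -in "$key" -passin pass:)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: private key does not match server certificate"; rc=1; }

    # 3. The server certificate must chain to the exported CA certificate.
    #    Match on the output text rather than relying on the exit status.
    openssl verify -CAfile "$ca" "$cert" 2>&1 | grep -q ': OK$' ||
        { echo "FAIL: $cert does not verify against $ca"; rc=1; }

    # 4. Key usage / extended key usage must allow TLS server use.
    openssl x509 -noout -purpose -in "$cert" | grep -q '^SSL server : Yes' ||
        { echo "FAIL: certificate is not valid for the SSL server purpose"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: CA, certificate and key are consistent"
    return "$rc"
}

# Stand-alone use: sh check.sh ca.pem server.pem server.key
if [ "$#" -eq 3 ]; then check_ldap_tls_files "$@"; fi
```

A pass here rules out the files themselves, which leaves the configuration step and /var/log/YaST2/y2log as the place to look next.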