I've been setting up a new 12.3 system. I've been trying to configure LDAP/TLS and there's always something wrong.
I've been having to debug things for a couple of days now, never seeming to get closer to a stable system. Any help gratefully received.
- I use CAcert as a certificate authority for my domain name. I've installed the CAcert root certificates and have my current server certificate.
- I've used openssl to make a PKCS12 certificate out of the CAcert root certificate and imported it as a common server certificate. It imports OK and shows the correct information.
- I've added the CAcert root certificate as a certificate authority in the CA management screens
- I try to enable TLS using the yast LDAP server screens. The use common certificate box is greyed out and I can't enable it, even though I've installed the certificate.
- If I manually set up the authority and server certificate, I can no longer start LDAP. It fails with an error of "TLS init def ctx failed: -1" and stops. The only way to get it started again is to set it up without TLS.
- The documentation for the yast LDAP client is out of date. The SSL/TLS dialog box talks about a CA certificate URL for download. You're supposed to put in a URL, but there's no information on what that URL should be, and openSUSE 12.3: Chapter 4. LDAP—A Directory Service is out of date.
- And just to cap it off, sssd authentication seems to require TLS -- you get an operation not supported error -- which means that it's not possible to set up user management in LDAP without TLS. I've worked around that by adding pam_ldap to /etc/pam.d/common-auth-pc before pam_sss but it's hardly ideal.
- Setting up things like the mail server and so on is stalled until I can work this out, since the configuration dialogs seem to want TLS.
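A "TLS init def ctx failed" error at slapd startup usually means the server could not load its TLS material before listening, and the two most common reasons are a certificate/key pair that does not match (or is not PEM at all) and a private key that root can read but the unprivileged ldap user cannot. The checker below is an added example written for this post, not code from openSUSE, YaST or OpenLDAP; it uses only the Python standard library and is meant to be run against the three paths (certificate, key, CA bundle) that slapd is configured with, together with the uid/gid that slapd actually runs as. The file names and the `demo()` fixtures are constructed placeholders, and the permission check looks only at POSIX mode bits (ACLs and AppArmor are out of scope).

```python
import os
import ssl
import stat
from tempfile import TemporaryDirectory


def readable_by(path, uid, gid):
    """True if a process with this uid/gid can read path, judged by POSIX mode bits only."""
    st = os.stat(path)
    if uid == 0:                      # root bypasses mode bits
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def check_tls_material(cert, key, ca, uid, gid):
    """Return a list of human-readable findings; an empty list means nothing obviously wrong.

    Mirrors what a TLS server must do at init: find and read each file, then parse the
    certificate/key pair and the CA bundle. Each failure mode reports separately.
    """
    findings = []
    usable = {}
    for label, path in (("certificate", cert), ("private key", key), ("CA bundle", ca)):
        if not os.path.isfile(path):
            findings.append(f"{label} {path} does not exist")
            usable[label] = False
        elif not readable_by(path, uid, gid):
            findings.append(f"{label} {path} is not readable by uid {uid}/gid {gid}")
            usable[label] = False
        else:
            usable[label] = True

    # A key that anyone on the host can read is a finding even if slapd starts fine.
    if usable["private key"] and os.stat(key).st_mode & stat.S_IROTH:
        findings.append(f"private key {key} is world-readable")

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if usable["certificate"] and usable["private key"]:
        try:
            ctx.load_cert_chain(cert, key)   # fails on non-PEM input or a mismatched pair
        except ssl.SSLError as exc:
            findings.append(f"certificate/key pair rejected: {exc}")
    if usable["CA bundle"]:
        try:
            ctx.load_verify_locations(ca)    # fails if the bundle holds no parseable certificate
        except ssl.SSLError as exc:
            findings.append(f"CA bundle rejected: {exc}")
    return findings


def demo():
    """Constructed fixtures: garbage PEM files in a temp dir, checked as two different users."""
    with TemporaryDirectory() as d:
        cert, key, ca = (os.path.join(d, n) for n in ("server.pem", "server.key", "ca.pem"))
        for p in (cert, key, ca):
            with open(p, "w") as fh:
                fh.write("not a certificate\n")
        os.chmod(cert, 0o644)
        os.chmod(key, 0o600)   # typical root-only key that an ldap service user cannot open
        os.chmod(ca, 0o644)
        # Scenario A: a service user that does not own the files (uid/gid shifted by one).
        as_service = check_tls_material(cert, key, ca, os.getuid() + 1, os.getgid() + 1)
        # Scenario B: the owner itself, with a CA path that was never installed.
        as_owner = check_tls_material(cert, key, os.path.join(d, "missing-ca.pem"),
                                      os.getuid(), os.getgid())
        return {"as_service": as_service, "as_owner": as_owner}


if __name__ == "__main__":
    for scenario, found in demo().items():
        print(scenario)
        for f in found:
            print("  -", f)
```

On a real host, call `check_tls_material()` with the paths from the server's TLS directives and the uid/gid of the account slapd runs under; a "not readable" finding on the key is the one to fix first, since the server never reaches the certificate checks without it.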