RE: SSL/TLS Ughh
That was it! I added the line to /export/openldap/etc/ldap.conf and now ldapsearch works!

I'm still having a problem on clients on other servers though. I have another server with pam_ldap (compiled against openldap 2.0.23-4) that authenticates fine against this directory when "ssl starttls" is not enabled in ldap.conf. When I enable "ssl starttls" in pam_ldap's ldap.conf though it stops working. I ran slapd with -d -1 and no real errors popped up (see attached debug info). Do I have to copy the CA certificate from the ldap server to the pam_ldap server? I haven't created CA certs or anything like that on the pam_ldap server. Do I have to?

I don't know if this has anything to do with it, but ldapsearch -Z -p 636 doesn't work (ssl not working?)

ldapsearch -h localhost -p 636 -LLL -b "dc=mydomain,dc=com" -Z -s sub -x -D "uid=lee,ou=users,dc=mydomain,dc=com" -W "(uid=lee)" -d -1
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=ldap.mydomain.com
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 31 bytes to sd 3
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31  0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37  .4.1.1466.20037
ldap_write: want=31, written=31
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31  0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37  .4.1.1466.20037
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: localhost port: 636 (default)
refcnt: 2 status: Connected
last used: Mon Aug 26 15:46:32 2002
** Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ldap_read: want=9, got=0
ber_get_next failed.
ldap_perror
ldap_start_tls: Can't contact LDAP server (81)
Enter LDAP Password:
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_flush: 61 bytes to sd 3
0000: 30 3b 02 01 02 60 36 02 01 03 04 24 75 69 64 3d  0;...`6....$uid=
0010: 6c 65 65 2c 6f 75 3d 75 73 65 72 73 2c 64 63 3d  lee,ou=users,dc=
0020: 74 65 72 61 62 6f 6c 69 63 2c 64 63 3d 63 6f 6d  myorganiz,dc=com
0030: 80 0b 74 65 6c 6e 65 74 20 70 6f 6f 70  ..telnet poop
ldap_write: want=61 error=Broken pipe
ldap_free_request (origid 2, msgid 2)
ldap_free_connection
ldap_free_connection: refcnt 2
ldap_perror
ldap_bind: Can't contact LDAP server (81)
Thanks again for all your help,
Lee

-- Here is the debug info when trying to connect from the pam_ldap box:
daemon: new connection on 13
ldap_pvt_gethostbyname_a: host=ldapserver.mydomain.com, r=0
daemon: conn=0 fd=13 connection from IP=192.168.0.31:32848 (IP=0.0.0.0:389) accepted.
daemon: added 13r
daemon: activity on:
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 13r
daemon: read activity on 13
connection_get(13)
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
ber_get_next
ldap_read: want=9, got=9
0000: 30 1d 02 01 01 77 18 80 16 0....w...
ldap_read: want=22, got=22
0000: 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 36  1.3.6.1.4.1.1466
0010: 2e 32 30 30 33 37  .20037
ber_get_next: tag 0x30 len 29 contents:
ber_dump: buf=0x081699c0 ptr=0x081699c0 end=0x081699dd len=29
0000: 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34  ...w...1.3.6.1.4
0010: 2e 31 2e 31 34 36 36 2e 32 30 30 33 37  .1.1466.20037
ber_get_next
ldap_read: want=9 error=Resource temporarily unavailable
ber_get_next on fd 13 failed errno=11 (Resource temporarily unavailable)
do_extended
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: select: listen=7 active_threads=1 tvp=NULL
ber_scanf fmt ({m) ber:
ber_dump: buf=0x081699c0 ptr=0x081699c3 end=0x081699dd len=26
0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e  w...1.3.6.1.4.1.
0010: 31 34 36 36 2e 32 30 30 33 37  1466.20037
do_extended: oid=1.3.6.1.4.1.1466.20037
send_ldap_extended err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 13
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00
0....x........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00
0....x........
daemon: activity on 1 descriptors
daemon: activity on: 13r
daemon: read activity on 13
connection_get(13)
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
0000: 80 7a 01 03 01 00 51 00 00 00 20 .z....Q...
tls_read: want=113, got=113
0000: 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00 66 00  ..............f.
0010: 00 05 00 00 04 03 00 80 01 00 80 08 00 80 00 00  ................
0020: 65 00 00 64 00 00 63 00 00 62 00 00 61 00 00 60  e..d..c..b..a..`
0030: 00 00 15 00 00 12 00 00 09 06 00 40 00 00 14 00  ...........@....
0040: 00 11 00 00 08 00 00 06 00 00 03 04 00 80 02 00  ................
0050: 80 c6 91 39 7d 57 6d 33 e7 88 70 6e dd fd 62 d6  ...9}Wm3..pn..b.
0060: b2 9f 7d b0 73 02 25 eb b2 c8 1d 00 b1 15 b1 b5  ..}.s.%.........
0070: ef  .
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=1138, written=1138
0000: 16 03 01 00 4a 02 00 00 46 03 01 3d 6a 81 48 53  ....J...F..=j.HS
0010: fb db bd 8f fe 9a dc 38 ff c4 23 2c 0c c9 a4 8f  .......8..#,....
0020: 03 0b 2a e5 14 51 bc 67 3a 71 f5 20 bc 35 32 31  ..*..Q.g:q. .521
0030: 07 fe 7b 24 2a b3 35 1f 89 0e 93 79 5f 45 5a 29  ..{$*.5....y_EZ)
0040: 66 99 37 86 be d3 d1 52 12 80 31 70 00 0a 00 16  f.7....R..1p....
0050: 03 01 04 15 0b 00 04 11 00 04 0e 00 04 0b 30 82  ..............0.
0060: 04 07 30 82 03 70 a0 03 02 01 02 02 01 01 30 0d  ..0..p........0.
0070: 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 81 ab  ..*.H........0..
0080: 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 11 30  1.0...U....US1.0
0090: 0f 06 03 55 04 08 13 08 4e 65 77 20 59 6f 72 6b  ...U....New York
00a0: 31 11 30 0f 06 03 55 04 07 13 08 4e 65 77 20 59  1.0...U....New Y
00b0: 6f 72 6b 31 17 30 15 06 03 55 04 0a 13 0e 54 65  ork1.0...U....Te
00c0: 72 61 62 6f 6c 69 63 2c 20 4c 4c 43 31 13 30 11  rabolic, LLC1.0.
00d0: 06 03 55 04 0b 13 0a 54 65 63 68 6e 6f 6c 6f 67  ..U....Technolog
00e0: 79 31 20 30 1e 06 03 55 04 03 13 17 74 72 61 70  y1 0...U........
00f0: 65 7a 69 75 73 2e 74 65 72 61 62 6f 6c 69 63 2e  ldap.mydomain...
0100: 63 6f 6d 31 26 30 24 06 09 2a 86 48 86 f7 0d 01  com1&0$..*.H....
0110: 09 01 16 17 77 65 62 6d 61 73 74 65 72 40 74 65  ....webmaster@..
0120: 72 61 62 6f 6c 69 63 2e 63 6f 6d 30 1e 17 0d 30  mydomain.com...0
0130: 32 30 38 32 36 30 30 35 35 31 33 5a 17 0d 30 33  20826005513Z..03
0140: 30 38 32 36 30 30 35 35 31 33 5a 30 81 ab 31 0b  0826005513Z0..1.
0150: 30 09 06 03 55 04 06 13 02 55 53 31 11 30 0f 06  0...U....US1.0..
0160: 03 55 04 08 13 08 4e 65 77 20 59 6f 72 6b 31 11  .U....New York1.
0170: 30 0f 06 03 55 04 07 13 08 4e 65 77 20 59 6f 72  0...U....New Yor
0180: 6b 31 17 30 15 06 03 55 04 0a 13 0e 54 65 72 61  k1.0...U....My O
0190: 62 6f 6c 69 63 2c 20 4c 4c 43 31 13 30 11 06 03  Orgnaizatio.0...
01a0: 55 04 0b 13 0a 54 65 63 68 6e 6f 6c 6f 67 79 31  U....Technology1
01b0: 20 30 1e 06 03 55 04 03 13 17 74 72 61 70 65 7a  0...U....ldap..
01c0: 69 75 73 2e 74 65 72 61 62 6f 6c 69 63 2e 63 6f  mydomain.com....
01d0: 6d 31 26 30 24 06 09 2a 86 48 86 f7 0d 01 09 01  m1&0$..*.H......
01e0: 16 17 77 65 62 6d 61 73 74 65 72 40 74 65 72 61  ..webmaster@tera
01f0: 62 6f 6c 69 63 2e 63 6f 6d 30 81 9f 30 0d 06 09  bolic.com0..0...
0200: 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30  *.H............0
0210: 81 89 02 81 81 00 c8 20 25 78 15 6c 2a 3b c3 57  ....... %x.l*;.W
0220: db b1 0b a7 8f 30 4c 5f a1 d8 cb 1a 80 61 8d 8d  .....0L_.....a..
0230: f2 c4 fa c8 94 5c 4b 83 2a 7c 42 57 f2 b7 c2 7d  .....\K.*|BW...}
0240: a3 44 2b 82 a9 bb d2 00 b9 9d 46 9d 3d 31 4c a4  .D+.......F.=1L.
0250: 4c 21 5e a7 7f 63 f5 83 14 5f 97 30 22 db 86 11  L!^..c..._.0"...
0260: 99 f8 96 c6 ee 83 26 ae 37 fe 7d 5a 1f b0 2d cf  ......&.7.}Z..-.
0270: 04 36 c1 b3 30 dc 7f 15 ed f2 65 62 a5 81 f4 2e  .6..0.....eb....
0280: f4 2c 9a 13 1c fe a3 07 28 48 e5 58 67 b6 bd 85  .,......(H.Xg...
0290: 7b fc 05 1f e6 51 02 03 01 00 01 a3 82 01 37 30  {....Q........70
02a0: 82 01 33 30 09 06 03 55 1d 13 04 02 30 00 30 2c  ..30...U....0.0,
02b0: 06 09 60 86 48 01 86 f8 42 01 0d 04 1f 16 1d 4f  ..`.H...B......O
02c0: 70 65 6e 53 53 4c 20 47 65 6e 65 72 61 74 65 64  penSSL Generated
02d0: 20 43 65 72 74 69 66 69 63 61 74 65 30 1d 06 03   Certificate0...
02e0: 55 1d 0e 04 16 04 14 6f 76 bf 1a 7b 02 48 00 33  U......ov..{.H.3
02f0: 1d 3d 69 90 27 8b 19 03 5d 78 c2 30 81 d8 06 03  .=i.'...]x.0....
0300: 55 1d 23 04 81 d0 30 81 cd 80 14 f0 bf 59 9c 9d  U.#...0......Y..
0310: 64 53 93 e0 72 85 6d a0 73 92 2d 2e a6 d8 d3 a1  dS..r.m.s.-.....
0320: 81 b1 a4 81 ae 30 81 ab 31 0b 30 09 06 03 55 04  .....0..1.0...U.
0330: 06 13 02 55 53 31 11 30 0f 06 03 55 04 08 13 08  ...US1.0...U....
0340: 4e 65 77 20 59 6f 72 6b 31 11 30 0f 06 03 55 04  New York1.0...U.
0350: 07 13 08 4e 65 77 20 59 6f 72 6b 31 17 30 15 06  ...New York1.0..
0360: 03 55 04 0a 13 0e 54 65 72 61 62 6f 6c 69 63 2c  .U....MyOrganzi,
0370: 20 4c 4c 43 31 13 30 11 06 03 55 04 0b 13 0a 54   LLC1.0...U....T
0380: 65 63 68 6e 6f 6c 6f 67 79 31 20 30 1e 06 03 55  echnology1 0...U
0390: 04 03 13 17 74 72 61 70 65 7a 69 75 73 2e 74 65  ....ldap.myorgan
03a0: 72 61 62 6f 6c 69 63 2e 63 6f 6d 31 26 30 24 06  ization.com1&0$.
03b0: 09 2a 86 48 86 f7 0d 01 09 01 16 17 77 65 62 6d  .*.H........webm
03c0: 61 73 74 65 72 40 74 65 72 61 62 6f 6c 69 63 2e  aster@myorganiz.
03d0: 63 6f 6d 82 01 00 30 0d 06 09 2a 86 48 86 f7 0d  com...0...*.H...
03e0: 01 01 04 05 00 03 81 81 00 ab 74 87 e9 e8 48 e9  ..........t...H.
03f0: 1d 1d 06 2a 8d 57 bf ea a4 a1 d3 6e 39 0f 28 bf  ...*.W.....n9.(.
0400: 9d b6 df 37 a4 d9 93 1e 28 cd ec 33 3a ee cd 40  ...7....(..3:..@
0410: 11 5f 56 17 61 ea a4 a8 24 44 7c 16 86 e6 0c 2c  ._V.a...$D|....,
0420: c9 44 92 62 15 cc 39 76 5e d2 88 7d 4e 37 97 54  .D.b..9v^..}N7.T
0430: e7 92 54 ff 43 3d 84 57 f9 20 cb e8 f0 3c b5 cf  ..T.C=.W. ...<..
0440: 44 62 22 4b 28 dc 51 b2 6b b4 0f 27 6a 65 7a 43  Db"K(.Q.k..'jezC
0450: 67 aa e2 23 26 7e 29 5c 0a 8b 5f 47 cb 27 a6 9c  g..#&~)\.._G.'..
0460: 54 0c 95 3a 08 a3 c2 de b7 16 03 01 00 04 0e 00  T..:............
0470: 00 00  ..
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5, got=5
0000: 16 03 01 00 86 .....
tls_read: want=134, got=134
0000: 10 00 00 82 00 80 3a ae 5a af 10 e5 e6 16 8d c0  ......:.Z.......
0010: d7 8f 58 06 79 46 6e 05 73 50 5c 52 49 04 c5 37  ..X.yFn.sP\RI..7
0020: c0 f5 3f 1e 8c e8 75 88 f1 30 bb 6c d3 d9 0f 40  ..?...u..0.l...@
0030: db cf 71 22 dc ed 69 5a 4a 46 2c 5f 07 29 44 70  ..q"..iZJF,_.)Dp
0040: 4c a4 09 f8 ea ea d6 8e d4 67 25 ac b2 d1 c0 d8  L........g%.....
0050: 5f 37 eb 59 15 8e 1b d9 1a d4 d1 cd 5f 5d 76 5e  _7.Y........_]v^
0060: 09 4c 05 82 78 22 ee 99 c9 10 45 ff 3d 04 54 68  .L..x"....E.=.Th
0070: 8b 58 c1 83 55 6c 3c 5e 6b 4c d6 dd 10 09 04 c5  .X..Ul<^kL......
0080: f0 74 f9 27 2b fd  .t.'+.
TLS trace: SSL_accept:SSLv3 read client key exchange A
tls_read: want=5, got=5
0000: 14 03 01 00 01 .....
tls_read: want=1, got=1
0000: 01 .
tls_read: want=5, got=5
0000: 16 03 01 00 28 ....(
tls_read: want=40, got=40
0000: 00 3d 32 a6 57 6b d9 e9 89 e3 07 16 ca 76 be 5a  .=2.Wk.......v.Z
0010: 71 02 f4 85 a9 bf f4 dd ab 18 7d 3e b3 e0 e0 20  q.........}>... 
0020: 41 ad 95 1a f5 51 03 21  A....Q.!
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
tls_write: want=51, written=51
0000: 14 03 01 00 01 01 16 03 01 00 28 9f 73 9b 51 45  ..........(.s.QE
0010: 1a fa 8e e0 97 a4 b3 72 ac 8d b8 5b 39 2e 38 01  .......r...[9.8.
0020: f5 bb 8e cf 6c b1 cf c2 59 cd 78 90 e7 0d fa 5c  ....l...Y.x....\
0030: e6 33 60  .3`
TLS trace: SSL_accept:SSLv3 flush data
connection_read(13): unable to get TLS client DN error=49 id=0
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 13r
daemon: read activity on 13
connection_get(13)
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
ber_get_next
tls_read: want=5, got=5
0000: 17 03 01 00 20 ....
tls_read: want=32, got=32
0000: 1d 68 08 f1 76 db c1 76 be e0 08 8d 2d 12 6b 5e  .h..v..v....-.k^
0010: 8d e1 42 0c 5c 3d 12 4f 38 a2 4d 45 2d 92 49 ad  ..B.\=.O8.ME-.I.
ldap_read: want=9, got=7
0000: 30 05 02 01 02 42 00 0....B.
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf=0x081661b8 ptr=0x081661b8 end=0x081661bd len=5
0000: 02 01 02 42 00 ...B.
ber_get_next
tls_read: want=5, got=5
0000: 15 03 01 00 18 .....
tls_read: want=24, got=24
0000: ce c3 ea 00 4b 1e 08 5b 62 2d 84 a7 ca 2d c7 0e  ....K..[b-...-..
0010: 3e f9 98 1c 94 d2 52 69  >.....Ri
TLS trace: SSL3 alert read:warning:close notify
ldap_read: want=9, got=0
ber_get_next on fd 13 failed errno=0 (Success)
connection_read(13): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=13 for close
connection_close: deferring conn=0 sd=13
do_unbind
conn=0 op=1 UNBIND
connection_resched: attempting closing conn=0 sd=13
connection_close: conn=0 sd=13
daemon: removing 13
conn=0 fd=13 closed
tls_write: want=29, written=29
0000: 15 03 01 00 18 2f 6d 66 98 86 ec 4a a3 a0 2c 7a  ...../mf...J..,z
0010: cf 22 0e 6c 0f 7b e0 62 7c 64 69 7a f5  .".l.{.b|diz.
TLS trace: SSL3 alert write:warning:close notify
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: select: listen=7 active_threads=1 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: select: listen=7 active_threads=1 tvp=NULL
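The PDUs in the two traces above, decoded. This is an added example, not code from the thread or from OpenLDAP: a minimal BER reader for the handful of LDAP operations that ldapsearch and slapd print with -d -1. The StartTLS ExtendedRequest (tag 0x77, OID 1.3.6.1.4.1.1466.20037), the server's ExtendedResponse (tag 0x78, resultCode 0) and the UnbindRequest (tag 0x42) are copied byte for byte from the hex columns; the BindRequest is constructed here with an assumed DN and password rather than reused from the trace. The `cleartext_binds` check flags what the client trace shows: `ldap_start_tls` failed, yet ldapsearch went on to send a simple bind (tag 0x60, [0] simple credential) on the plain socket, so the password would have crossed the wire in clear had the socket still been open. `-Z` only attempts StartTLS; `-ZZ` makes the operation fail if StartTLS does not succeed.

```python
"""Minimal BER decoder for the LDAP PDUs that ldapsearch/slapd print with -d -1.

Added example for the thread; it is not part of OpenLDAP. Only the operations
seen in the traces (ExtendedRequest/Response, BindRequest, UnbindRequest) are
decoded.
"""
from typing import List, Tuple

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, contents, next_pos) for the BER element at buf[pos:]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length (0x81 xx, 0x82 xx xx)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def tlv(tag: int, body: bytes) -> bytes:
    """Encode one definite-length BER element (used to build the sample bind)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def decode_ldap_message(pdu: bytes) -> dict:
    """Decode LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE }."""
    tag, body, end = read_tlv(pdu)
    if tag != 0x30 or end != len(pdu):
        raise ValueError("expected exactly one LDAPMessage SEQUENCE")
    t, msgid, pos = read_tlv(body)
    if t != 0x02:
        raise ValueError("messageID must be INTEGER")
    msg = {"msgid": int.from_bytes(msgid, "big", signed=True)}
    op, opbody, _ = read_tlv(body, pos)
    if op == 0x60:                          # [APPLICATION 0] BindRequest
        _, version, p = read_tlv(opbody)
        _, name, p = read_tlv(opbody, p)
        atag, cred, _ = read_tlv(opbody, p)  # [0] simple password or [3] sasl
        msg.update(op="BindRequest", version=version[0], name=name.decode(),
                   auth="simple" if atag == 0x80 else "sasl",
                   credentials=cred if atag == 0x80 else None)
    elif op == 0x42:                        # [APPLICATION 2] UnbindRequest (NULL)
        msg.update(op="UnbindRequest")
    elif op == 0x77:                        # [APPLICATION 23] ExtendedRequest
        ntag, name, _ = read_tlv(opbody)
        if ntag != 0x80:                    # requestName [0] is mandatory
            raise ValueError("ExtendedRequest without requestName")
        msg.update(op="ExtendedRequest", oid=name.decode())
    elif op == 0x78:                        # [APPLICATION 24] ExtendedResponse
        _, rc, p = read_tlv(opbody)         # resultCode ENUMERATED
        _, matched, p = read_tlv(opbody, p)  # matchedDN
        _, diag, _ = read_tlv(opbody, p)    # diagnosticMessage
        msg.update(op="ExtendedResponse", result_code=rc[0],
                   matched_dn=matched.decode(), diagnostic=diag.decode())
    else:
        msg.update(op="unhandled", tag=op)
    return msg


def simple_bind_request(msgid: int, dn: str, password: str) -> bytes:
    """Build a v3 simple BindRequest with the same layout libldap emits."""
    bind = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msgid])) + tlv(0x60, bind))


def cleartext_binds(pdus: List[bytes]) -> List[int]:
    """msgids of simple binds sent before StartTLS had completed on the connection.

    A StartTLS request alone proves nothing; only a resultCode 0 response to it
    means the bytes that follow travel inside TLS.
    """
    pending, tls_up, leaked = {}, False, []
    for pdu in pdus:
        m = decode_ldap_message(pdu)
        if m["op"] == "ExtendedRequest":
            pending[m["msgid"]] = m["oid"]
        elif (m["op"] == "ExtendedResponse" and m["result_code"] == 0
              and pending.get(m["msgid"]) == STARTTLS_OID):
            tls_up = True
        elif m["op"] == "BindRequest" and m["auth"] == "simple" and not tls_up:
            leaked.append(m["msgid"])
    return leaked


# Bytes copied from the hex columns of the traces above (whitespace is ignored).
STARTTLS_REQUEST = bytes.fromhex(
    "30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37")
STARTTLS_RESPONSE = bytes.fromhex("30 0c 02 01 01 78 07 0a 01 00 04 00 04 00")
UNBIND_REQUEST = bytes.fromhex("30 05 02 01 02 42 00")
# Constructed sample with an assumed DN and password; the trace's bind is not reused.
BIND_REQUEST = simple_bind_request(2, "uid=lee,ou=users,dc=mydomain,dc=com", "hunter2")

if __name__ == "__main__":
    for pdu in (STARTTLS_REQUEST, STARTTLS_RESPONSE, BIND_REQUEST, UNBIND_REQUEST):
        print(decode_ldap_message(pdu))
    # The client trace: StartTLS request, no response, then a bind -> [2]
    print("binds sent in clear:", cleartext_binds([STARTTLS_REQUEST, BIND_REQUEST]))
    # A session where StartTLS succeeded before the bind -> []
    print("binds sent in clear:",
          cleartext_binds([STARTTLS_REQUEST, STARTTLS_RESPONSE, BIND_REQUEST]))
```

The server trace shows the other half of the same exchange: slapd answers the ExtendedRequest with `send_ldap_response: msgid=1 tag=120 err=0` (0x78 = 120), runs the TLS handshake, and then reads the UnbindRequest `30 05 02 01 02 42 00` through TLS before the client sends close_notify, which is the client giving up after it could not verify the server certificate.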
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Monday, August 26, 2002 4:11 PM
To: Lee Hoffman; openldap-software@OpenLDAP.org
Subject: RE: SSL/TLS Ughh
Try the ldapsearch with debug messages enabled. Just add "-d -1" to the command and see what is going on with the certificate verification. Also, since you have configured OpenLDAP to use /export/openldap/etc, you should have added the TLS_CACERT directive to /export/openldap/etc/ldap.conf. I don't know what your /etc/ldap.conf is for.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
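What the TLS_CACERT advice above comes down to on the client side, as an added example that is not part of the thread or of OpenLDAP: the script builds a throw-away CA and a server certificate signed by it with openssl (the equivalents of demoCA/cacert.pem, ldapkey.pem and ldapcert.pem in the thread), then verifies the server certificate the way libldap does during StartTLS, once with no CA file at all, which is the state of the pam_ldap box, and once against the CA file. The file names, the CA name and the CN ldap.mydomain.com are assumptions for the demo.

```sh
#!/bin/sh
# Added example, not from the thread or from OpenLDAP: build a demo CA and a
# CA-signed server cert, then show that a client cannot verify the server cert
# until it has the CA cert (TLS_CACERT). Names and paths are assumptions.

make_demo_pki() {            # $1 = work directory
    dir=$1
    cat > "$dir/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
subjectAltName = DNS:ldap.mydomain.com
EOF
    # CA key + self-signed CA cert: the demoCA/cacert.pem of the thread.
    openssl req -x509 -config "$dir/demo.cnf" -extensions v3_ca -days 1 \
        -newkey rsa:2048 -nodes -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" \
        -subj "/CN=Demo LDAP CA" >/dev/null 2>&1 || return 1
    # Server key + CSR (ldapkey.pem / newreq.pem), then the CA signs the CSR.
    openssl req -new -config "$dir/demo.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/ldapkey.pem" -out "$dir/newreq.pem" \
        -subj "/CN=ldap.mydomain.com" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/newreq.pem" -days 1 \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/demo.cnf" -extensions v3_server \
        -out "$dir/ldapcert.pem" >/dev/null 2>&1 || return 1
    chmod 0600 "$dir/ldapkey.pem" "$dir/cakey.pem"
}

# Chain the server certificate to a CA, as the client side of StartTLS does.
# $1 = server cert, $2 = CA file, or "" for a client with no TLS_CACERT at all.
verify_server_cert() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
    fi
}

demo() {
    work=$(mktemp -d) || return 1
    make_demo_pki "$work" || { echo "openssl failed"; return 1; }
    if verify_server_cert "$work/ldapcert.pem" ""; then
        echo "unexpected: chain verified with no CA"; return 1
    fi
    echo "no CA file:   certificate verify failed (what the pam_ldap box sees)"
    verify_server_cert "$work/ldapcert.pem" "$work/cacert.pem" || return 1
    echo "with CA file: OK, so copy cacert.pem to the client and point TLS_CACERT at it"
    rm -rf "$work"
}

demo
```

Two points that follow from this for the questions in Lee's message. First, the CA certificate (not the server key, not the server certificate) is what every client needs, so copying cacert.pem to the pam_ldap box and naming it in that box's configuration is required; note that PADL's pam_ldap/nss_ldap read their own /etc/ldap.conf, where the CA file is given with `tls_cacertfile`, which is separate from libldap's `TLS_CACERT` in OpenLDAP's ldap.conf. Second, `ldapsearch -Z -p 636` cannot work: -Z issues the StartTLS extended operation on a plaintext LDAP connection (port 389), whereas port 636 expects a TLS handshake before any LDAP bytes, so the server never answers. To test each path against a live server with recent OpenSSL: `openssl s_client -connect host:389 -starttls ldap -CAfile cacert.pem` for StartTLS and `openssl s_client -connect host:636 -CAfile cacert.pem` for ldaps, and in ldapsearch use `-H ldaps://host` for 636 and `-ZZ` (not `-Z`) for StartTLS so the search aborts instead of continuing in clear when TLS fails.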
> -----Original Message-----
> From: Lee Hoffman [mailto:lee_hoffman@brown.edu]
> Sent: Monday, August 26, 2002 1:03 PM
> To: 'Howard Chu'; openldap-software@OpenLDAP.org
> Subject: RE: SSL/TLS Ughh
>
>
> According to the updated section in the FAQ, all I need to do is add the following line to /etc/ldap.conf:
>
> TLS_CACERT /export/openldap/etc/demoCA/cacert.pem
>
> (slapd.conf's TLSCACertificateFile directive points to the file
> /export/openldap/etc/demoCA/cacert.pem also)
>
> I did that, and then restart slapd, same error though.
>
> What am I doing wrong?
>
> Sincerely,
> Lee
>
> This FAQ http://www.openldap.org/faq/index.cgi?file=185 has just been
> updated
> with an answer to your question.
>
> -- Howard Chu
> Chief Architect, Symas Corp. Director, Highland Sun
> http://www.symas.com http://highlandsun.com/hyc
> Symas: Premier OpenSource Development and Support
>
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Lee Hoffman
>
> Hey All,
> I'm using Openldap 2.1.4 on Redhat 7.3 w/ openssl-0.9.6b-28 (RPM). I compiled openldap -with-tls and it works fine without TLS/SSL.
>
> However when I try:
> ldapsearch -LLL -b "dc=mydomain,dc=com" -Z -s sub -x -D
> "uid=lee,ou=users,dc=mydomain,dc=com" -W "(uid=lee)"
>
> # I get the following errors:
> #
> # ldap_start_tls: Connect error (91)
> # additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> # Enter LDAP Password:
> # ldap_bind: Can't contact LDAP server (81)
> # additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> #
> #
>
> Without the -Z switch above, the ldapsearch works fine. Likewise I can
> successfully telnet to localhost on port ldaps.
>
> Based on the above errors, it seems like this is a certificate issue. I tried following the Openldap.org TLS/SSL FAQ for generating the certs and adding the necessary info to slapd.conf. That didn't fix the problem. I then used the commands below to try again. Still no luck, same errors above.
>
> Anyone have any ideas?
>
> Here is how I made the certificates the second time around:
>
> # From http://www.bolthole.com/solaris/LDAP.html
>
> ln -s /usr/bin/openssl ./
> ln -s /usr/share/ssl/misc/CA ./
> ./CA -newca
> ./CA -newreq
> ./CA -signreq
> openssl rsa -in newreq.pem -out ldapkey.pem
> chmod 0600 ldapkey.pem
> mv newcert.pem ldapcert.pem
> emacs /export/openldap/etc/slapd.conf
>
> #
> # Added the following to slapd.conf
> #
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile /usr/local/etc/openldap/ldapcert.pem
> TLSCertificateKeyFile /usr/local/etc/openldap/ldapkey.pem
> TLSCACertificateFile /usr/local/etc/openldap/demoCA/cacert.pem
>
> # Started slapd with the following command
> /usr/local/libexec/slapd -h "ldap:/// ldaps:///"
>
>
> Thanks,
> Lee
>