tls doesn't work
Hi,
I thought this would be easy :-)
I wanted to use TLS, but without using SASL (at least for now).
I created certificates for the server, and added the following to
slapd.conf:
TLSCertificateFile /etc/openldap/ldap_crt.pem
TLSCertificateKeyFile /etc/openldap/ldap_key.pem
TLSCACertificateFile /usr/local/ssl/ce3-CA/certs/cacert.pem
TLSCACertificatePath /usr/local/ssl/ce3-CA
TLSVerifyClient never
------------------------
In ldap.conf, the TLS/SSL related part looks like this:
# Netscape SDK LDAPS
#ssl on
# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
#ssl off
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
#tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
tls_cacertfile /usr/local/ssl/ce3-CA/certs/cacert.pem
tls_cacertdir /usr/local/ssl/ce3-CA
# SSL cipher suite
# See man ciphers for syntax
tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
------------------------
Then I try to use ldapsearch with the -Z switch, and I get:
ldap_initialize( <DEFAULT> )
ldap_start_tls: Connect error (91)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ldap_bind: Can't contact LDAP server (81)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
It works without the -Z switch.
One thing I suspect is (from Admin Guide)
"The DN of a server certificate must use the CN attribute to name the
server, and the CN must carry the server's fully qualified domain name "
Can somebody give an example of correct certificate parameters?
I use OpenSSL to create them.
Regards
Kuba
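The post asks what correct certificate parameters look like. The script below is an added example, not from the post or from OpenLDAP: it builds a test CA and a server certificate whose CN (and subjectAltName) is the server's FQDN, then runs the same chain check the client performs, which is what fails with "certificate verify failed" when the CA file the client is pointed at did not issue the server certificate. ldap.example.com, the "Example Org" names and the scratch directory are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: generate a CA-signed server
# certificate whose subject CN (and SAN) is the server's FQDN, then run the
# same chain check the LDAP client performs against the configured CA file.
# Assumptions (constructed): openssl is installed; ldap.example.com is a
# placeholder hostname; files are written to a scratch directory.

FQDN="${FQDN:-ldap.example.com}"
WORK="${WORK:-$(mktemp -d)}"

# Self-signed test CA; its cert is what tls_cacertfile would point at.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" \
        -subj "/O=Example Org/CN=Example Test CA" >/dev/null 2>&1
}

# Server key + CSR with CN = FQDN, signed by the CA with a matching SAN,
# since modern clients match the hostname against SAN before CN.
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/ldap_key.pem" -out "$WORK/ldap.csr" \
        -subj "/O=Example Org/CN=$FQDN" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$FQDN" \
        > "$WORK/ext.cnf"
    openssl x509 -req -days 365 -in "$WORK/ldap.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -extfile "$WORK/ext.cnf" -out "$WORK/ldap_crt.pem" >/dev/null 2>&1
}

# Chain check against a CA file (default: our CA). Exit 0 means the client
# would accept the server cert; non-zero is the "certificate verify failed" case.
verify_chain() {
    openssl verify -CAfile "${1:-$WORK/cacert.pem}" "$WORK/ldap_crt.pem" \
        >/dev/null 2>&1
}

# Subject CN, to compare with the hostname the client connects to.
cert_cn() {
    openssl x509 -in "$WORK/ldap_crt.pem" -noout -subject |
        sed -n 's/.*CN *= *//p'
}

make_ca && make_server_cert
if verify_chain; then
    echo "chain OK; CN=$(cert_cn) must equal the host name clients use"
else
    echo "chain verification failed: CA file does not match the issuer"
fi
```

Point tls_cacertfile (client) and TLSCACertificateFile (server) at the CA certificate that actually signed ldap_crt.pem, and connect using the exact name in the CN/SAN rather than an IP or short host name.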