
RE: tls doesn't work



You are setting the wrong ldap.conf. The file you quoted below is not
processed by the OpenLDAP library, therefore your SSL settings are not being
used, and the library does not know where your CA cert is. Put the settings
in the correct file.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Kuba Leszewski
>
> Hi,
>
> I thought this would be easy :-)
> I wanted to use TLS, but without using SASL (at least for now).
> I created certificates for the server, and added the following to
> slapd.conf:
> TLSCertificateFile      /etc/openldap/ldap_crt.pem
> TLSCertificateKeyFile   /etc/openldap/ldap_key.pem
> TLSCACertificateFile    /usr/local/ssl/ce3-CA/certs/cacert.pem
> TLSCACertificatePath    /usr/local/ssl/ce3-CA
> TLSVerifyClient         never
>
> ------------------------
> In ldap.conf, the TLS/SSL related part looks like this:
> # Netscape SDK LDAPS
> #ssl on
>
> # Netscape SDK SSL options
> #sslpath /etc/ssl/certs/cert7.db
>
> # OpenLDAP SSL mechanism
> # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
> ssl start_tls
> #ssl off
>
> # OpenLDAP SSL options
> # Require and verify server certificate (yes/no)
> # Default is "no"
> #tls_checkpeer yes
>
> # CA certificates for server certificate verification
> # At least one of these are required if tls_checkpeer is "yes"
> tls_cacertfile /usr/local/ssl/ce3-CA/certs/cacert.pem
> tls_cacertdir /usr/local/ssl/ce3-CA
>
> # SSL cipher suite
> # See man ciphers for syntax
> tls_ciphers TLSv1
>
> # Client certificate and key
> # Use these, if your server requires client authentication.
> #tls_cert
> #tls_key
>
> ------------------------
> Then I try to use ldapsearch with the -Z switch, and I get:
> ldap_initialize( <DEFAULT> )
> ldap_start_tls: Connect error (91)
>         additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> ldap_bind: Can't contact LDAP server (81)
>         additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
>
> It works without the -Z switch.
>
> One thing I suspect is (from Admin Guide)
> "The DN of a server certificate must use the CN attribute to name the
> server, and the CN must carry the server's fully qualified
> domain name "
>
> Can somebody give an example of correct certificate parameters?
> I use OpenSSL to create them.
>
>
> Regards
> Kuba
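The file quoted above uses the pam_ldap/nss_ldap directive names (`ssl`, `tls_checkpeer`, `tls_cacertfile`, and so on), which libldap never reads; `ldapsearch -Z` consults the OpenLDAP client file instead (normally `/etc/openldap/ldap.conf`, plus `~/.ldaprc`), and that file spells its TLS directives differently. The following script is an added example, not code from the thread or from the OpenLDAP project: it rewrites the TLS lines of a pam_ldap-style file into libldap's vocabulary and, as a second check, compares a server certificate's CN with the host name clients will use, the point from the Admin Guide the poster was unsure about. The sample configuration is constructed from the quoted message; the `cert_cn_matches` helper assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenLDAP). Maps pam_ldap-style
# TLS directives, which libldap ignores, onto the OpenLDAP ldap.conf
# directives that ldapsearch -Z actually reads.
set -f   # no glob expansion while directive values are word-split below

# Print the OpenLDAP ldap.conf equivalent of one pam_ldap-style line.
# A line with no libldap counterpart yields a '#' comment saying why.
libldap_equivalent() {
    orig_line=$1
    set -- $1                      # word-split: $1 = directive, rest = value
    key=$1
    if [ $# -gt 0 ]; then shift; fi
    val=$*
    case "$key" in
        tls_cacertfile) printf 'TLS_CACERT %s\n' "$val" ;;
        tls_cacertdir)  printf 'TLS_CACERTDIR %s\n' "$val" ;;
        tls_cert)       printf 'TLS_CERT %s\n' "$val" ;;
        tls_key)        printf 'TLS_KEY %s\n' "$val" ;;
        tls_ciphers)    printf 'TLS_CIPHER_SUITE %s\n' "$val" ;;
        tls_checkpeer)
            # "demand" is libldap's default: the handshake fails on a missing
            # or unverifiable server certificate, which is exactly the error
            # the poster saw once the CA could not be found.
            if [ "$val" = "yes" ]; then
                printf 'TLS_REQCERT demand\n'
            else
                printf '# tls_checkpeer %s: keep TLS_REQCERT demand; "allow"/"never" skip verification\n' "$val"
            fi ;;
        ssl)
            printf '# no "ssl" directive in libldap: use ldapsearch -Z (-ZZ to require StartTLS) or an ldaps:// URI\n' ;;
        *)
            printf '# not a libldap TLS directive: %s\n' "$orig_line" ;;
    esac
}

# Translate a whole file read on stdin, skipping blank and comment lines.
# Exit status 1 if not a single directive could be translated.
translate_conf() {
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*) continue ;;
        esac
        out=$(libldap_equivalent "$line")
        printf '%s\n' "$out"
        case "$out" in
            TLS_*) found=1 ;;
        esac
    done
    [ "$found" -eq 1 ]
}

# Compare the CN of a PEM certificate with the host name clients will put in
# their LDAP URI (requires the openssl CLI; handles both the old "/CN=host"
# and the newer "CN = host" subject layouts). Exit 0 on match.
cert_cn_matches() {
    cn=$(openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    [ -n "$cn" ] && [ "$cn" = "$2" ]
}

# Constructed sample mirroring the TLS lines of the quoted pam_ldap file.
SAMPLE_CONF='ssl start_tls
tls_checkpeer yes
tls_cacertfile /usr/local/ssl/ce3-CA/certs/cacert.pem
tls_cacertdir /usr/local/ssl/ce3-CA
tls_ciphers TLSv1'

# Usage: paste the output into /etc/openldap/ldap.conf next to a URI line,
# then retry ldapsearch -ZZ; a CN check looks like
#   cert_cn_matches /etc/openldap/ldap_crt.pem ldap.example.org  (host name is a placeholder)
printf '%s\n' "$SAMPLE_CONF" | translate_conf
```

Two things the translation makes visible: `TLS_CACERT` has to name the CA that actually signed the server certificate (the `certificate verify failed` error is what libldap reports when it cannot build that chain), and `-ZZ` rather than `-Z` is what turns a failed StartTLS into a hard error instead of a silently unencrypted session.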