
openldap tls problem



Hi,

I hope this is the right list for my problem; if not, sorry in advance.

I want to configure slapd to use TLS. I have a certificate signed by
GlobalSign and the following lines in my slapd.conf:

<snip>
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/postfix/certs/ldap.pem
TLSCertificateKeyFile /etc/postfix/certs/ldap.key
TLSCACertificateFile /etc/postfix/certs/globalsign-domainssl.pem
</snip>

But when issuing an ldapsearch on another machine I still get an error:
<snip>
# ldapsearch -bdc=xxx,dc=at -Dcn=admin,dc=xxx,dc=at -hldap.xxx.at -p389
-x -W -ZZ -d5 objectClass=*
...
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 19, subject: /C=US/O=GTE
Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global
Root, issuer: /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions,
Inc./CN=GTE CyberTrust Global Root
TLS certificate verification: Error, self signed certificate in
certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
	additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
</snip>

The same GlobalSign certificates work well with my Apache.

Any hints?

Regards, Michael Fischer
-- 
email: michi.fischer@gmx.net
web: http://www.webfischer.at
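An added triage helper, not part of Michael's mail or of OpenLDAP: it parses the "TLS certificate verification:" lines of an ldapsearch -d trace like the one above and reports which certificate in the chain failed and what that implies. The sample trace is constructed from the post's output; "err: 19" at the deepest (root) position means the client does not trust the CA that was presented, which is fixed in the client's trust store (TLS_CACERT in ldap.conf), not in slapd.conf.

```python
import re

# Subset of OpenSSL X509 verify result codes, as printed in the "err:" field
# of the ldapsearch -d trace (numbers from openssl/x509_vfy.h).
VERIFY_ERRORS = {
    18: "self signed certificate",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}

# Constructed sample trace, modelled on the post; the verification line is
# kept on one line here because the mail client wrapped the original.
SAMPLE_TRACE = """\
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 19, subject: /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root, issuer: /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
"""

LINE_RE = re.compile(r"TLS certificate verification: depth: (\d+), err: (\d+), "
                     r"subject: (.+?), issuer: (.+)$")

def parse_verification(trace):
    """Extract depth, error code, subject and issuer of every verification line."""
    entries = []
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            depth, err, subject, issuer = m.groups()
            entries.append({"depth": int(depth), "err": int(err),
                            "subject": subject.strip(), "issuer": issuer.strip(),
                            # subject == issuer marks a root (self-signed) certificate
                            "self_signed": subject.strip() == issuer.strip()})
    return entries

def diagnose(trace):
    """Name the failing certificate and which side's configuration it points at."""
    failed = [e for e in parse_verification(trace) if e["err"] != 0]
    if not failed:
        return "no verification errors in trace"
    top = max(failed, key=lambda e: e["depth"])  # highest depth = trust-anchor end
    name = VERIFY_ERRORS.get(top["err"], "unknown verify error")
    where = "depth %d, err %d: %s" % (top["depth"], top["err"], name)
    if top["err"] in (18, 19) and top["self_signed"]:
        # Root was sent but is not trusted: fix the client's TLS_CACERT, not slapd.conf.
        return "client trust store lacks root CA %s (%s)" % (top["subject"], where)
    if top["err"] in (20, 21):
        return "issuer of %s missing from chain and client store (%s)" % (top["subject"], where)
    return "verification failed at %s (%s)" % (top["subject"], where)
```

Run it against the saved output of ldapsearch -d5 (or pipe the trace into diagnose) to tell a missing client trust anchor (err 19) apart from an incomplete chain sent by the server (err 20/21).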