
Re: Can't get TLS working.



no .ldaprc in any homedir
no /etc/ldap.conf
no /etc/openldap directory
clean /usr/local/etc/openldap/ldap.conf (no variables defined there)
only /usr/local/etc/ldap.conf (for pam_ldap) and
/usr/local/etc/nss_ldap.conf (for nss with ldap)


2010/9/15 Dieter Kluenter <dieter@dkluenter.de>:
> c0re <nr1c0re@gmail.com> writes:
>
>> Sorry, forgot to mention that I've tested that certificates are OK.
>>
>> # starting slapd
>>
>> /usr/local/libexec/slapd -u ldap -d 1 -h ldaps:///
>>
>> # making test:
>>
>> openssl s_client -connect 127.0.0.1:636 -CAfile
>> /usr/local/etc/openldap/ssl-client/root.crt -showcerts
>>
>> # output of test in openssl command:
> [...]
>> Certificate chain
>>  0 s:/C=RU/ST=MSK/L=MSK/O=ORG/OU=IT/CN=ldap.domain.com
>>   i:/C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com
>> -----BEGIN CERTIFICATE-----
>> <certificate>
>> .....
>> </certificate>
>> -----END CERTIFICATE-----
>>  1 s:/C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com
>>   i:/C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com
>> -----BEGIN CERTIFICATE-----
>> <certificate>
>> .....
>> </certificate>
>> -----END CERTIFICATE-----
>> ---
>> Server certificate
>> subject=/C=RU/ST=MSK/L=MSK/O=ORG/OU=IT/CN=ldap.domain.com
>> issuer=/C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 1811 bytes and written 462 bytes
>> ---
> [...]
>>    Verify return code: 0 (ok)
> [...]
>
> There are no errors in the certificate chain and the server cert has been
> verified, so the certificate chain is OK. Please check all relevant
> configuration files, that is /etc/openldap/ldap.conf, /etc/ldap.conf
> and probably ~/.ldaprc, for any TLS configuration.
>
> -Dieter
>
> --
> Dieter Klünter | Systemberatung
> sip: 7770535@sipgate.de
> http://www.dpunkt.de/buecher/2104.html
> GPG Key ID:8EF7B6C6
>
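The advice above is to hunt through every client-side configuration file for a TLS directive that differs from what the server test showed. As an added example (not part of this thread, and not OpenLDAP's own code), the Python script below parses ldap.conf(5)-style files in the precedence order the manual page describes (system-wide ldap.conf first, then the user's ~/.ldaprc, with LDAP<option> environment variables such as LDAPTLS_REQCERT overriding both) and reports where each effective TLS_* setting comes from. The file contents, the stray `tls_reqcert never` line and the environment override are constructed sample input, not anything observed on the poster's system.

```python
"""Report which OpenLDAP client config file or environment variable sets each
TLS_* option.  Precedence (lowest first) follows ldap.conf(5): system-wide
ldap.conf, then ~/.ldaprc, then LDAP<option> environment variables.
All sample contents below are constructed for this example."""

import os
from typing import Dict, List, Optional, Tuple

# TLS-related directives listed in ldap.conf(5).
TLS_DIRECTIVES = {
    "TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT", "TLS_KEY",
    "TLS_CIPHER_SUITE", "TLS_RANDFILE", "TLS_REQCERT", "TLS_CRLCHECK",
}


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse ldap.conf(5)-style text into {DIRECTIVE: value}.
    Blank lines and '#' comment lines are ignored; directive names are
    case-insensitive, so they are normalised to upper case."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # a directive with no value is skipped here
        settings[parts[0].upper()] = parts[1].strip()
    return settings


def effective_tls_settings(sources: List[Tuple[str, str]],
                           env: Optional[Dict[str, str]] = None
                           ) -> Dict[str, Tuple[str, str]]:
    """Merge (origin, text) sources given lowest-precedence first and return
    {DIRECTIVE: (value, origin)} for TLS_* directives only.  Environment
    variables named LDAP<DIRECTIVE> are applied last, since ldap.conf(5)
    says they override file settings."""
    effective: Dict[str, Tuple[str, str]] = {}
    for origin, text in sources:
        for key, value in parse_ldap_conf(text).items():
            if key in TLS_DIRECTIVES:
                effective[key] = (value, origin)
    for name, value in (env or {}).items():
        if name.startswith("LDAP") and name[4:] in TLS_DIRECTIVES:
            effective[name[4:]] = (value, "env:" + name)
    return effective


def load_sources(paths: List[str]) -> List[Tuple[str, str]]:
    """Read the files that exist on disk, in the order given ('~' expanded),
    for use as the sources argument above."""
    out = []
    for p in paths:
        full = os.path.expanduser(p)
        if os.path.isfile(full):
            with open(full, encoding="utf-8", errors="replace") as fh:
                out.append((p, fh.read()))
    return out


# Constructed sample: a clean system ldap.conf and a forgotten ~/.ldaprc that
# silently disables certificate verification for that user only.
SYSTEM_LDAP_CONF = """\
# /usr/local/etc/openldap/ldap.conf (constructed sample)
BASE   dc=domain,dc=com
URI    ldaps://ldap.domain.com
TLS_CACERT /usr/local/etc/openldap/ssl-client/root.crt
"""

USER_LDAPRC = """\
# ~/.ldaprc (constructed sample)
tls_reqcert never
"""


def report(sources: List[Tuple[str, str]],
           env: Optional[Dict[str, str]] = None) -> List[str]:
    """One human-readable line per effective TLS_* directive."""
    merged = effective_tls_settings(sources, env)
    return [f"{k}={v}  (from {o})" for k, (v, o) in sorted(merged.items())]


if __name__ == "__main__":
    sample = [("/usr/local/etc/openldap/ldap.conf", SYSTEM_LDAP_CONF),
              ("~/.ldaprc", USER_LDAPRC)]
    for line in report(sample, {"LDAPTLS_CACERT": "/tmp/other.crt"}):
        print(line)
```

On a real host, replace the constructed sample with `load_sources(["/etc/openldap/ldap.conf", "/usr/local/etc/openldap/ldap.conf", "~/.ldaprc"])` and pass `dict(os.environ)` as `env`; a directive whose origin is an unexpected file or environment variable is the first place to look when a server that passes `openssl s_client` verification still fails from an LDAP client.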