
RE: OpenLDAP client test program connecting to LDAP server over SSL failed



Hi Daisy,

-- created an environment variable LDAPCONF
<DAISY>:  Question, what value is this environment variable set to?  Does OpenSSL or OpenLDAP use this env variable?

> You should set the environment variable LDAPCONF to the location of your ldap configuration file. In my case, I called
the file ldap_ssl_cert_config and I placed it in my home directory. So you would then run:

export LDAPCONF=/home/ven/ldap_ssl_cert_config

Alternately, you could also have a .ldaprc file in your home directory instead of setting this variable.

-- created a file called ldap_ssl_cert_config and placed the following line in it:
TLS_CACERTDIR /etc/pki/tls
<DAISY>:  Question, in what directory should I create this file?  How is this file “ldap_ssl_cert_config” file used?  How does OpenLDAP client know what file to look for, in which directory?

> Sorry, I should have explained this better. The environment variable LDAPCONF must point to the location of this file as shown above.
Create it in any text editor and place the line TLS_CACERTDIR <path to root cert bundle> within this file. The OpenLDAP libraries will either
look for the environment variable LDAPCONF or for a .ldaprc file in your home directory.

And /etc/pki/tls does not exist in my file system.  What is this “/etc/pki/tls” anyway?

> TLS_CACERTDIR specifies the location of the SSL certificates root bundle of your OpenSSL installation. In Red Hat Enterprise Linux,
this bundle is located in /etc/pki/tls. What OS are you using? It will depend on that and your OpenSSL installation. Also, see
this for more detailed info: http://linux.die.net/man/5/ldap.conf

cheers,

Ven
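The mechanism Ven describes, as an added example that is not part of the thread: a small POSIX shell script that writes an ldap.conf-style client file, resolves it the way libldap does (the LDAPCONF variable first, otherwise ~/.ldaprc), reads TLS_CACERTDIR back out of it, and checks that the directory actually holds OpenSSL hash-named certificate files, which is what TLS_CACERTDIR requires (the names come from `c_rehash` or `openssl rehash`). The TLS_REQCERT line is a real ldap.conf directive not mentioned in the thread; it is included to keep verification at its default "demand" rather than silencing the "certificate verify failed" error by turning verification off. All paths and the hash-named file are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Demonstrates how an OpenLDAP
# client picks up TLS_CACERTDIR from LDAPCONF or ~/.ldaprc and how to sanity-check
# the CA directory before blaming the OpenSSL build for a verify failure.

# Write a minimal client config: CA directory plus explicit certificate checking.
# TLS_REQCERT demand is libldap's default; it is spelled out so nobody "fixes"
# the error by setting it to never.
write_ldap_client_conf() {
    conf="$1"; cadir="$2"
    printf 'TLS_CACERTDIR %s\nTLS_REQCERT demand\n' "$cadir" > "$conf"
}

# Resolve which user-level config libldap will read: $LDAPCONF if set, else ~/.ldaprc.
resolve_ldap_conf() {
    if [ -n "${LDAPCONF:-}" ]; then
        printf '%s\n' "$LDAPCONF"
    else
        printf '%s\n' "$HOME/.ldaprc"
    fi
}

# Return the value of the first TLS_CACERTDIR directive in a config file.
get_cacertdir() {
    awk '$1 == "TLS_CACERTDIR" { print $2; exit }' "$1"
}

# A TLS_CACERTDIR only works if it contains hash-named files (XXXXXXXX.N) as
# produced by "openssl rehash" / c_rehash. Return 1 if the directory is missing,
# 2 if it has no hashed entries, 0 if it looks usable.
check_cacertdir() {
    dir="$1"
    [ -d "$dir" ] || { echo "TLS_CACERTDIR does not exist: $dir" >&2; return 1; }
    ls "$dir" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$' \
        || { echo "no hash-named certificates in $dir (run: openssl rehash $dir)" >&2; return 2; }
    return 0
}

# Demo run on constructed paths: a scratch CA directory with one fake hashed entry.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/cacerts"
: > "$demo_dir/cacerts/0a1b2c3d.0"   # constructed stand-in for a rehashed CA cert
write_ldap_client_conf "$demo_dir/ldap_ssl_cert_config" "$demo_dir/cacerts"
LDAPCONF="$demo_dir/ldap_ssl_cert_config"; export LDAPCONF
if check_cacertdir "$(get_cacertdir "$(resolve_ldap_conf)")"; then
    echo "client TLS config OK: $LDAPCONF"
fi
rm -rf "$demo_dir"
```

If `check_cacertdir` reports an empty directory on a real system, the usual cause is a CA bundle file (for example one `.crt` or `.pem`) sitting where a hashed directory is expected; in that case either point TLS_CACERT at the bundle file or rehash the directory. On Red Hat-derived systems the hashed directory is typically under /etc/pki/tls/certs rather than /etc/pki/tls itself, so checking the resolved path this way before running the client program saves a round of guessing.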


From: Mahadevan, Venkatasubramanian [mailto:Venkatasubramanian.Mahadevan@ubc.ca]
Sent: Tuesday, August 30, 2011 6:25 PM
To: Wu, Daisy; openldap-technical@openldap.org
Subject: RE: OpenLDAP client test program connecting to LDAP server over SSL failed

> It failed because of this error: ldap_sasl_bind_s: Can't contact LDAP server (-1) error:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Hi Daisy,

I have noticed that sometimes depending on the version of OpenSSL you are linking the LDAP libraries to, it will throw this
error. So what I did was:
-- created an environment variable LDAPCONF
-- created a file called ldap_ssl_cert_config and placed the following line in it:
TLS_CACERTDIR /etc/pki/tls
-- ran my program

Then it worked and I did not get the error anymore. Hope this helps.

cheers,

Ven