
Re: TLS problem



On 01/29/2013 01:22 AM, Chris wrote:
Hi

I am running OpenLDAP 2.4.23 on RHEL6. I can telnet to the server on both ports 389 and 636.
I can do a ldapsearch and ldapadd without any errors. I get this error when I start the slapd daemon.

ldap_start_tls_s() failed: Can't contact LDAP server: Transport endpoint is not connected (uri="ldap://ldapserver")
failed to bind to LDAP server ldap://ldapserver: Can't contact LDAP server: Transport endpoint is not connected

When I do an ldapsearch -x -d1 -Z -b 'dc=flamengro,dc=co,dc=za'

I get the following error

TLS: certificate [CA certificate details omitted here...] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 0 - moznss error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
ldap_err2string
ldap_start_tls: Connect error (-11)
        additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user

"Peer's certificate issuer has been marked as not trusted by the user" - this means the issuer (the CA) that issued the certificate of the server (the peer) is not trusted by the user (the ldapsearch client). This usually means you have not told ldapsearch (via ldap.conf or .ldaprc) about the CA cert of the CA that issued the server cert.


Any help will be appreciated.

This is my slapd.conf file

include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema
allow bind_v2
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
TLSCipherSuite          HIGH
TLSCertificateFile      /etc/pki/tls/certs/slapdcert.pem
TLSCertificateKeyFile   /etc/pki/tls/certs/slapdkey.pem
TLSVerifyClient         never
database        bdb
suffix          "dc=flamengro,dc=co,dc=za"
checkpoint      1024 15
rootdn          "cn=Manager,dc=flamengro,dc=co,dc=za"
rootpw          secret
directory       /var/lib/ldap/flamengro
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
database monitor
# allow only rootdn to read the monitor
access to *
        by dn.exact="cn=Manager,dc=flamengro,dc=co,dc=za" read
        by * none
access to attrs=userPassword,shadowLastChange
        by anonymous auth
        by self write
        by * none

I
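The reply above says the fix for -8172 is to tell the client about the issuing CA through ldap.conf or .ldaprc. The following is an added example for this thread, not code from the original post or from OpenLDAP: it renders such a client fragment, audits an existing ldap.conf for the two states that matter here (no trust anchor at all, which is what produces -8172, and TLS_REQCERT never/allow, which makes the error vanish by switching server verification off), and shows the ldapsearch invocation to confirm StartTLS afterwards. The CA path /etc/openldap/cacerts/ca.pem is an assumption; the server name and base DN are the ones from the post.

```shell
#!/bin/sh
# Added example for this thread; not code from the original post or from
# OpenLDAP. Assumed/hypothetical: the CA that signed slapdcert.pem is available
# as a PEM file at /etc/openldap/cacerts/ca.pem. Server name and base DN are
# the ones Chris posted.

# Print a client-side ldap.conf / ~/.ldaprc fragment: name the trust anchor and
# keep verification strict. TLS_REQCERT demand is already the default; it is
# written out explicitly so a stray "TLS_REQCERT never" elsewhere is not
# silently inherited.
render_ldaprc() {
    cafile=$1
    printf '%s\n' \
        "URI ldap://ldapserver" \
        "BASE dc=flamengro,dc=co,dc=za" \
        "# CA that issued /etc/pki/tls/certs/slapdcert.pem (assumed path)" \
        "TLS_CACERT $cafile" \
        "# Abort the handshake if the server chain does not verify" \
        "TLS_REQCERT demand"
}

# Audit an ldap.conf / .ldaprc. Comments are stripped, keywords are matched
# case-insensitively, and the last TLS_REQCERT line wins.
# Exit status:
#   0  trust anchor configured and verification enforced
#   1  TLS_REQCERT never|allow: -8172 goes away only because nothing is verified
#   2  no TLS_CACERT / TLS_CACERTDIR: the state that produces -8172
audit_ldap_conf() {
    conf=$1
    reqcert=$(sed -e 's/#.*//' "$conf" \
        | awk 'toupper($1)=="TLS_REQCERT" {print tolower($2)}' | tail -n 1)
    anchors=$(sed -e 's/#.*//' "$conf" \
        | awk 'toupper($1)=="TLS_CACERT" || toupper($1)=="TLS_CACERTDIR" {n++} END {print n+0}')
    case "$reqcert" in
        never|allow) return 1 ;;
    esac
    [ "$anchors" -gt 0 ] || return 2
    return 0
}

# Live check once the fragment is installed (needs the real server, so it is
# not part of the offline demo). -ZZ makes ldapsearch fail outright instead of
# continuing in cleartext when StartTLS does not complete.
verify_starttls() {
    ldapsearch -x -ZZ -H ldap://ldapserver -b 'dc=flamengro,dc=co,dc=za' \
        -s base '(objectClass=*)' dn
}

# Offline demo over constructed files: the posted state (no anchor), the
# tempting wrong fix (TLS_REQCERT never), and the rendered fragment.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'URI ldap://ldapserver\nBASE dc=flamengro,dc=co,dc=za\n' > "$tmp/before.conf"
    printf 'URI ldap://ldapserver\nTLS_REQCERT never\n' > "$tmp/wrong.conf"
    render_ldaprc /etc/openldap/cacerts/ca.pem > "$tmp/fixed.conf"
    for name in before wrong fixed; do
        rc=0
        audit_ldap_conf "$tmp/$name.conf" || rc=$?
        echo "$name.conf -> audit status $rc"
    done
    rm -rf "$tmp"
}

demo
```

Two caveats for this particular setup. Error -8172 is an NSS error code (SEC_ERROR_UNTRUSTED_ISSUER), i.e. the RHEL6 OpenLDAP build is linked against Mozilla NSS rather than OpenSSL; with that build the trust anchor can alternatively be an NSS certificate database named by TLS_CACERTDIR, into which the CA is imported with `certutil -d <dir> -A -n "<nickname>" -t CT,, -i ca.pem`. And the posted slapd.conf has no TLSCACertificateFile: if slapdcert.pem was issued by an intermediate CA rather than directly by the root the client trusts, slapd also needs that directive so it sends the intermediate in the handshake, otherwise the client still cannot build the chain.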