openldap-2.0/TLS certificate error
I've been trying to get the 2.0/dev version to talk SSL/TLS and am having  
trouble with the certificates. I read through the TLS faq
(http://www.openldap.org/faq/index.cgi?_highlightWords=ssl&file=185) and set
up the certificates the following way:

# writes the CSR to stdout and the new key (passphrase-protected) to privkey.pem
openssl req -new > new.cert.csr
# strip the passphrase so slapd can load the key unattended
openssl rsa -in privkey.pem -out ldap.key
# self-sign the request with its own key; no CA is involved
openssl x509 -in new.cert.csr -out ldap.cert -req -signkey ldap.key -days 365

Then added to slapd.conf:

TLSCertificateFile      /usr/local/ssl/certs/ldap.cert
TLSCertificateKeyFile   /usr/local/ssl/certs/ldap.key

Started slapd: /usr/local/libexec/slapd -h "ldap:/// ldaps:///" -d 9

Then if I try and fire off an ldapsearch:

ldapsearch -b o=mp3.com,c=us -Z uid=scottk

ldapsearch error: 

ldap_bind: Local error additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The slapd debug output is as follows:

do_extended
ber_scanf fmt ({a) ber:
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 10
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10): got connid=2
connection_read(10): checking for input on id=2
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10): got connid=2
connection_read(10): checking for input on id=2
TLS trace: SSL3 alert read:fatal:unknown
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
s3_pkt.c:956
connection_read(10): TLS accept error error=-1 id=2, closing
connection_closing: readying conn=2 sd=10 for close


Any thoughts/suggestions as to why I can't perform a secure ldapsearch? Thanks
in advance.

I'm using:

openldap-2.0 (just updated this morning 6/12/00)
openssl-0.9.5.a

-- 
Scott Kelley		      MP3.com, the Premier Music Service Provider (MSP)
Engineering	
MP3.com, Inc.
scottk@mp3.com
Office: (858)623-7336
Cell:   (858)382-3749
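
The handshake failure in the post, as an added example (not code from the post or from the OpenLDAP project): the "tlsv1 alert unknown ca" is sent by ldapsearch, which has no trust anchor for a server certificate that signed itself. The script below rebuilds the certificate the same way but unattended, confirms it is self-signed (subject equals issuer), and shows `openssl verify` rejecting it until the certificate itself is supplied as the CA file, which is what pointing the client's TLS_CACERT at ldap.cert does. The hostname and the temporary directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the trust failure
# behind "certificate verify failed" / "unknown ca" and shows the fix.
# $WORK and the hostname below are assumptions for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Self-signed server certificate, same shape as the post but unattended:
# -nodes leaves the key unencrypted (slapd cannot type a passphrase),
# -subj skips the prompts. The CN must match the name clients connect to.
make_selfsigned_cert() {
    host="$1"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$WORK/ldap.key" -out "$WORK/new.cert.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/new.cert.csr" -signkey "$WORK/ldap.key" \
        -days 365 -out "$WORK/ldap.cert" 2>/dev/null
}

# A certificate is self-signed when it issued itself: nothing else in
# the chain can vouch for it, so the client must be told to trust it.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Verify a certificate the way an OpenSSL client does. With no trust
# anchor a self-signed cert is rejected; passing the same cert as the
# CA file (what TLS_CACERT in ldap.conf does) makes it trusted.
# Prints "trusted" or "untrusted".
verify_cert() {
    cert="$1"; cafile="${2:-}"
    if [ -n "$cafile" ]; then
        out=$(openssl verify -CAfile "$cafile" "$cert" 2>&1) || true
    else
        out=$(openssl verify "$cert" 2>&1) || true
    fi
    case "$out" in
        *": OK"*) echo trusted ;;
        *)        echo untrusted ;;
    esac
}

make_selfsigned_cert ldap.example.com   # hostname is an assumption
is_self_signed "$WORK/ldap.cert" && echo "ldap.cert is self-signed"
echo "no trust anchor: $(verify_cert "$WORK/ldap.cert")"
echo "TLS_CACERT set:  $(verify_cert "$WORK/ldap.cert" "$WORK/ldap.cert")"
```

The client-side fix that the second `verify_cert` call models is a line such as `TLS_CACERT /usr/local/ssl/certs/ldap.cert` in ldap.conf (or the user's .ldaprc); slapd's own TLSCertificateFile/TLSCertificateKeyFile settings only tell the server what to present, not the client what to trust. A certificate signed by a real CA would instead need that CA's certificate in TLS_CACERT.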