[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS config question

To: Mark Johnson <markj@gilanet.com>
Subject: Re: TLS config question
From: "Kervin L. Pierre" <kervin@blueprint-tech.com>
Date: Tue, 11 Jun 2002 00:33:07 -0400
Cc: "openldap-software@OpenLDAP.org" <openldap-software@OpenLDAP.org>
References: <20020611015739.GB16114@hotdog.emsquirt.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1a) Gecko/20020608

Did you specify your cert CA in your ldap.conf on the client? 2.1 is finicky { I love that word :) } about that.

eg.
TLS_CACERT /ssl/slapdca.crt

You don't need to break up the PEM file ( I think ), but you do need have have the CA cert on the client side, so that the client can test the validity of the cert.


--Kervin

Mark Johnson wrote:

I've installed cyrus-sasl-2.1.2 and openldap-2.0.23, set up a simple
slapd.conf and test database.

When I run slapd with defaults,
$ ldapsearch -x -H "ldap://localhost:389"; -b "cn=Manager,dc=mydomain,dc=com"
produces the expected result.

Now I add these two lines to slapd.conf:
TLSCertificateFile /usr/local/etc/httpd/ssl.crt/snakeoil-rsa.crt
TLSCertificateKeyFile /usr/local/etc/httpd/ssl.key/snakeoil-rsa.key
and run:
# /usr/local/libexec/slapd -h ldaps://localhost:636

But:
$ ldapsearch -x -H "ldaps://localhost:636" -b "cn=Manager,dc=mydomain,dc=com"
ldap_bind: Can't contact LDAP server

The log shows this: Jun 10 19:16:41 hotdog slapd[16217]: slapd starting Jun 10 19:17:05 hotdog slapd[16219]: daemon: conn=0 fd=9 connection from IP=127.0.0.1:33538 (IP=127.0.0.1:31746) accepted. Jun 10 19:17:05 hotdog slapd[16219]: conn=-1 fd=9 closed

What does it mean?

TIA,

Follow-Ups:
- Re: TLS config question
  - From: Mark Johnson <markj@gilanet.com>

References:
- TLS config question
  - From: Mark Johnson <markj@gilanet.com>

Prev by Date: TLS config question
Next by Date: Re: TLS config question
Index(es):
- Chronological
- Thread