[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: unknown CA

ThierryW wrote :
I was having the same error (unknown CA), like you write i put
TLS_CACERT /usr/local/openldap/etc/certs/CA_pubkey.pem) in ldap.conf but now i get a new error :
connection_read(14): unable to get TLS client DN error=49 id=6
then it bind anonymous..?

Howard Chu wrote:
I have just this afternoon committed the support for the TLSCACertPath.
If you pull the latest version of libldap/tls.c from CVS you'll get it.
(But in general, you are of course welcome to fix/write anything you wish.)

As for the unknown CA problem, you need to configure your LDAP clients to
use the certs as well. It looks like you have only configured slapd so far.

You probably need to add this
	TLS_CACERT /usr/local/openldap/etc/certs/CA_pubkey.pem)
to your /usr/local/openldap/etc/ldap.conf file.

-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support

-----Original Message-----
From: Tarassov Vadim [mailto:Vadim.Tarassov@winterthur.ch]
Sent: Friday, June 14, 2002 4:31 AM
To: 'Howard Chu'; Tarassov Vadim; OpenLDAP-software@OpenLDAP.org
Subject: AW: unknown CA

Hallo Howard,

Do you mind if I will fix it? And look, I believe there is something wrong with

openldap 2.1.2, openssl 1.9.6d

if build together on solaris 2.6 with forte 6 update 1. I was struggling few hours with those fancy error messages I've described before, but could not find anything besides of the fact that s_client and s_server do work well with the same certificates. Thus, I will have to investigate this problem. I will inform you regardless to if I will have success or not.

Cheers, Vadim Tarassov.