
RE: Connect to LDAP via ssl failed



You have to make sure that a private key is associated with the
certificate that is generated.  If you have a Red Hat Linux installation
available, it is quite easy to generate a certificate for use with your
AD server.

For Red Hat do the following:

1. Verify that OpenSSL is installed (rpm -q openssl).  Install if
necessary.
2. cd /usr/share/ssl/certs/
3. make SOMEFILE.pem
4. Input the data requested.
5. openssl pkcs12 -export -in SOMEFILE.pem -out SOMEFILE.p12 -name "SOMENAMEHERE"
6. Transfer the p12 file to the AD server and import it into the
Personal Computer store and the Trusted Root CA store.

Those are the exact steps I took and then I could use SSL with
ldapsearch (which, I believe, uses the same ldap_* calls as you are
trying to make with VC) to connect to our domain controllers.  

Hope this helps,
Andy.
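
The same procedure with plain openssl(1) instead of the Red Hat certs Makefile, as an added example that is not from the thread: a self-signed server certificate with the AD server's FQDN as CN, bundled with its private key into a PKCS#12 file, plus the client-side check that turns the "unable to verify the first certificate" result into a pass once the certificate is trusted. The FQDN dc1.example.test and the password are constructed values; OpenSSL 1.1.1 or later is assumed for -addext.

```sh
#!/bin/sh
# Added example (not the poster's code). Assumes openssl >= 1.1.1 on PATH.

# Generate a self-signed server certificate whose CN and SAN are the AD
# server's FQDN, then bundle certificate + private key as PKCS#12 so the
# import into the Personal store carries a key (Andy's first point).
make_server_p12() {
    fqdn=$1; dir=$2; pass=$3
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/server.key" -out "$dir/server.pem" \
        -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" 2>/dev/null || return 1
    # -inkey is required here; the Red Hat "make X.pem" target wrote key
    # and cert into one file, which is why step 5 above could omit it.
    openssl pkcs12 -export -in "$dir/server.pem" -inkey "$dir/server.key" \
        -out "$dir/server.p12" -name "$fqdn" -passout "pass:$pass" 2>/dev/null
}

# Subject of a PEM certificate in RFC 2253 form, e.g. "CN=dc1.example.test".
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Returns 0 only if the PKCS#12 file really contains a private key.
p12_has_key() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# Client-side check with the issuer trusted: for a self-signed cert the
# CA file is the cert itself, which is why it also goes into the Trusted
# Root CA store. Returns 0 on a clean chain.
verify_with_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Same check with no trust anchor at all: this is the situation the
# failing ldapsearch/s_client client was in, and it returns non-zero.
verify_without_ca() {
    openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
}
```

For ldapsearch the equivalent of the trust-store import is pointing TLS_CACERT in ldap.conf at the PEM file used above.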

-----Original Message-----
From: afardong [mailto:afardong@263.sina.com] 
Sent: Thursday, December 05, 2002 8:31 PM
To: Rechenberg, Andrew; openldap-software@OpenLDAP.org
Subject: Re: Connect to LDAP via ssl failed


hi, 

Thanks for your advice. Our administrator of the AD server had generated a
certificate, imported into the Personal Computer store and the Trusted Root
CA store on itself before, but I still failed to connect to the AD server
from a remote host via SSL. Here's the result when I use openssl (in Linux) to
verify the certificate of the AD server:
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID:
3D1400009BBAA03598DC56D949FC28D940924372EEF40AF8D8A37AD8A8A83F56
    Session-ID-ctx:
    Master-Key:
D60476FD2077EC2A5D440EA81DE35FCAF9DAB3DA7537207724705C00ADE06693C839490F
7B2128F3E01E62FF72C21432
    Key-Arg   : None
    Start Time: 1039137298
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

I'd like to take your way to have a try, while I don't know how to
generate a new certificate with openssl (in Windows) and how to import
it into the Personal Computer store and the Trusted Root CA store.

Thanks a lot :-)

Afar
_________________________________
Things would always be better than what we had expected...
So Try and Learn and Get more! :-)


----- Original Message ----- 
From: "Rechenberg, Andrew" <arechenberg@shermfin.com>
To: "afardong" <afardong@263.sina.com>; <openldap-software@OpenLDAP.org>
Sent: Thursday, December 05, 2002 9:31 PM
Subject: RE: Connect to LDAP via ssl failed



WRT Active Directory, I believe that the AD server has to have a valid
certificate with the fully qualified domain name of the server as the CN
in the certificate.  I had the same problem not being able to connect to
an Active Directory via SSL with ldapsearch from Red Hat Linux and the
certificate that was issued to the AD server by our MS CA had expired.  

I generated a new certificate with OpenSSL, imported it into the
Personal Computer store, and the Trusted Root CA store on the AD server,
and then I was able to use SSL with ldapsearch to connect to the AD
server.

If I'm way off on this one, someone please correct me.

Regards,
Andy.


-----Original Message-----
From: afardong [mailto:afardong@263.sina.com] 
Sent: Thursday, December 05, 2002 1:38 AM
To: openldap-software@OpenLDAP.org
Subject: Connect to LDAP via ssl failed


Hi,

I am trying to perform some searching jobs with VC from a remote LDAP
Server or Active Directory. The job is divided into the following steps:
ldap_init, ldap_set_option (version 3), ldap_connect, ldap_bind_s, then
ldap_search_s and print the results etc. The code runs well with those
steps, but when I try to connect to the remote LDAP Server via SSL, a problem
comes up. Using ldap_sslinit instead of ldap_init, I get the error "Cannot
contact the LDAP server." every time when doing ldap_connect. I use
netstat to monitor the connection status and did find that the code got
connected to the remote server (port 636).

Could anyone give me some advice? Thanks :-)

afar