Re: SSL3 alert write:fatal:unknown CA
Pierre,
You might also want to add '-x' for simple authentication, as well as -D
"something" -W if needed, to the ldapsearch command.
This one: ldapsearch -H ldaps://sun.stars.priv -b "dc=stars,dc=priv" -d7
uses SASL and whatever mechanism the server decides is best. Hence the
ldap_sasl_interactive_bind_s error.
If your certificates are configured correctly and can be verified, it might
just work.
Cheers,
Kent Soper
"You don't stop playing because you grow old ...
you grow old because you stop playing."
Linux Technology Center, Linux Security
Phone: 1-512-838-9216
e-mail: dksoper@us.ibm.com
From: Pierre Burri <pierre@globeall.de>
Sent by: owner-openldap-software@OpenLDAP.org
To: OpenLDAP <openldap-software@OpenLDAP.org>
Subject: Re: SSL3 alert write:fatal:unknown CA
Date: 06/26/2003 10:50 AM
Hi
thank you for your suggestion. I looked for a while on openldap.org and didn't
find the article you are mentioning. But I found the article "How do I use
TLS/SSL?" in the Faq-O-Matic, which gave me some answers.
I'm just testing OpenLDAP to get the know-how, and that's why I'm not going to
buy a "real" certificate.
Nevertheless, I'm still curious about the document you are talking about...
Cheers, Pierre
On Wednesday, 25 June 2003 at 23:50, Quanah Gibson-Mount wrote:
> Hello,
>
> I suggest reading the OpenLDAP FAQ. It has a nice long detailed
> explanation of why you probably don't want to use self-signed certs, or if
> you do, you need to have a CA cert you can point both the server & clients
> at.
>
> --Quanah
>
> --On Wednesday, June 25, 2003 11:16 PM +0200 Pierre Burri
>
> <pierre@globeall.de> wrote:
> > Hi,
> >
> > I'm trying to set up an LDAP server over SSL (it works already very well
> > without SSL).
> >
> > I'm using Debian Sid, package slapd, version 2.1.17-3, LDAPv3
> >
> > I made a certificate; the common name is the FQDN of the host,
> > sun.stars.priv. The command:
> >
> > ldapsearch -H ldaps://sun.stars.priv -b "dc=stars,dc=priv" -d7
> >
> > gives me the following result:
> >
> > TLS certificate verification: depth: 0, err: 18, subject:
> > /C=DE/ST=Berlin/L=Berlin/O=linux-age/OU=LDAP-Server/CN=sun.stars.priv/Email=certificate@sun.stars.priv, issuer:
> > /C=DE/ST=Berlin/L=Berlin/O=linux-age/OU=LDAP-Server/CN=sun.stars.priv/Email=certificate@sun.stars.priv
> > TLS certificate verification: Error, self signed certificate
> > tls_write: want=7, written=7
> > 0000: 15 03 01 00 02 02 30 ......0
> > TLS trace: SSL3 alert write:fatal:unknown CA
> > TLS trace: SSL_connect:error in SSLv3 read server certificate B
> > TLS trace: SSL_connect:error in SSLv3 read server certificate B
> > TLS: can't connect.
> > ldap_perror
> > ldap_sasl_interactive_bind_s: Can't contact LDAP server (81)
> > additional info: error:14090086:SSL
> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> >
> > What can I do so that clients on hosts other than "sun" recognize my
> > self-made certificate?
> >
> > On the server "sun", I put TLS_CACERT /etc/ldap/server.pem in the file
> > /etc/ldap/ldap.conf, which removes the problem, but of course only on the
> > server.
>
> --
> Quanah Gibson-Mount
> Senior Systems Administrator
> ITSS/TSS/Computing Systems
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
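The thread boils down to one point: the client refuses the handshake because the certificate it is shown chains to no trust anchor it knows (err 18 "self signed certificate", sent back as the "unknown CA" alert), and the fix is either to install the server's own self-signed certificate as the client's TLS_CACERT on every client, as Pierre did on "sun", or, as Quanah recommends, to create a small private CA, sign the server certificate with it, and distribute only the CA certificate. The script below is an added example, not code from the thread or from OpenLDAP; it uses openssl(1) to build both variants and to run the same verification a libldap client performs. It assumes openssl 1.1 or newer on PATH; the host name sun.stars.priv and the DN fields are taken from the thread, while all file names and the CA name are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP: build the CA +
# server certificate Quanah recommends, reproduce Pierre's self-signed
# failure with openssl(1), and print the ldap.conf/slapd.conf lines involved.
# Assumptions: openssl 1.1 or newer on PATH. The host name sun.stars.priv and
# the DN fields come from the thread; all file names are this example's own.
set -eu

# Create in $1: ca.pem (trust anchor), server.key/server.pem (CA-signed, for
# host $2) and selfsigned.pem (issuer == subject, like Pierre's certificate).
make_ca_and_server_cert() {
  dir=$1; host=$2
  mkdir -p "$dir"
  # CA key and self-signed CA certificate: this one file goes to every client
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=linux-age/CN=stars.priv LDAP test CA" 2>/dev/null
  # Server key and CSR; the CN is the FQDN clients put in the ldaps:// URI
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=linux-age/OU=LDAP-Server/CN=$host" 2>/dev/null
  # Sign the CSR with the CA; a SAN is added because current clients check it first
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/server.ext"
  openssl x509 -req -days 365 -in "$dir/server.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/server.pem" 2>/dev/null
  # A purely self-signed server certificate, as in the original question
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/selfsigned.key" -out "$dir/selfsigned.pem" \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=linux-age/OU=LDAP-Server/CN=$host" 2>/dev/null
}

# What a libldap client does with the server certificate: trust only $1
# (empty = no TLS_CACERT configured) and, if $3 is given, require that host
# name. Exit status is openssl's: 0 = verified; non-zero = the handshake would
# be aborted with the "unknown CA" alert seen in the thread.
verify_cert() {
  ca=$1; cert=$2; host=${3:-}
  if [ -z "$ca" ]; then
    openssl verify -no-CApath -no-CAfile "$cert"
  elif [ -z "$host" ]; then
    openssl verify -CAfile "$ca" "$cert"
  else
    openssl verify -CAfile "$ca" -verify_hostname "$host" "$cert"
  fi
}

# Client-side /etc/ldap/ldap.conf for server $1: TLS_CACERT ($2) must name the
# CA certificate (or, for a self-signed server cert, that cert itself).
client_ldap_conf() {
  printf 'BASE        dc=stars,dc=priv\nURI         ldaps://%s\nTLS_CACERT  %s\nTLS_REQCERT demand\n' "$1" "$2"
}

# Server-side slapd.conf, with the files installed under directory $1.
slapd_tls_conf() {
  printf 'TLSCACertificateFile  %s/ca.pem\nTLSCertificateFile    %s/server.pem\nTLSCertificateKeyFile %s/server.key\n' "$1" "$1" "$1"
}

# Walk-through: the failure from the thread, then the two ways to fix it.
work=$(mktemp -d)
make_ca_and_server_cert "$work" sun.stars.priv
echo '-- client without TLS_CACERT, self-signed server cert (err 18):'
verify_cert "" "$work/selfsigned.pem" || true
echo '-- same cert, client told to trust it (TLS_CACERT /etc/ldap/server.pem):'
verify_cert "$work/selfsigned.pem" "$work/selfsigned.pem" sun.stars.priv
echo '-- CA-signed server cert, client trusts only the CA:'
verify_cert "$work/ca.pem" "$work/server.pem" sun.stars.priv
echo '-- config fragments:'
client_ldap_conf sun.stars.priv /etc/ldap/ca.pem
slapd_tls_conf /etc/ldap
rm -rf "$work"
```

Once ca.pem is copied to a client and named in its ldap.conf, Kent's suggestion applies for the live check: run ldapsearch with -x (plus -D and -W if the directory needs a bind) so that a failure is a TLS failure rather than a SASL one. Trusting the self-signed server certificate directly does work, but it has to be copied to every client again each time the server certificate is renewed; with the CA variant the clients keep the long-lived ca.pem and the server certificate can be reissued without touching them. In both cases the CN (and SAN) must match the host name in the ldaps:// URI, which is what the -verify_hostname step above checks.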