
Re: Last attempt at TLS/SSL

Hi Mike,

"So there's one piece of software, openssl, saying "your cert is cool".
Now if I try to run ldapsearch and pass it -H "ldaps://wp-app-3.webtech.com",
it will fail with this error:

ldap_bind: Can't contact LDAP server (81)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"

I had this same error after I upgraded my versions of OpenLDAP and
Cyrus-SASL recently and did not create new certs that were used in the
previous setup.
Without creating new certs I got around this by copying the server CA cert
to the client box because I was missing the old client CA cert.  On the
client, TLS_REQCERT was "demand" in ldap.conf and a missing CA cert caused
the cert verification to fail.  Even though you state you set the client
and server certs to the same cert, you might have a permission problem on
the client side.  A CA cert should be globally readable anyway.

Check permissions on all certs and keys.
Check all config files (slapd.conf, ldap.conf, and ldaprc/.ldaprc if you
have one) for the set values and for directives that are set (but unlisted)
by default.

If all else fails, give
"http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html" a quick read,
especially the configuration section.

"I've tried turning on tls_checkpeer"

I think this is an old and unused directive.  It's not in the OpenLDAP
2.1.21 man pages anymore.

Cheers,
Kent

"You don't stop playing because you grow old ...
       you grow old because you stop playing."

Linux Technology Center, Linux Security
tie line:     678-9216
external:  1-512-838-9216
e-mail:  dksoper@us.ibm.com
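The two checks Kent recommends above (confirm what TLS_REQCERT and the CA
directives actually resolve to, including the unlisted default, and confirm
the CA file is readable) can be scripted. The following is an added example
written for this page; it is not code from the thread, from OpenLDAP, or from
the linked howto. It assumes the default of TLS_REQCERT=demand that ldap.conf(5)
documents when the directive is absent, treats directive names as
case-insensitive, and every config file, path and "certificate" it creates is a
constructed fixture. The final chain check shells out to openssl verify, the
same verification openssl itself reports as "your cert is cool".

```shell
#!/bin/sh
# Added example, not part of the original mail. Resolves the effective
# TLS_REQCERT / TLS_CACERT / TLS_CACERTDIR in an ldap.conf-style file and
# checks that the CA material an unprivileged ldapsearch needs is present
# and world-readable. Assumption: TLS_REQCERT defaults to "demand".

# Print the effective value of directive $2 in config $1, or default $3.
# Directive names are case-insensitive; the last occurrence wins.
ldap_tls_setting() {
    _v=$(awk -v d="$2" '
        $1 !~ /^#/ && toupper($1) == d { v = $2 }
        END { if (v != "") print v }' "$1" 2>/dev/null)
    if [ -n "$_v" ]; then printf '%s\n' "$_v"; else printf '%s\n' "$3"; fi
}

# True when the "other" read bit is set (column 8 of ls -l output).
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = r ]
}

# Return 0 if the client config can verify a server certificate, 1 with a
# diagnosis otherwise.
check_ldap_tls_config() {
    _conf=$1
    [ -r "$_conf" ] || { echo "FAIL: cannot read $_conf"; return 1; }
    _req=$(ldap_tls_setting "$_conf" TLS_REQCERT demand | tr '[:upper:]' '[:lower:]')
    _ca=$(ldap_tls_setting "$_conf" TLS_CACERT "")
    _cadir=$(ldap_tls_setting "$_conf" TLS_CACERTDIR "")
    echo "$_conf: TLS_REQCERT=$_req TLS_CACERT=${_ca:-(unset)} TLS_CACERTDIR=${_cadir:-(unset)}"
    case $_req in
        never|allow)
            echo "  note: with TLS_REQCERT=$_req the server certificate is not verified"
            return 0 ;;
    esac
    if [ -z "$_ca" ] && [ -z "$_cadir" ]; then
        echo "  FAIL: TLS_REQCERT=$_req but neither TLS_CACERT nor TLS_CACERTDIR is set"
        return 1
    fi
    if [ -n "$_ca" ]; then
        [ -f "$_ca" ] || { echo "  FAIL: TLS_CACERT $_ca does not exist"; return 1; }
        world_readable "$_ca" || { echo "  FAIL: $_ca is not world-readable (check permissions)"; return 1; }
    fi
    if [ -n "$_cadir" ] && [ ! -d "$_cadir" ]; then
        echo "  FAIL: TLS_CACERTDIR $_cadir is not a directory"; return 1
    fi
    echo "  OK: CA material is present and readable"
}

# Chain check of a server certificate ($2) against a CA file ($1).
ldap_tls_verify_chain() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping"; return 0; }
    openssl verify -CAfile "$1" "$2"
}

# ---- constructed fixtures (placeholder contents, not real certificates) ----
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder, not a real certificate' \
    '-----END CERTIFICATE-----' > "$DEMO/ca.pem"
chmod 644 "$DEMO/ca.pem"
cp "$DEMO/ca.pem" "$DEMO/ca-private.pem"
chmod 600 "$DEMO/ca-private.pem"         # owner-only: breaks an unprivileged client

GOOD_CONF=$DEMO/good.conf        # no TLS_REQCERT line, so the demand default applies
printf 'URI ldaps://ldap.example.test\nTLS_CACERT %s\n' "$DEMO/ca.pem" > "$GOOD_CONF"
NOCA_CONF=$DEMO/noca.conf        # demand, but no CA configured at all
printf 'URI ldaps://ldap.example.test\nTLS_REQCERT demand\n' > "$NOCA_CONF"
MISSING_CONF=$DEMO/missing.conf  # lower-case directive, CA path does not exist
printf 'tls_cacert %s\n' "$DEMO/no-such-ca.pem" > "$MISSING_CONF"
PRIVATE_CONF=$DEMO/private.conf  # CA file exists but is mode 0600
printf 'TLS_REQCERT hard\nTLS_CACERT %s\n' "$DEMO/ca-private.pem" > "$PRIVATE_CONF"

for _c in "$GOOD_CONF" "$NOCA_CONF" "$MISSING_CONF" "$PRIVATE_CONF"; do
    check_ldap_tls_config "$_c" || true
done

# Throwaway CA and server cert, only when openssl is installed, to show the
# chain check passing against the right CA and failing against the wrong one.
openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=Demo-CA -days 1 \
        -keyout "$DEMO/demo-ca.key" -out "$DEMO/demo-ca.pem" 2>/dev/null \
  && openssl req -newkey rsa:2048 -nodes -subj /CN=ldap.example.test \
        -keyout "$DEMO/srv.key" -out "$DEMO/srv.csr" 2>/dev/null \
  && openssl x509 -req -in "$DEMO/srv.csr" -CA "$DEMO/demo-ca.pem" -CAkey "$DEMO/demo-ca.key" \
        -CAcreateserial -days 1 -out "$DEMO/srv.pem" 2>/dev/null \
  && ldap_tls_verify_chain "$DEMO/demo-ca.pem" "$DEMO/srv.pem" \
  && { ldap_tls_verify_chain "$DEMO/ca.pem" "$DEMO/srv.pem" 2>&1 || true; } \
  || echo "openssl demo skipped or failed (openssl missing or too old)"
```

Point check_ldap_tls_config at the real client ldap.conf, and remember that a
per-user ldaprc/.ldaprc and the LDAPTLS_CACERT / LDAPTLS_REQCERT environment
variables can override what the system file says, so check those too when the
result does not match what ldapsearch does. Once the CA file is found and
readable, `openssl s_client -connect host:636 -CAfile /path/to/ca.pem` against
the live server shows whether the chain the server presents actually validates
against that CA.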