[Date Prev][Date Next]
RE: Last attempt at TLS/SSL
Hi Kent - doesn't look like a permissions issue to me
as the CA cert (and all the directories above it, in my
case /var/tmp/certs) are all world readable.
Here is some extra info, all the lines I have turned on
in my slapd.conf file and also ldap.conf:
access to attr=userPassword
by self write
by anonymous auth
by dn.base="cn=Authenticator,dc=webtech,dc=com" read
access to * by * read
index objectClass eq
index uid pres,eq
index cn pres,eq
I see the same problem if I change over to port 389 and
don't run ldaps, but instead use "ssl start_tls". Although
when I use that, I can't even get openssl to verify the
cert. I'm agnostic as to using ldaps or ldap and TLS,
which ever would actually work would be fine.
And I actually have a copy of your how to printed out sitting
on my desk right now that I have been using it as a reference
and am wondering why openldap hates me so much because this
seems like it should be fairly easy to make work.
From: Kent Soper [mailto:email@example.com]
Sent: Thursday, June 26, 2003 3:00 PM
To: Lawrence, Mike (White Plains)
Cc: openldap-software@OpenLDAP.org; owner-openldap-software@OpenLDAP.org
Subject: Re: Last attempt at TLS/SSL
"So there's one piece of software, openssl, saying "your cert is cool".
if I try to run ldapsearch
and pass it -H "ldaps://wp-app-3.webtech.com", it will fail with this
ldap_bind: Can't contact LDAP server (81)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
I had this same error after I upgraded my versions of OpenLDAP and
Cyrus-SASL recently and did not create new certs that were used in the
Without creating new certs I got around this by copying the server CA cert
to the client box because I was missing the old client CA cert. On the
client, TLS_REQCERT was "demand" in ldap.conf and a missing CA cert caused
the cert verification to fail. Even though you state you set the client
and server certs to the same cert, you might have a permission problem on
the client side. A CA cert should be globally readable anyway.
Check permissions on all certs and keys.
Check all config files (slapd.conf, ldap.conf, and ldaprc/.lpaprc if you
have one) for the set values and for directives that are set (but unlisted)
If all else fails, give
"http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html" a quick read,
especially the configuration section.
"I've tried turning on tls_checkpeer"
I think this is an old and unused directive. It's not in the OpenLDAP
2.1.21 man pages anymore.
"You don't stop playing because you grow old ...
you grow old because you stop playing."
Linux Technology Center, Linux Security
tie line: 678-9216
This electronic message transmission contains information from the Company that may be proprietary, confidential and/or privileged.
The information is intended only for the use of the individual(s) or entity named above. If you are not the intended recipient, be
aware that any disclosure, copying or distribution or use of the contents of this information is prohibited. If you have received
this electronic transmission in error, please notify the sender immediately by replying to the address listed in the "From:" field.