[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [seeking help] unknown CA

Thanks greatly for the advice. I would like to detail my problem.

I have the same php script that works on a linux machine (redhat 9). I
just installed rpms of openldap, openssl, php, apache and related, and the
script works perfectly.

However, I compiled an apache (both 1.3 and 2.0) on solaris 2.8, and the
script does not work. Neither does shell command ldapsearch work. (I use
openssl-0.9.7, php-4.3.3, openldap-2.1.22.)

In fact, on the linux machine, I didn't do anything like copying CA
certificates, at least knowingly. ldap.conf does not have TLS_CACERTDIR
but works fine. I checked the config files between the two machines, but
the configuration files seem to be the same.

When I "truss"ed ldapsearch on both machines, solaris failed while linux
worked. Also, solaris didn't call libldap or liblber while linux did.

Here're the commands and results.

$ldapsearch -v -x -H 'ldaps://ldapshost.server.com/' -b
'uid=xxxxx, ou=People,dc=server,dc=com' -D
'uid=xxxxx, ou=People,dc=server,dc=com' -W

ldap_bind: Can't contact LDAP server (81)
        additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

filter: (objectclass=*)
requesting: ALL
version: 2
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

Here're some of truss results from solaris.
execve("/opt/openldap/bin/ldapsearch", 0xFFBEF98C, 0xFFBEF9B8)  argc = 10
mmap(0x00000000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_ANON, -  1, 0) = 0xFF3A0000
resolvepath("/usr/lib/ld.so.1", "/usr/lib/ld.so.1", 1023) = 16
stat("/opt/openldap/bin/ldapsearch", 0xFFBEF6C8) = 0
open("/var/ld/ld.config", O_RDONLY)     Err#2 ENOENT
open("/lib/libssl.so.0.9.7", O_RDONLY)      Err#2 ENOENT
open("/usr/lib/libssl.so.0.9.7", O_RDONLY)  Err#2 ENOENT
open("/usr/local/lib/libssl.so.0.9.7", O_RDONLY) = 3
fstat(3, 0xFFBEF05C)                = 0
mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
mmap(0x00000000, 278528, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
MAP_PRIVATE|MAP_FIXED,  3, 188416) = 0xFF37E000
munmap(0xFF370000, 57344)           = 0
memcntl(0xFF340000, 40020, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
close(3)                    = 0
open("/lib/libcrypto.so.0.9.7", O_RDONLY)   Err#2 ENOENT
open("/usr/lib/libcrypto.so.0.9.7", O_RDONLY)   Err#2 ENOENT
open("/usr/local/lib/libcrypto.so.0.9.7", O_RDONLY) = 3

2) The php script is here.
    echo "<HTML><BODY>\n";
$server = "ldaps://operator.tamu.edu";
if (!$linkid) {
#ldap_start_tls($linkid); // Tried but does not work.

My basic goal is to get apache (1.3 or 2.0) working on solaris 2.8 with 
ldap, ssl and php support. I have this site:
but it seems to say I need iPlanet LDAP SDK to get ldaps on solaris. 

Any help would be greatly appreciated.


On Sun, 28 Sep 2003, Tony Earnshaw wrote:

> Ben Kim wrote:
> > I have a php script authenticating user against an ldap server (not under
> > my control) which I know has no problem.
> > But when I use it on my newly compiled server, it cannot bind with ldaps
> > protocol. Packet traces show the following exchange.
> > - client: Client Hello
> > - server: Server Hello, Certificate, Server Hello Done
> > - client: Alert (Level: Fatal, Description: Unknown CA)
> cced you, since this was a couple of days ago.
> *Assuming Linux, since you do not say*. If you have linked libphp4.so 
> against Openldap client libldap and liblber, your libphp4.so will be 
> using /usr/local/etc/ldap.conf or /etc/openldap/ldap.conf, depending on 
> your distro. NB, NOT /etc/ldap.conf. You get the ldap server admin to 
> send you a copy of the CA certificate he uses (have him gzip it, if he 
> uses email) and you put it in a directory readable by your Apache user 
> (nobody, apache, whatever) and you put the following line in ldap.conf:
> TLS_CACERTDIR  /path/to/cacertdir. This is not literal! You have to 
> substitute your own path. If you need more CA certs for different 
> purposes, you can append them into the same cacert file in the cacertdir.
> > On google, it seems to be one of the standard error strings: 
> > "   "CA"/"unknown CA"
> >           A valid certificate chain or partial chain was received, but
> > the certificate was not accepted because the CA certificate could not be
> > located or couldn't be matched with a known, trusted CA. This message
> > is always fatal."
> It is only "fatal" in the sense that it doesn't work at that moment. It 
> will not be "fatal" if you do the above.
> Best,
> --Tonni
> -- 
> Tony Earnshaw
> Millom kaksar eg litet kann trivast, millom jamningar helst er eg nøgd
> http://www.billy.demon.nl
> Mail: tonni@billy.demon.nl