
RE: [seeking help] unknown CA



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Ben Kim

> Thanks greatly for the advice. I would like to detail my problem.
>
> I have the same php script that works on a linux machine (redhat 9). I
> just installed rpms of openldap, openssl, php, apache and
> related, and the
> script works perfectly.
>
> However, I compiled an apache (both 1.3 and 2.0) on solaris
> 2.8, and the
> script does not work. Neither does shell command ldapsearch
> work. (I use
> openssl-0.9.7, php-4.3.3, openldap-2.1.22.)
>
> In fact, on the linux machine, I didn't do anything like copying CA
> certificates, at least knowingly. ldap.conf does not have
> TLS_CACERTDIR
> but works fine. I checked the config files between the two
> machines, but
> the configuration files seem to be the same.

RedHat's openldap rpms are extremely old; they still ship OpenLDAP 2.0.25.
The OpenLDAP 2.0 client library didn't do certificate verification by
default, which is why your Linux install "works" without any CA cert
configuration. It is working, but it's not providing any real security. Set
the TLS_CACERT in the OpenLDAP ldap.conf file. Don't use TLS_CACERTDIR unless
you've read the OpenLDAP Admin Guide and the OpenSSL docs and actually know
what you're doing.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
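The following is an added example, not code from the thread or from the OpenLDAP project. It writes three constructed client ldap.conf files into a temporary directory (one with no CA at all, one using TLS_CACERT as suggested above, and one using TLS_CACERTDIR with an unhashed directory) and runs a small check over each. The hostname, base DN and the stand-in CA file are placeholders invented for the example.

```sh
#!/bin/sh
# Added example: sanity-check the TLS settings in an OpenLDAP client ldap.conf.
# All file contents and paths below are constructed for this example.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the CA certificate that signed the server's cert.
# Only its presence and readability matter to this check.
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' '-----END CERTIFICATE-----' \
    > "$WORK/ca.pem"

# Weak config: no CA configured at all. An OpenLDAP 2.0 client connected
# anyway (no verification); a 2.1 client with the default TLS_REQCERT demand
# refuses, which is the symptom described in the thread.
cat > "$WORK/ldap-weak.conf" <<EOF
URI ldaps://ldap.example.com
BASE dc=example,dc=com
EOF

# Corrected config: TLS_CACERT points at the CA file, TLS_REQCERT demand
# makes the client fail closed if the server certificate does not verify.
cat > "$WORK/ldap-good.conf" <<EOF
URI ldaps://ldap.example.com
BASE dc=example,dc=com
TLS_CACERT $WORK/ca.pem
TLS_REQCERT demand
EOF

# TLS_CACERTDIR variant with the CA copied in but not hashed: OpenSSL looks
# CAs up by subject-hash filename (HASH.0), so a plain copy is never found.
mkdir "$WORK/certs"
cp "$WORK/ca.pem" "$WORK/certs/ca.pem"
cat > "$WORK/ldap-dir.conf" <<EOF
URI ldaps://ldap.example.com
BASE dc=example,dc=com
TLS_CACERTDIR $WORK/certs
EOF

# check_ldap_conf FILE: prints "ok" when the client can actually verify the
# server certificate; otherwise prints the first problem found and returns 1.
check_ldap_conf() {
    conf=$1
    cacert=$(awk 'toupper($1)=="TLS_CACERT"{print $2}' "$conf")
    cacertdir=$(awk 'toupper($1)=="TLS_CACERTDIR"{print $2}' "$conf")
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT"{print tolower($2)}' "$conf")

    if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "no TLS_CACERT/TLS_CACERTDIR: server certificate cannot be verified"
        return 1
    fi
    if [ -n "$cacert" ] && [ ! -r "$cacert" ]; then
        echo "TLS_CACERT $cacert is not readable"
        return 1
    fi
    if [ -n "$cacertdir" ] && ! ls "$cacertdir"/*.0 >/dev/null 2>&1; then
        # c_rehash (or 'openssl rehash' on newer OpenSSL) creates the HASH.0 links.
        echo "TLS_CACERTDIR $cacertdir has no hashed (HASH.0) entries; run c_rehash"
        return 1
    fi
    # Unset TLS_REQCERT defaults to demand; never/allow/try weaken verification.
    case ${reqcert:-demand} in
        demand|hard) ;;
        *) echo "TLS_REQCERT $reqcert weakens or disables verification"; return 1 ;;
    esac
    echo ok
}

for f in ldap-weak.conf ldap-good.conf ldap-dir.conf; do
    printf '%s: ' "$f"
    check_ldap_conf "$WORK/$f" || true
done
```

To test a given configuration against a real server, point the client library at the file with the LDAPCONF environment variable and force StartTLS with `-ZZ` (for example `LDAPCONF=/path/ldap-good.conf ldapsearch -x -ZZ -H ldap://ldap.example.com -b dc=example,dc=com`); with the weak file and a 2.1 client the search should fail at the TLS handshake rather than silently succeed.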