Re: [ldap] OpenLDAP TLS problem

Just for yucks, modify your /etc/ldap.conf (on the client machine) by
adding the following line:


and see if you can get it to succeed that way. (this should disable the
checking for a valid CA cert). If that works then that'll verify that
you're on the right track.  My guess is that you just haven't properly
configured the client to use the correct CA cert (though I have no
specific advice on how to go about that -- it looks to me like
TLS_CACERT is the right entity -- did you try specifying that in
/etc/ldap.conf or somewhere else?)  Also, if you need to post again,
please supply the version of OpenLDAP that you're attempting this with.

good luck, ~c

Lukas Meyer wrote:

Hi list

I'm trying to set up an OpenLDAP server with TLS support. I created the needed certificates and added the essential lines to slapd.conf as described in several howtos. But whatever I try, I get the same error:

TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca /usr/src/lib/libssl/ssl/../src/ssl/s3_pkt.c:1052
connection_read(9): TLS accept error error=-1 id=7, closing
connection_closing: readying conn=7 sd=9 for close
connection_close: conn=7 sd=9
daemon: removing 9
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=8 active_threads=0 tvp=NULL

As explained in several mailing list posts, everything should work after declaring the correct certificate through the TLS_CACERT variable. I also created an .ldaprc file which contains this variable. But the error still occurs.

What else can I do to solve this problem? I very much welcome any suggestions!

Best regards

That's one of the cool things about being a Catholic ... it's a
multifaceted experience.  If you lose the faith, chances are you'll
keep the guilt, so it isn't as if you've been skunked altogether.
 -Stephanie Plum
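
Added example, not part of either message above: a small Python parser for slapd TLS trace lines in the format quoted in the thread, reporting which side sent an alert. In this trace format "alert read" means the alert arrived from the peer, so an "unknown CA" read during SSL_accept was raised by the client while checking the server's certificate. The function names and the sample log are constructed for illustration.

```python
import re

# Constructed sample in the format of the slapd debug trace quoted above.
SAMPLE_LOG = """\
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
"""

STATE_RE = re.compile(r"^TLS trace: (SSL_accept|SSL_connect):(.+)$")
ALERT_RE = re.compile(r"^TLS trace: SSL3 alert (read|write):(warning|fatal):(.+)$")

def parse_alerts(log_text):
    """Return one dict per TLS alert, with the sender and the preceding handshake state."""
    alerts, role, last_state = [], None, None
    for line in log_text.splitlines():
        line = line.strip()
        state = STATE_RE.match(line)
        if state:
            # SSL_accept is logged by the accepting (server) side, SSL_connect by the client.
            role = "server" if state.group(1) == "SSL_accept" else "client"
            last_state = state.group(2)
            continue
        alert = ALERT_RE.match(line)
        if alert:
            direction, level, desc = alert.groups()
            peer = {"server": "client", "client": "server"}.get(role, "peer")
            # "read": the alert arrived from the peer; "write": the logging side sent it.
            sender = peer if direction == "read" else (role or "local")
            alerts.append({"sender": sender, "level": level,
                           "description": desc, "after_state": last_state})
    return alerts

def diagnose(alert):
    """Turn an 'unknown CA' alert into a statement about which trust store to check."""
    if alert["description"].lower() != "unknown ca":
        return "%s sent %s alert: %s" % (alert["sender"], alert["level"], alert["description"])
    return ("%s could not chain the certificate it received to a CA it trusts; "
            "check the CA file configured on the %s side (TLS_CACERT for an LDAP client)"
            % (alert["sender"], alert["sender"]))

if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_LOG):
        print(diagnose(a))
```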