[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Unable to connect via TLS

On Jul 6, 2004, at 12:17 PM, Jean-Denis Langelier wrote:

I tried putting putenv(
strdup("LDAPTLS_CACERT=./cert")); before my ldap_init
statment, and now I just get

ldap_start_tls_s: Connect error (91)
ldap_simple_bind_s: Can't contact LDAP server (81)

as error messages.

Excuse my ignorence on the subject, but what exactly
does the cert file do?  Do I need to put something in
it before executing my program?
Your ldap server has a certificate that says "I am ldap.usherbrooke.ca".
But since anyone could make such a certificate, your ldap server's certificate is signed by a Certificate Authority (CA).
The CA is someone you trust, and the server trusts, and therefor when you get the certificate from your ldap server, you can trust that you are really talking to your ldap server.
Therefor you need a copy of the CA's certificate on your machine (so that you can use it to verify the certificate from the ldap server).

You'll have to contact someone in your organization about where the to get the CA certificate.

Oh, and I tried connecting with ldapsearch using the following:

ldapsearch -h ldap.usherbrooke.ca -ZZ

and I get the following message:

ldap_start_tls: Connect error (91)
        additional info: error:14090086:SSL
verify failed

wich is stragely familliar to the one I get with my


The tools need to know where the CA certificate is too. Once you've received the CA certificate, edit your ldap.conf file and add
TLS_CACERT=path to CA cert.

see man ldap.conf for more info

good luck,