
Re: Unable to connect via TLS




On Jul 6, 2004, at 12:17 PM, Jean-Denis Langelier wrote:

> I tried putting putenv(strdup("LDAPTLS_CACERT=./cert")); before my ldap_init
> statement, and now I just get
>
> ldap_start_tls_s: Connect error (91)
> ldap_simple_bind_s: Can't contact LDAP server (81)
>
> as error messages.
>
> Excuse my ignorance on the subject, but what exactly
> does the cert file do?  Do I need to put something in
> it before executing my program?

Your ldap server has a certificate that says "I am ldap.usherbrooke.ca".
But since anyone could make such a certificate, your ldap server's certificate is signed by a Certificate Authority (CA).
The CA is someone you trust, and the server trusts, and therefore when you get the certificate from your ldap server, you can trust that you are really talking to your ldap server.
Therefore you need a copy of the CA's certificate on your machine (so that you can use it to verify the certificate from the ldap server).


You'll have to contact someone in your organization about where to get the CA certificate.

> Oh, and I tried connecting with ldapsearch using the following:
>
> ldapsearch -h ldap.usherbrooke.ca -ZZ
>
> and I get the following message:
>
> ldap_start_tls: Connect error (91)
>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> which is strangely familiar to the one I get with my
> program.
>
> Thanks!

The tools need to know where the CA certificate is too. Once you've received the CA certificate, edit your ldap.conf file and add
TLS_CACERT=path to CA cert.


see man ldap.conf for more info


good luck,

Patrick
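A small diagnostic for the situation in this thread, added here as an example and not part of the original messages: it checks that the file the client will use as its CA certificate (TLS_CACERT in ldap.conf, or LDAPTLS_CACERT in the environment) actually exists and contains a PEM certificate, prints the ldap.conf directive (man ldap.conf separates keyword and value with whitespace), and then runs ldapsearch with StartTLS required. The host name is the one from the thread; the -H URI form and the root-DSE query are assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from the thread. Checks that the CA file the
# OpenLDAP client will use (TLS_CACERT in ldap.conf, or LDAPTLS_CACERT in
# the environment) is actually a PEM certificate, then runs ldapsearch
# with StartTLS required. The -H URI form is an assumption of this example.

# check_cacert PATH -> 0 if PATH looks like a usable PEM CA certificate,
# otherwise a non-zero code and a diagnosis on stderr.
check_cacert() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "cacert: $f does not exist" >&2; return 1
    elif [ ! -r "$f" ]; then
        echo "cacert: $f is not readable" >&2; return 2
    elif [ ! -s "$f" ]; then
        echo "cacert: $f is empty; copy the CA's certificate into it" >&2; return 3
    elif ! grep -q 'BEGIN CERTIFICATE' "$f"; then
        echo "cacert: $f is not PEM (no BEGIN CERTIFICATE line)" >&2; return 4
    fi
    return 0
}

# ldap_conf_line PATH -> the ldap.conf directive for this CA file
# (man ldap.conf: keyword and value are separated by whitespace).
ldap_conf_line() {
    printf 'TLS_CACERT %s\n' "$1"
}

# ldap_tls_probe HOST CACERT -> queries the root DSE over StartTLS.
# -ZZ makes ldapsearch fail rather than fall back to plaintext if TLS
# cannot be negotiated, so the certificate check is never silently skipped.
ldap_tls_probe() {
    check_cacert "$2" || return $?
    LDAPTLS_CACERT=$2 ldapsearch -x -H "ldap://$1" -ZZ -s base -b '' '(objectClass=*)'
}

# Usage: sh thisfile.sh ldap.usherbrooke.ca /path/to/ca.pem
case $# in
    2) ldap_tls_probe "$1" "$2" ;;
esac
```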