
Re: TLS problems



I'm no expert (at all), but my experience tells me that the how-to here is
very good:

http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html

Following it is rather easy and there's a lot of info (don't go too fast, like
I did, because there are several little details that are important and not
very striking at first sight).

BTW, the "ssl start_tls" is nothing from OpenLDAP.

stF

(PS: given my previous posts, which were very short-sighted, I'd say that you
should take my advice with some, eh, prudence :))


> I have this weird problem with TLS configuration. I have had this LDAP
> server working for a long time but without any use of TLS/SSL. So I
> decided to set it up to use TLS. I created a server.pem that I placed in
> /etc/ssl/openldap and configured slapd.conf and ldap.conf as I show later
> on.
>
> All seemed well, if it weren't for the following problem.
> If I execute this command line:
> ldapsearch -LLL -H ldaps://fqdn/ -x -D"cn=root,dc=dcc"
> -b"dc=alunos,dc=dcc" -W
>
> as root it works and with some other user it doesn't.
>
> As root I get all my entries in my subtree (expected) and with any other
> user I get:
>
> ldap_bind: Can't contact LDAP server (81)
>         additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
>
> (I'm only displaying the lines I added to my working configuration)
>
> My slapd.conf contains the following lines:
> [...]
>
> TLSCertificateFile      /etc/ssl/openldap/ldap.pem
> TLSCertificateKeyFile   /etc/ssl/openldap/ldap.pem
> TLSCACertificateFile    /etc/ssl/openldap/ldap.pem
>
> [....]
>
> and my /etc/ldap.conf contains the following lines:
> [....]
>
> uri ldaps://fqdn/
> ....
> ssl ssl start_tls
>
> [....]
>
>
> Pedro Silva
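As an added example, not from either poster, here is a small Python audit of the slapd.conf layout quoted above, where all three TLS directives name the same ldap.pem. It assumes that file holds both the server certificate and its private key, and that clients are pointed at the same file as their CA bundle: a key-bearing file has to stay root-only, which is one cause of the "works as root, fails for other users with certificate verify failed" symptom, since non-root ldapsearch runs cannot read their CA certificate from it. The config fragment and PEM text below are constructed, with placeholder bodies rather than real key material.

```python
"""Audit a slapd.conf TLS file layout for the shared cert/key/CA pitfall (added example)."""
import re
from typing import Dict, List

# Constructed slapd.conf fragment mirroring the quoted post: one file, three roles.
SLAPD_CONF = """
TLSCertificateFile      /etc/ssl/openldap/ldap.pem
TLSCertificateKeyFile   /etc/ssl/openldap/ldap.pem
TLSCACertificateFile    /etc/ssl/openldap/ldap.pem
"""

# Constructed stand-in for that file: certificate and private key in one PEM.
# The base64 bodies are placeholders, not real certificates or keys.
LDAP_PEM = """-----BEGIN CERTIFICATE-----
MIIBplaceholder
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEplaceholder
-----END RSA PRIVATE KEY-----
"""

TLS_DIRECTIVES = ("TLSCertificateFile", "TLSCertificateKeyFile", "TLSCACertificateFile")


def parse_tls_directives(conf: str) -> Dict[str, str]:
    """Map each TLS* directive found in a slapd.conf fragment to its path."""
    found: Dict[str, str] = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in TLS_DIRECTIVES:
            found[parts[0]] = parts[1]
    return found


def pem_block_types(pem: str) -> List[str]:
    """Return the labels of every PEM block in the text, in file order."""
    return re.findall(r"-----BEGIN ([A-Z ]+)-----", pem)


def audit(conf: str, pem_by_path: Dict[str, str]) -> List[str]:
    """Report layouts that either lock non-root clients out or expose the key."""
    findings: List[str] = []
    directives = parse_tls_directives(conf)
    ca = directives.get("TLSCACertificateFile")
    key = directives.get("TLSCertificateKeyFile")
    if ca and ca == key:
        findings.append("CA file is the private-key file: clients must read the CA "
                        "bundle, but the key file must stay root-only (mode 0600)")
    if ca in pem_by_path and any("PRIVATE KEY" in t for t in pem_block_types(pem_by_path[ca])):
        findings.append(f"{ca} carries a PRIVATE KEY block; a CA bundle should hold certificates only")
    return findings
```

The fix this audit points at is to split the file: keep the certificate and key in a root-only file for slapd, and give clients a separate, world-readable PEM containing only the CA certificate.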