Re: Trying to get TLS Working

[Howard Chu <hyc@symas.com>]

David Wheeler wrote:

> Hi All,
>
> Pardon my newbie-ness. I'm setting up my new OpenLDAP server to  
> authenticate for Subversion and, eventually other things (postfix,  
> Bricolage, RT, etc.). But right now I'm running into trouble getting  
> TLS to work, both with the ldap clients and with  
> mod_auth_ldap/mod_ldap. Here's an example:
>
>   % ldapsearch -x -b 'dc=example,dc=com' -D  
> "cn=admin,dc=example,dc=com" \
>     -h ldap.example.com -w password -ZZ '(objectclass=*)'
>   ldap_start_tls: Connect error (-11)
>           additional info: error:14090086:SSL  
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> I set up my certificates according to the instructions on this handy  
> page:
>
>   http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
>
> And my slapd.conf TLS section look like this:
...

> I've spent a lot f time Googling to try to figure this out, but 
> haven't  had much luck. Any kind suggestions would be greatly 
> appreciated.
Run ldapsearch with debugging enabled. There are a variety of reasons 
this may be failing, but without the debug info it's impossible to say. 
Also, you didn't mention whether you've configured your ldap.conf 
properly. I will assume since you didn't mention it that you haven't 
configured it, and this obviously must be done first.

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support