[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: problem with ldapsearch/TLS ( or Fedora Core 2?? )

great HOWTO!!

yes I did put cacert.pem in slapd.conf

this is something I have tried on the OpenLDAP server itself.

[root@myhost openldap]# openssl s_client -connect localhost:636 -showcerts
depth=1 /DC=COM/DC=Domain/DC=Corporate/OU=IS/CN=MyHost Certificate Authority/emailAddress=ca@domain.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
4363:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1052:SSL alert number 40
4363:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:

If I specify -key and -cert :
[root@myhost openldap]# openssl s_client -connect localhost:636 -showcerts -key /etc/openldap/certs/myhost.key -cert /etc/openldap/certs/myhost.crt
SSL handshake has read 2324 bytes and written 983 bytes
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 512 bit
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 3E07A62C57A11DEAFBBF0A87475A32E46D6790FE041990AB4887F80B123B179B
    Master-Key: DF7028A34CB69F1E48BF64E93C1E3F33236A1F084523A23B1A2749EDE83BB4E7472E57E4D8F4D97FBF0487D5A42BB044
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1098502481
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)

this looks like my problem is not from ldapseach but something else, right?  why do I need to specify -cert and -key to make "openssl s_client" work?  Does ldapsearch or openssl look for a default "cert" and "key" from a DEFAULT location.  (eg.  ldapsearch or openssl will look for /etc/certs/server.key and /etc/certs/server.crt ... )


"Tay, Gary" <Gary_Tay@platts.com>

10/22/2004 07:09 PM

"Barrow H Kwan" <bhkwan@thoughtworks.com>
RE: problem with ldapsearch/TLS  ( or Fedora Core 2?? )

Turn on debugging to get more hints.

Did u put cacert.pem in slapd.conf on the server and $ETC_OPENLDAP/ldap.conf on the client.

My HOWTO has hands-on steps for newbies to practise, u may find it useful.


                -----Original Message-----
                From: owner-openldap-software@OpenLDAP.org on behalf of Barrow H Kwan
                Sent: Fri 10/22/2004 10:16 AM
                To: openldap-software@OpenLDAP.org
                Subject: problem with ldapsearch/TLS ( or Fedora Core 2?? )

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature