
Re: TLS/SSL problems, server side certificate not recognized



Hi,

Send your config files to the list. Make sure you are starting slapd on the correct port (ldap: and/or ldaps:) to serve both "ssl start_tls" and "ssl on". Which to use is found in your /etc/ldap.conf file. Mine says:

ssl start_tls
tls_cacertfile /usr/local/etc/cacert.pem
tls_ciphers HIGH

My /usr/local/etc/openldap/ldap.conf contains:

TLS_REQCERT never
TLS_CACERT /usr/local/etc/cacert.pem

Note the specification of the location of the (self-signed) ca cert.

Starting slapd as follows:

/usr/local/libexec/slapd -h 'ldap:/// ldaps:///'

Note I am starting the daemon on both port 389 and port 636; I prefer start_tls, but our email clients do not support this protocol.

As a first step, you should probably get ldap working without encryption, that way you can point to encryption as the source of your "stupidity" :-)

Regards,
Chuck
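The two client-side connection styles Chuck contrasts above (TLS from the first byte on the ldaps: port, or a StartTLS upgrade on the ldap: port), as an added example that is not part of this thread: a small Python probe that builds the StartTLS extended request itself and verifies the server certificate against the CA file, which is what TLS_REQCERT demand does and TLS_REQCERT never skips. The host and CA path arguments are placeholders.

```python
# Added example, not code from the thread. The host/cafile arguments are placeholders
# for your slapd and the CA cert named by TLS_CACERT; verification is always on.
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS } }."""
    name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID  # [0] requestName
    ext = b"\x77" + ber_len(len(name)) + name                   # [APPLICATION 23]
    body = b"\x02\x01" + bytes([msg_id]) + ext                  # INTEGER messageID
    return b"\x30" + ber_len(len(body)) + body                  # SEQUENCE


def starttls_result_code(resp: bytes) -> int:
    """resultCode of the ExtendedResponse: 30 L 02 01 id 78 L 0A 01 <code> ..."""
    if len(resp) < 10 or resp[0] != 0x30 or resp[5] != 0x78 or resp[7:9] != b"\x0a\x01":
        raise ValueError("not an LDAP ExtendedResponse with short-form lengths")
    return resp[9]  # 0 == success; anything else means slapd refused StartTLS


def tls_context(cafile: str) -> ssl.SSLContext:
    """Trust only the configured CA, check the hostname, require TLS 1.2+."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_ldaps(host: str, cafile: str, port: int = 636) -> str:
    """ldaps:// (the 'ssl on' style): TLS from the first byte."""
    with socket.create_connection((host, port), timeout=5) as raw:
        with tls_context(cafile).wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def check_starttls(host: str, cafile: str, port: int = 389) -> str:
    """ldap:// (the 'ssl start_tls' style): plain TCP, then upgrade in-band."""
    with socket.create_connection((host, port), timeout=5) as raw:
        raw.sendall(starttls_request())
        code = starttls_result_code(raw.recv(4096))
        if code != 0:
            raise RuntimeError(f"StartTLS refused, resultCode={code}")
        with tls_context(cafile).wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()
```

If check_ldaps succeeds but check_starttls raises a resultCode error, slapd is listening on 389 without TLS configured for that listener; if both fail with a certificate verify error, the CA file does not match the cert slapd is serving.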


At 03:54 AM 3/7/2005, Omar Al-Tabari wrote:
I'm totally ignorant regarding ldap, but I must configure it to use it in my company. I need to enable SSL/TLS for its use, either TLS over port 389 or SSL over port 636, but I can't seem to make it work.

I've created a self-signed certificate, as instructed in many FAQ and HOW-TO articles, but it doesn't seem to work. I also created a CA and separated the certificate from the private key and added it to the server, but still no success.

I need help; it looks like I'm a total idiot, that's why it doesn't work. You can't help me with my stupidity, but I hope you could help me to get SSL or TLS working.

Also, what needs to be done on the client side? Do I copy the created certificates, or do I copy nothing?

I'm using:

Fedora Core 2

Openldap 2.2.13

Chuck Theobald
System Administrator
The Robert and Beverly Lewis Center for Neuroimaging
University of Oregon
P: 541-346-0343
F: 541-346-0345