[Date Prev][Date Next] [Chronological] [Thread] [Top]

OpenLDAP as a ldap->ldaps proxy for apache to AD


I am having trouble setting up OpenLDAP as a ldap->ldaps proxy for
apache to AD authentication.  The proxy is running on debian sarge and
I am using the standard packages.

I can see Apache connecting to OpenLDAP, and OpenLDAP connecting to
the AD server, but it appears that there are errors in the bind phase
for the SSL connection.

When I run "slapd -d 16383" I get the below messages in the dump.

TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 20, subject: /O=RSA
Security Inc./CN=RSA Public Root CA
v1/emailAddress=rsakeonrootsign@rsasecurity.com, issuer: /L=ValiCert
Validation Network/O=ValiCert, Inc./OU=ValiCert Class 3 Policy
Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
TLS certificate verification: Error, unable to get local issuer certificate

In slapd.conf I did not do any certificate configuration, as appache
will not be connecting with SSL.  OpenLDAP runs as root, so all of my
SSL configuration is in ~root/.ldaprc.  Am I understanding correctly
that this is how it should be done.  I have double-checked the paths
to the cert files, and they are all PEM encoded.  I also know the
files are valid because Apache is using them for server authentication
to the client.

Here are what I believe to be the applicable lines from my configuration.

database       ldap
suffix         "ou=people,dc=dir,dc=svc,dc=DOMAIN,dc=com"
uri            "ldaps://AD_SERVER.DOMAIN.com:636"

TLS_CACERT /opt/cert/SSLchain.pem
TLS_CERT /opt/cert/host.domain.com.crt
TLS_KEY /opt/cert/host.domain.com.key

Not sure what I'm missing, but I'm new to OpenLDAP so it could be
something basic.  (I have checked the man pages, other docs,  and
searched the mailing lists.)