Re: OpenLDAP as a ldap->ldaps proxy for apache to AD
- To: openldap-software@OpenLDAP.org
- Subject: Re: OpenLDAP as a ldap->ldaps proxy for apache to AD
- From: Don Wood <firstname.lastname@example.org>
- Date: Mon, 13 Jun 2005 15:05:48 -0500
- In-reply-to: <42ADE0F1.email@example.com>
- References: <firstname.lastname@example.org> <42ADE0F1.email@example.com>
Thanks, and sorry for the omission. I am running OpenLDAP 2.2.23.
Following your advice, I tried adding the following lines to my slapd.conf.
It didn't appear to make any difference, and I still get the "TLS
certificate verification: Error, unable to get local issuer certificate".
On 6/13/05, Howard Chu <firstname.lastname@example.org> wrote:
> You didn't mention the OpenLDAP version, which is probably significant
> here. In older versions of OpenLDAP a single TLS context was used for
> slapd. In newer versions, there are separate contexts for slapd as a
> server vs slapd as a client (e.g. back-ldap). Try adding the equivalent
> TLS settings to slapd.conf.
> Don Wood wrote:
> > Hello,
> > I am having trouble setting up OpenLDAP as a ldap->ldaps proxy for
> > apache to AD authentication. The proxy is running on debian sarge and
> > I am using the standard packages.
> > I can see Apache connecting to OpenLDAP, and OpenLDAP connecting to
> > the AD server, but it appears that there are errors in the bind phase
> > for the SSL connection.
> > When I run "slapd -d 16383" I get the below messages in the dump.
> > TLS trace: SSL_connect:SSLv3 read server hello A
> > TLS certificate verification: depth: 2, err: 20, subject: /O=RSA
> > Security Inc./CN=RSA Public Root CA
> > v1/emailAddress=email@example.com, issuer: /L=ValiCert
> > Validation Network/O=ValiCert, Inc./OU=ValiCert Class 3 Policy
> > Validation Authority/CN=
> > TLS certificate verification: Error, unable to get local issuer
> > In slapd.conf I did not do any certificate configuration, as Apache
> > will not be connecting with SSL. OpenLDAP runs as root, so all of my
> > SSL configuration is in ~root/.ldaprc. Am I understanding correctly
> > that this is how it should be done? I have double-checked the paths
> > to the cert files, and they are all PEM encoded. I also know the
> > files are valid because Apache is using them for server authentication
> > to the client.
> > Here are what I believe to be the applicable lines from my
> > /etc/ldap/slapd.conf
> > database ldap
> > suffix "ou=people,dc=dir,dc=svc,dc=DOMAIN,dc=com"
> > uri "ldaps://AD_SERVER.DOMAIN.com:636"
> > ~root/.ldaprc
> > TLS_CACERT /opt/cert/SSLchain.pem
> > TLS_CERT /opt/cert/host.domain.com.crt
> > TLS_KEY /opt/cert/host.domain.com.key
> > TLS_REQCERT demand
> > Not sure what I'm missing, but I'm new to OpenLDAP so it could be
> > something basic. (I have checked the man pages, other docs, and
> > searched the mailing lists.)
> -- Howard Chu
> Chief Architect, Symas Corp. Director, Highland Sun
> http://www.symas.com http://highlandsun.com/hyc
> Symas: Premier OpenSource Development and Support
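The trace above says what is actually wrong: at depth 2 the server-sent chain ends in "RSA Public Root CA v1", which is itself issued by a ValiCert CA, so the chain is not self-terminating and OpenSSL looks for that ValiCert root in the local CA file. If it is not there, you get error 20, "unable to get local issuer certificate", regardless of which file the TLS settings live in. The script below is an added example, not code from the thread or from the OpenLDAP project: it builds a throw-away root, intermediate and server certificate with openssl (all names are placeholders), then runs the same client-side validation with a CA bundle that lacks the root and with one that has it, so you can see the exact error text and confirm that supplying the root is the fix.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "unable to get local
# issuer certificate" failure seen in the slapd trace and show it clearing
# once the missing root is in the CA bundle. Every certificate and name here
# is constructed on the spot with throw-away keys.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

subj() { printf '/CN=%s' "$1"; }

# Self-signed root: stands in for the ValiCert root the trace could not find.
openssl req -x509 -newkey rsa:2048 -nodes -days 7 -subj "$(subj 'Example Root CA')" \
  -keyout root.key -out root.crt >/dev/null 2>&1

# Intermediate signed by that root: stands in for "RSA Public Root CA v1",
# which the AD server sends but which is NOT self-signed.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
openssl req -newkey rsa:2048 -nodes -subj "$(subj 'Example Intermediate CA')" \
  -keyout inter.key -out inter.csr >/dev/null 2>&1
openssl x509 -req -days 7 -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -extfile ca.ext -out inter.crt >/dev/null 2>&1

# Server certificate (the AD side) signed by the intermediate.
openssl req -newkey rsa:2048 -nodes -subj "$(subj 'ad.example.com')" \
  -keyout ad.key -out ad.csr >/dev/null 2>&1
openssl x509 -req -days 7 -in ad.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -out ad.crt >/dev/null 2>&1

# An unrelated CA, so the "bad" bundle is a valid PEM file that merely lacks
# the root we need (a TLS_CACERT file missing the ValiCert root).
openssl req -x509 -newkey rsa:2048 -nodes -days 7 -subj "$(subj 'Unrelated CA')" \
  -keyout other.key -out other.crt >/dev/null 2>&1
cp other.crt bundle-missing-root.pem
cat root.crt inter.crt > bundle-with-root.pem

# verify_ad BUNDLE: validate ad.crt as a TLS client would, with the
# server-sent intermediate treated as untrusted chain material.
# Prints "ok" or "fail" and returns openssl's exit status.
verify_ad() {
  if openssl verify -CAfile "$1" -untrusted inter.crt ad.crt >/dev/null 2>&1; then
    echo ok
  else
    echo fail
    return 1
  fi
}

# verify_reason BUNDLE: extract the error-20 reason string, if present.
verify_reason() {
  openssl verify -CAfile "$1" -untrusted inter.crt ad.crt 2>&1 \
    | grep -o 'unable to get local issuer certificate' | head -n 1
}

verify_ad bundle-missing-root.pem || verify_reason bundle-missing-root.pem
verify_ad bundle-with-root.pem
```

On the slapd side the same rule applies: the file named by TLS_CACERT (or, per Howard's advice, by the global TLSCACertificateFile directive in slapd.conf, assuming that directive feeds the back-ldap client context in this version) must contain the root that the chain the AD server presents actually ends at, here the ValiCert CA, not only the "RSA Public Root CA v1" certificate. Do not make the error go away by relaxing TLS_REQCERT from demand to allow or never; that turns the ldaps hop into an unauthenticated connection carrying Apache's bind credentials.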