
Re: TLS question

The client *is* configured - (ldap.conf):
TLS_CACERT       /usr/local/etc/openldapcacert/cacert.pem

The server is configured (slapd.conf):
TLSCipherSuite               HIGH:MEDIUM:+TLSv1:+SSLv2
TLSCACertificateFIle     /usr/local/etc/openldap/cacert/cacert.pem
TLSCertificateFIle           /usr/local/etc/openldap/server.cert
TLSCertificateKeyFIle   /usr/local/etc/openldap/server.key
TLSVerifyClient               never

Attached is the output of the server, indicating that the CA is still
"unknown". I've tried every combination of client/server configurations I
can think of, and still get the same thing. I'm not sure what I'm missing.
(See attached file: server.out)

Howard Chu (sent by: owner-openldap-software@OpenLDAP.org)
09/29/2006 08:24
To: Dennis.Hoffman@seagate.com
cc: openldap-software@OpenLDAP.org
Subject: Re: TLS question

Dennis.Hoffman@seagate.com wrote:
> Hello:
>       I am trying to get TLS working on openldap-2.3.20.  When I initiate a
> search, the debug info at the server indicates "unknown_ca".  According to
> RFC 2246, this means that the "CA certificate could not be located or
> couldn't be matched with a known, trusted CA".  My question:  Isn't the
> slapd.conf "TLSCACertificateFile" directive what tells slapd which CA to
> trust?  If so, why isn't it working?

See the Admin Guide http://www.openldap.org/doc/admin23/tls.html

You need to configure the client.

   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc
   OpenLDAP Core Team            http://www.openldap.org/project/

Attachment: server.out
Description: Binary data
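The script below is an added example, not part of this thread or of OpenLDAP: it reproduces the unknown_ca outcome offline with the openssl CLI, using constructed CAs and a constructed server certificate. check_chain performs the validation an LDAP client does with its TLS_CACERT bundle against the slapd certificate; the function names, the hostname ldap.example.test and the temporary paths are assumptions.

```shell
# Constructed demo of this thread's failure mode: an LDAP client trusts only the
# CAs in ldap.conf TLS_CACERT. If that file lacks the CA that issued slapd's
# TLSCertificateFile, the client rejects the server and slapd logs unknown_ca.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the CA gets basicConstraints whatever the system openssl.cnf says.
cat >"$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = req_dn
x509_extensions = v3_ca
[req_dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# make_ca NAME: self-signed CA written to $WORK/NAME.pem and $WORK/NAME.key (constructed)
make_ca() {
    openssl req -x509 -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
        -days 2 -subj "/CN=Constructed $1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# make_server_cert CANAME: the slapd TLSCertificateFile equivalent, issued by CANAME
make_server_cert() {
    openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=ldap.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/server.csr" -days 2 \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/server.cert" >/dev/null 2>&1
}

# check_chain CABUNDLE SERVERCERT: the client-side check against TLS_CACERT.
# Prints "ok" (exit 0) if the bundle validates the certificate, else "unknown_ca" (exit 1).
check_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo unknown_ca
        return 1
    fi
}

make_ca realca            # the CA that actually signs the server certificate
make_ca otherca           # an unrelated CA, i.e. the wrong TLS_CACERT bundle
make_server_cert realca
check_chain "$WORK/realca.pem"  "$WORK/server.cert" || true   # prints ok
check_chain "$WORK/otherca.pem" "$WORK/server.cert" || true   # prints unknown_ca
```

Pointing check_chain at the real TLS_CACERT file and the real server certificate shows whether the client's bundle contains the issuer before touching slapd at all.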