[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS question

To: Dennis.Hoffman@seagate.com
Subject: Re: TLS question
From: Howard Chu <hyc@symas.com>
Date: Mon, 02 Oct 2006 07:51:23 -0700
Cc: openldap-software@OpenLDAP.org
In-reply-to: <OFD49176AC.A88073CB-ON872571FB.00507765-872571FB.0051C53C@seagate.com>
References: <OFD49176AC.A88073CB-ON872571FB.00507765-872571FB.0051C53C@seagate.com>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060911 Netscape/7.2 (ax) Firefox/1.5 SeaMonkey/1.5a

Get a debug log on the client. Most likely you didn't set the ldap.conf file that the client is actually using.

Note that getting the debug log on the server is not all that useful here since it is *receiving* an "unknown CA" alert from the client; it is the client that's complaining, not the server.

Dennis.Hoffman@seagate.com wrote:

The client *is* configured - (ldap.conf):
....
TLS_CACERT       /usr/local/etc/openldapcacert/cacert.pem
TLS_REQCERT   never
...
The server is configured (slapd.conf):
...
TLSCipherSuite               HIGH:MEDIUM:+TLSv1:+SSLv2
TLSCACertificateFIle     /usr/local/etc/openldap/cacert/cacert.pem
TLSCertificateFIle           /usr/local/etc/openldap/server.cert
TLSCertificateKeyFIle   /usr/local/etc/openldap/server.key
TLSVerifyClient               never
.....
Attached is the output of the server - indicating that the ca is still
"unknown "  I've tried every combination of client/server configurations I
can think of, and still get the same thing - I'm not sure what I'm missing
here.
Thanks
Dennis
(See attached file: server.out)
Howard Chu <hyc@symas.com> Sent by: To owner-openldap-so Dennis.Hoffman@seagate.com ftware@OpenLDAP.o cc rg openldap-software@OpenLDAP.org No Phone Info Subject Available Re: TLS question 09/29/2006 08:24 PM
Dennis.Hoffman@seagate.com wrote:
Hello:
I am trying to get TLS working on openldap-2.3.20. when I initiate
a
search, the debug info at the server indicates "unknown_ca". According
to
RFC 2246, this means that the "CA certificate could not be located or
couldn't be matched with a known, trusted CA".  My question:  Isn't the
slapd.conf "TLSCACertificateFile" directive what tells slapd which CA to
trust?  If so, why isn't it working?
See the Admin Guide http://www.openldap.org/doc/admin23/tls.html
You need to configure the client.


--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

References:
- Re: TLS question
  - From: Dennis.Hoffman@seagate.com

Prev by Date: Re: TLS question
Next by Date: syncrepl question
Index(es):
- Chronological
- Thread