Re: Enabling TLS problem on openldap2-2.3.39

Philip Guenther wrote:
> On Wed, 21 Nov 2007, Keagle, Chuck wrote:
>> I have yet to even change the error messages when trying:
>> # ldapsearch -x -Z -H ldap://testsvr.blv.boeing.com -b "" -s base 'objectclass=*' '+' '*'
>> ldap_start_tls: Connect error (-11)
>>        additional info: error:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Looks to me like slapd is sending its cert, but either
> 1) it doesn't match the hostname in the URI (testsvr.blv.boeing.com), or
> 2) none of the CAs 'above' it are in the set of CAs trusted to ldapsearch.
> So, what's the output of
>      openssl x509 -text -noout -in /path/to/servers/cert/here.pem

I'd recommend also configuring LDAPS on the separate port 636 by starting with

slapd -H "ldap://... ldaps://..."

and then using the command
openssl s_client with either the command-line option -CApath or -CAfile
to check whether everything is in place at the SSL/TLS level. openssl
s_client gives you a nice debug log right on the console. If everything's
working, then the startTLS ext. op. should also work.

Ciao, Michael.

Michael Ströder
E-Mail: michael@stroeder.com
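An added helper script (example code, not from Michael or from the OpenLDAP project) that wraps the openssl s_client probe suggested above and checks both of Philip's suspects at once: whether the chain verifies against the supplied CA file and whether the certificate's subject CN matches the host in the URI. Host, port and CA path are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example: probe an ldaps:// listener with openssl s_client and
# summarise the result. Host/port/CA file below are assumed placeholders.

# Pull the numeric "Verify return code" out of a saved s_client transcript.
# 0 means the chain verified against the CAs given with -CAfile/-CApath.
verify_code_from_output() {
    sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' "$1" | tail -n 1
}

# Pull the CN of the server certificate subject out of the transcript.
# s_client prints "subject=/CN=host" (old OpenSSL) or "subject=CN = host".
subject_cn_from_output() {
    sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p' "$1" | head -n 1 | sed 's/ *$//'
}

# Connect to host:port, save the handshake transcript, then report the
# verify code and whether the subject CN matches the host we dialled.
# Returns 0 on success, 1 for an untrusted chain, 2 for a CN mismatch.
check_ldaps() {
    host=$1; port=${2:-636}; cafile=$3
    out=$(mktemp)
    # </dev/null closes stdin so s_client exits right after the handshake
    openssl s_client -connect "$host:$port" -CAfile "$cafile" </dev/null >"$out" 2>&1
    code=$(verify_code_from_output "$out")
    cn=$(subject_cn_from_output "$out")
    rm -f "$out"
    echo "verify_code=$code subject_cn=$cn"
    [ "$code" = "0" ] || { echo "chain not trusted: add the issuing CA to -CAfile"; return 1; }
    [ "$cn" = "$host" ] || { echo "CN '$cn' does not match host '$host'"; return 2; }
    return 0
}

# Usage (placeholders): check_ldaps ldap.example.com 636 /etc/ssl/certs/my-ca.pem
```

Run it against the same host name you pass to ldapsearch; if it reports 0 and a matching CN but ldapsearch -Z still fails, the problem is in the client's ldap.conf TLS_CACERT settings rather than in the server's certificate.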