
Re: openldap tls problem



Make sure your client has the CA certificate. Check your /etc/openldap/ldap.conf configuration.

man ldap.conf on an openldap system and check the TLS OPTIONS section and see if you have the settings required to name the certs. The error is on your client, not the server.

Sellers

On Sep 12, 2008, at 7:21 AM, Michael Fischer wrote:

hi,

I hope this is the right list for my problem; if not, sorry in advance.

I want to configure slapd to use TLS. I have a certificate signed by
GlobalSign and the following lines in my slapd.conf:

<snip>
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/postfix/certs/ldap.pem
TLSCertificateKeyFile /etc/postfix/certs/ldap.key
TLSCACertificateFile /etc/postfix/certs/globalsign-domainssl.pem
</snip>

but when issuing an ldapsearch on another machine I still get an error:
<snip>
# ldapsearch -bdc=xxx,dc=at -Dcn=admin,dc=xxx,dc=at -hldap.xxx.at -p389 -x -W -ZZ -d5 objectClass=*
...
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 19, subject: /C=US/O=GTE
Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global
Root, issuer: /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions,
Inc./CN=GTE CyberTrust Global Root
TLS certificate verification: Error, self signed certificate in
certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
</snip>


The same GlobalSign certificates work well with my Apache.

any hints?

lg, Michael Fischer
--
email: michi.fischer@gmx.net
web: http://www.webfischer.at


--
Chris G. Sellers | Internet Engineer | NITLE
734.661.2318 | chris.sellers@nitle.org
Jabber: csellers@nitle.org | AIM: imthewherd
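An added diagnostic helper, written for this page and not code from either poster: it pulls the failing verification depth out of the `-d5` TLS trace quoted above and checks a client ldap.conf for the TLS_CACERT / TLS_CACERTDIR options Sellers points to. The sample trace and ldap.conf contents are constructed from the thread; the CA bundle path in the "good" config is an assumed placeholder.

```python
import re

# Constructed sample of the client-side `ldapsearch -ZZ -d5` trace from the thread
# (the mail-wrapped verification line is joined back into one line).
SAMPLE_TRACE = """\
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 19, subject: /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root, issuer: /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
"""

# Constructed client ldap.conf contents: one with no trust anchor, one naming a CA bundle
# (the bundle path is an assumed placeholder, not taken from the thread).
LDAP_CONF_NO_CA = "BASE dc=xxx,dc=at\nURI ldap://ldap.xxx.at\n"
LDAP_CONF_WITH_CA = LDAP_CONF_NO_CA + "TLS_CACERT /etc/openldap/certs/globalsign-domainssl.pem\n"

VERIFY_RE = re.compile(
    r"TLS certificate verification: depth: (\d+), err: (\d+), subject: (.*?), issuer: (.*)$")

def parse_verify_failures(trace):
    """Return (depth, err, subject, issuer) for each verification line whose err is non-zero."""
    failures = []
    for line in trace.splitlines():
        m = VERIFY_RE.match(line)
        if m and int(m.group(2)) != 0:
            failures.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return failures

def parse_tls_options(ldap_conf):
    """Collect TLS_* options from ldap.conf text; keys are case-insensitive, '#' starts a comment."""
    opts = {}
    for line in ldap_conf.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].upper().startswith("TLS_"):
            opts[parts[0].upper()] = parts[1].strip()
    return opts

def diagnose(trace, ldap_conf):
    """Explain why STARTTLS verification failed on the client and what the config lacks."""
    findings = []
    for depth, err, subject, issuer in parse_verify_failures(trace):
        if subject == issuer:  # err 19: a self-signed root the client's trust store does not hold
            findings.append(f"untrusted root at depth {depth} (err {err}): {subject}")
    opts = parse_tls_options(ldap_conf)
    if "TLS_CACERT" not in opts and "TLS_CACERTDIR" not in opts:
        findings.append("no TLS_CACERT/TLS_CACERTDIR in client ldap.conf: point TLS_CACERT at the CA bundle containing that root")
    if opts.get("TLS_REQCERT", "demand").lower() == "never":
        findings.append("TLS_REQCERT never turns off server verification; fix the trust store instead")
    return findings
```

Run `diagnose(trace_text, open("/etc/openldap/ldap.conf").read())` with a real `-d5` capture to get the same findings for your own client.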