It seems like my ldapsearch can't find
the get local issuer certificate. what configuration files tells the ldapsearch
certificate to use?
Oh, my certificate and keys and cacert
files are good, I've tested them using the openssl s_server and s_client
to get a basic connection.
can someone help me, I don't know what
else could be the problem.
Vinh CTR Hoang/ACT/CNTR/FAA@FAA Sent by: openldap-technical-bounces+vinh.ctr.hoang=faa.gov@OpenLDAP.org
02/12/2008 05:27 PM
Hi, I'm having some troubles with openldap w/ TLS.
I can't seem to do a ldapsearch -x -LLL -ZZ, as it is giving be back
"SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
On the server side log I'm getting:
TLS trace: SSL3 alert read: fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
I've tried and tested my ssl connection using:
openssl s_client -connect ldap1.mylan:636 -showcerts -state -CAfile
and that works, althought if I use "TLSVerifyClient demand" in
slapd.conf, the server will reject the connection
saying that the client didn't send the certificate.
I also tried the client authentication ssl test and the works w/ and w/o
the TLSVerifyClient demand option:
openssl s_client -connect ldap1.mylan:636 -state \
-CAfile /usr/local/etc/openldap/cacert.pem \
-cert /usr/local/etc/openldap/slapd-cert-ldap1.pem \
Does any know what i'm doing wrong?
Here are the tls part of my configs:
#TLS SSL keys
# network or connect timeouts (see bind_timelimit).
# The distinguished name of the search base.
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/ ldaps://127.0.0.1/
# Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3
# if supported by client library)
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
# The credentials to bind with.
# Optional: default is no credential.
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
# The port.
# Optional: default is 389.
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
# Seed the PRNG if /dev/urandom is not provided
# SSL cipher suite
# See man ciphers for syntax
# Client certificate and key
# Use these, if your server requires client authentication.