
Re: ldap_start_tls_s() usage related errors



dhiraj.prasad@tcs.com writes:

> Hello,
>
> I have configured LDAP server on linux with TLS support and was able to
> fetch data from it using the 'ldapsearch' utility.
> However, when I tried to do this searching via code I got the following errors:
>
> Error at Server Side:
>
> slap_listener_activate(10):
>>>> slap_listener(ldaps://)
[...]
> TLS trace: SSL3 alert read:fatal:unknown CA
> TLS trace: SSL_accept:failed in SSLv3 read client certificate A
> TLS: can't accept.
> TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> s3_pkt.c:1053
[...]
> Error at Client side:
>
> [root@localhost LDAP1]# ./ldapSearch

> TLS certificate verification: Error, self signed certificate in certificate
> chain
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_err2string
[...]

> Failure of LDAP bind -1-Can't contact LDAP server
> [root@localhost LDAP1]#
[...]
> ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, "/root/cacert.pem");

The error is so obvious, I presume that slapd and users cannot read
the cacert.pem. Put the CA in a place which can be accessed by all
users.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
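An added check (not part of the thread, and not OpenLDAP's own code) for the diagnosis above: the script walks every component of the CA file's path and reports whether a given account, slapd's user or an ordinary user, can search each directory and read the file, which is what /root (mode 700) denies. It assumes GNU coreutils `stat -c` (Linux); the account name "ldap" is a constructed example, substitute the user slapd runs as.

```shell
#!/bin/sh
# Added example: verify that the account which will open the CA file named in
# LDAP_OPT_X_TLS_CACERTFILE (client) or TLSCACertificateFile (slapd) can reach it.
# Unix rule: owner bits if the account owns the object, else group bits if one of
# its groups matches, else "other" bits. Assumes GNU stat (%U %G %a).

# perm_ok OWNER GROUP OCTALMODE USER "GROUP LIST" NEEDBIT   (NEEDBIT: 4=read, 1=search)
perm_ok() {
    local owner=$1 group=$2 mode=$3 user=$4 groups=$5 need=$6 u g o rest bits grp
    while [ ${#mode} -lt 3 ]; do mode=0$mode; done   # stat prints "0" for mode 000
    mode=${mode#"${mode%???}"}                       # drop setuid/setgid/sticky digit
    u=${mode%??}; rest=${mode#?}; g=${rest%?}; o=${rest#?}
    bits=$o
    if [ "$owner" = "$user" ]; then
        bits=$u
    else
        for grp in $groups; do [ "$grp" = "$group" ] && bits=$g; done
    fi
    [ $((bits & need)) -ne 0 ]
}

# ca_readable_by PATH USER [GROUP LIST]
# Returns 0 if USER can open PATH for reading; otherwise prints the first
# blocking path component (the usual culprit is a 700 home directory) and returns 1.
ca_readable_by() {
    local path=$1 user=$2 groups=${3:-$2} full prefix comp info owner group mode rest need what
    case $path in /*) ;; *) path=$PWD/$path ;; esac
    local oldIFS=$IFS; IFS=/; set -- $path; IFS=$oldIFS
    full=; for comp in "$@"; do [ -n "$comp" ] && full=$full/$comp; done
    prefix=
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        prefix=$prefix/$comp
        info=$(stat -L -c '%U %G %a' "$prefix" 2>/dev/null) ||
            { echo "cannot stat $prefix as $(id -un); check the parent directories"; return 1; }
        owner=${info%% *}; rest=${info#* }; group=${rest%% *}; mode=${rest#* }
        if [ "$prefix" = "$full" ]; then need=4 what=read; else need=1 what=search; fi
        if ! perm_ok "$owner" "$group" "$mode" "$user" "$groups" "$need"; then
            echo "$user cannot $what $prefix (owner=$owner group=$group mode=$mode)"
            return 1
        fi
    done
    echo "$user can read $path"
}
```

Run it as root on the server for slapd's account and on the client for the account that calls ldap_start_tls_s(); the first line it prints names the component whose mode (or owner) has to change, or where the file should be moved to instead.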