
Re: ldap not finding internal CA?



--- On Wed, 6/17/09, Mathias Gug <mathiaz@ubuntu.com> wrote:

> From: Mathias Gug <mathiaz@ubuntu.com>
> Subject: Re: ldap not finding internal CA?
> To: "Kurt Yoder" <ktyopenldap@yoderhome.com>
> Cc: openldap-technical@openldap.org
> Date: Wednesday, June 17, 2009, 9:13 PM
> 
> [...]
> 
>> My openldap is version 2.4.15 on Ubuntu Jaunty. Interestingly, I
>> had the same message about self-signed certificates on previous
>> Ubuntu versions, but querying ldap with "TLS_REQCERT demand" works
>> fine.
>
> As Howard mentioned this should have been fixed in 2.4.16.  However
> could you try to put both the CA certificate *and* the server
> certificate in the cert.file used by the slapd server - (that way
> the whole CA chain is sent to the client by gnutls) ?

Hi Mathias,

How exactly does one do that?  I've tried simply appending the contents of the CA file to the server certificate file and restarting slapd and it has no effect.

I've tried other various combinations as well but testing against Jaunty still fails while Intrepid works.

Meanwhile I built OpenLDAP 2.4.16 on Jaunty with no Ubuntu patches added to OpenLDAP and it works:

gruntler@jaunty-64:~/src/openldap-2.4.16/clients/tools$ ./ldapsearch -x -V
ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.16 (Jun 22 2009 17:04:33) $
        gruntler@jaunty-64:/home/gruntler/src/openldap-2.4.16/clients/tools
        (LDAP library: OpenLDAP 20416)
# extended LDIF
#
# LDAPv3
# base <dc=abcd, dc=efgh, dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
... snip ...

ldap.conf settings:

BASE    dc=abcd, dc=efgh, dc=com
URI     ldaps://auth01-test ldaps://auth02-test

TLS_CACERT      /etc/ssl/cacerts/my-org.cert.pem
TLS_REQCERT     demand

TIMEOUT         4
NETWORK_TIMEOUT 2

-----

Meanwhile...

gruntler@jaunty-64:~/src/openldap-2.4.16/clients/tools$ /usr/bin/ldapsearch -x -V
ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.15 (Mar 19 2009 10:07:04) $
        buildd@yellow:/build/buildd/openldap-2.4.15/debian/build/clients/tools
        (LDAP library: OpenLDAP 20415)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)