
Re: Problem with SSL/TLS



Chris Jacobs wrote:
/etc/ldap.conf is used by nss tools and the ilk.

/etc/openldap/ldap.conf would be used by openldap tools - like ldapsearch.

Actually it's used by libldap, which means everything that uses libldap (including nss_ldap). But of course the converse is not true, /etc/ldap.conf only affects nss_ldap and pam_ldap, not anything else.

I have the same setting there for tls_checkpeer - but in the latter ldap.conf
(under openldap).

tls_checkpeer is not a valid OpenLDAP ldap.conf keyword.

FWIW: there's apparently no real different format for the two files; while one
would only be set up on ldap servers, mine are identical and things work with a

If they are identical and things work, it's by sheer luck. Read the ldap.conf(5) manpage. Relying on anything not documented there would be a mistake.

To the original poster: use the ldapsearch debug flag. OpenSSL s_client is not a reliable indicator of anything.

mirror master, both set up behind a VIP (fail over, not load balanced) and a
plethora of slaves in different subdomains.

- chris

PS: I'd forgotten to 'reply-to-all' earlier. :)

Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
email: chris.jacobs@apollogrp.edu

------------------------------------------------------------------------------
*From*: Lynn York
*To*: Chris Jacobs
*Sent*: Mon Apr 12 10:29:19 2010
*Subject*: RE: Problem with SSL/TLS

Here is my /etc/ldap.conf:

#host 127.0.0.1
base cn=users,dc=testing,dc=com
uri ldap://localhost:636
binddn cn=manager,dc=testing,dc=com
bindpw password
scope sub
timelimit 120
bind_policy soft
bind_timelimit 120
idle_timelimit 3600
ssl on
tls_cacert /etc/openldap/cacerts/servercrt.pem
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
nss_base_group cn=groups,dc=testing,dc=com?sub
pam_password md5

I have tried it with and without "tls_checkpeer". I am sort of at a loss as
to what it can be. I also tested it using the openssl client, and here is the output:

*From*: openldap-technical-bounces+chris.jacobs=apollogrp.edu@OpenLDAP.org
*To*: openldap-technical@openldap.org
*Sent*: Mon Apr 12 08:13:39 2010
*Subject*: Problem with SSL/TLS

I have created a cert. on the server and openldap starts without any issues,
however when I attempt to connect via ldaps I keep getting the following error:

ldapsearch -x -H ldaps://localhost:636 -D "cn=Manager,dc=testing,dc=com" -W -b
"dc=testing,dc=com" "(objectClass=top)"

Enter LDAP Password:
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I can't quite pinpoint what the problem might be.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
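A small checker for the two config files being confused in this thread, added here as an example (it is not code from the thread or from the OpenLDAP project). It re-types Lynn's posted /etc/ldap.conf as constructed input and reports, for whichever file you tell it the text is meant to be: keywords that ldap.conf(5) does not define and libldap therefore ignores (Howard's point about tls_checkpeer), settings that switch off server-certificate verification, a plain ldap:// URI on the ldaps port, and a cleartext bind password. The OpenLDAP keyword table is assumed and abbreviated, and TLS_REQCERT comes from ldap.conf(5), not from this thread:

```python
"""Lint an ldap.conf-style file for the problems raised in this thread.

Added example, not code from the thread or from the OpenLDAP project.
"""
from urllib.parse import urlsplit

# Keywords from OpenLDAP's ldap.conf(5). Assumed and abbreviated for the
# example; the manpage is the authority for the full list.
OPENLDAP_KEYWORDS = {
    "URI", "HOST", "PORT", "BASE", "BINDDN", "DEREF", "SIZELIMIT", "TIMELIMIT",
    "NETWORK_TIMEOUT", "REFERRALS", "SASL_MECH", "SASL_REALM",
    "TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT", "TLS_KEY", "TLS_REQCERT",
    "TLS_CIPHER_SUITE", "TLS_CRLCHECK", "TLS_RANDFILE",
}

# Values that turn off verification of the server certificate.
# tls_checkpeer is the nss_ldap/pam_ldap spelling, TLS_REQCERT is libldap's.
VERIFICATION_OFF = {
    "TLS_CHECKPEER": {"no", "off", "false"},
    "TLS_REQCERT": {"never", "allow"},
}

# The /etc/ldap.conf from the thread, re-typed here as constructed input.
POSTED_NSS_LDAP_CONF = """\
#host 127.0.0.1
base cn=users,dc=testing,dc=com
uri ldap://localhost:636
binddn cn=manager,dc=testing,dc=com
bindpw password
scope sub
timelimit 120
bind_policy soft
bind_timelimit 120
idle_timelimit 3600
ssl on
tls_cacert /etc/openldap/cacerts/servercrt.pem
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
nss_base_group cn=groups,dc=testing,dc=com?sub
pam_password md5
"""


def parse_ldap_conf(text):
    """Return (lineno, KEYWORD, value) for each non-comment line.

    Keywords are compared case-insensitively, as libldap does.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((lineno, parts[0].upper(), value))
    return entries


def lint(text, target):
    """Return a list of (lineno, kind, message) findings.

    target is "openldap" for /etc/openldap/ldap.conf (read by libldap, hence
    by ldapsearch and nss_ldap alike) or "nss_ldap" for /etc/ldap.conf (read
    only by nss_ldap/pam_ldap). No keyword table is kept for nss_ldap here,
    so the unknown-keyword check only applies to the libldap file.
    """
    findings = []
    for lineno, kw, val in parse_ldap_conf(text):
        if target == "openldap" and kw not in OPENLDAP_KEYWORDS:
            findings.append((lineno, "unknown-keyword",
                             f"{kw.lower()} is not an ldap.conf(5) keyword; "
                             "libldap silently ignores it"))
        if kw in VERIFICATION_OFF and val.lower() in VERIFICATION_OFF[kw]:
            findings.append((lineno, "verification-disabled",
                             f"{kw.lower()} {val}: the server certificate is "
                             "not checked, so the bind password could be sent "
                             "to an impostor"))
        if kw == "URI":
            for uri in val.split():
                u = urlsplit(uri)
                if u.scheme == "ldap" and u.port == 636:
                    findings.append((lineno, "scheme-port-mismatch",
                                     f"{uri}: plain ldap:// on port 636; "
                                     "ldaps:// is probably intended"))
        if kw == "BINDPW":
            findings.append((lineno, "cleartext-credential",
                             "bindpw stores a cleartext password; restrict "
                             "the file's permissions"))
    return findings


if __name__ == "__main__":
    for target in ("nss_ldap", "openldap"):
        print(f"== treating the posted file as the {target} config ==")
        for lineno, kind, msg in lint(POSTED_NSS_LDAP_CONF, target):
            print(f"line {lineno}: [{kind}] {msg}")
```

Run as a script it prints the findings for both interpretations of the file; treated as /etc/openldap/ldap.conf, every nss_ldap-only keyword (bindpw, scope, bind_policy, ssl, tls_checkpeer, ...) is flagged as ignored by libldap, which is why copying the same file to both locations does not give ldapsearch any peer-verification setting. Once the libldap file is in order, the debug flag Howard refers to is ldapsearch's -d option, whose output shows where the TLS handshake fails.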