[Date Prev][Date Next]
Re: Problem with SSL/TLS
Chris Jacobs wrote:
/etc/ldap.conf is used by nss tools and the ilk.
/etc/openldap/ldap.conf would be used by openldap tools - like ldapsearch.
Actually it's used by libldap, which means everything that uses libldap
(including nss_ldap). But of course the converse is not true, /etc/ldap.conf
only affects nss_ldap and pam_ldap, not anything else.
I have the same setting there for tls_checkpeer - but in the latter ldap.conf
tls_checkpeer is not a valid OpenLDAP ldap.conf keyword.
FWIW: there's apparently no real different format for the two files; while one
would only be setup on ldap servers, mine are identical and things work with a
If they are identical and things work, it's by sheer luck. Read the
ldap.conf(5) manpage. Relying on anything not documented there would be a mistake.
To the original poster: use the ldapsearch debug flag. OpenSSL s_client is not
a reliable indicator of anything.
mirror master, both setup behind a VIP (fail over, not load balanced) and a
plethora of slaves in different subdomains.
PS: I'd forgotten to 'reply-to-all' earlier. :)
Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
*From*: Lynn York
*To*: Chris Jacobs
*Sent*: Mon Apr 12 10:29:19 2010
*Subject*: RE: Problem with SSL/TLS
Here is my /etc/ldap.conf:
I have tried it with and without “tls_checkpeer”…. I am sort of at a loss as
to what it can be. I also tested it using openssl client.. and here is the output:
*To*: email@example.com <mailto:firstname.lastname@example.org>
*Sent*: Mon Apr 12 08:13:39 2010
*Subject*: Problem with SSL/TLS
I have created a cert. on the server and openldap starts without any issues,
however when I attempt to connect via ldaps I keep getting the following error:
ldapsearch -x -H ldaps://localhost:636 -D "cn=Manager,dc=testing,dc=com" -W -b
Enter LDAP Password:
ldap_bind: Can't contact LDAP server (-1)
?????????????? additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I can???t quite pin point what the problem might be.??
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/