[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Problem with SSL/TLS

Here is my /etc/openldap/ldap.conf:

uri ldaps://localhost
base cn=users,dc=testing,dc=com
tls_cacert /etc/openldap/cacerts/ca.key
tls_cacertdir /etc/openldap/cacerts
tls_reqcert allow

After adding the TLS options in there, I get the following:

ldapsearch -d1 -x -H ldaps://localhost:636/
ldap_new_connection 1 1 0
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS: could not load verify locations
ldap_bind: Can't contact LDAP server (-1)

However, the certs and key's to exist..

ls -al /etc/openldap/cacerts/
total 44
drwxr-xr-x 3 ldap ldap 4096 Apr 12 13:48 .
drwxr-xr-x 4 ldap ldap 4096 Apr 12 18:09 ..
drwxr-xr-x 2 ldap ldap 4096 Apr 12 13:45 backup
-rw-r--r-- 1 ldap ldap 1805 Apr 12 13:46 ca.cert
-rw-r--r-- 1 ldap ldap 1679 Apr 12 13:46 ca.key
-rw-r--r-- 1 ldap ldap   17 Apr 12 13:48 ca.srl
-rw-r--r-- 1 ldap ldap 1411 Apr 12 13:48 hltraindb01.crt
-rw-r--r-- 1 ldap ldap 1106 Apr 12 13:46 hltraindb01.csr
-rw-r--r-- 1 ldap ldap 1679 Apr 12 13:45 hltraindb01.key

-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@zimbra.com]
Sent: Monday, April 12, 2010 6:00 PM
To: Lynn York
Cc: openldap-technical@openldap.org
Subject: RE: Problem with SSL/TLS

--On Monday, April 12, 2010 2:20 PM -0400 Lynn York
<lynn.york@mavenwire.com> wrote:

> TLS certificate verification: depth: 0, err: 18, subject:
> /C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire,
> m, issuer: /C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire,
> TLS certificate verification: Error, self signed certificate
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B

The above error seems very clear to me.  The CA for the offered cert is
unknown.  Either your CA path for OpenLDAP is wrong in your OpenLDAP
ldap.conf file (which is set via the TLS_CACERT or TLS_CACERTDIR
variables), or you've pointed at the wrong one, etc.

As has been noted numerous times to you so far /etc/ldap.conf is not the
place you set these variables. You fail to show your /etc/ldap/ldap.conf
(assuming that's the location of it) settings.



Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra ::  the leader in open source messaging and collaboration
MavenWire - We DELIVER

This e-mail and any attached files may contain confidential and/or privileged material for the sole use of the intended recipient.  Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive this e-mail for the recipient), you may not review, copy or distribute this message.  Please contact the sender by reply e-mail and delete all copies of this message.