[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Problem with SSL/TLS

Wow.. I feel like a complete idiot... I got it working by changing to the
cert instead of the key.  Thanks very much to all who helped.

-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@zimbra.com]
Sent: Monday, April 12, 2010 6:26 PM
To: Lynn York
Cc: openldap-technical@openldap.org
Subject: RE: Problem with SSL/TLS

--On Monday, April 12, 2010 6:13 PM -0400 Lynn York
<lynn.york@mavenwire.com> wrote:

> Here is my /etc/openldap/ldap.conf:
> uri ldaps://localhost
> base cn=users,dc=testing,dc=com
> tls_cacert /etc/openldap/cacerts/ca.key
> tls_cacertdir /etc/openldap/cacerts
> tls_reqcert allow

You specify *one* of the two options (Either TLS_CACERT or TLS_CACERTDIR).

Not both.  If you are specifying the file, then it needs to be the cert,
not the key.

> TLS: could not load verify locations
> (file:`/etc/openldap/cacerts/ca.key',dir:`/etc/openldap/cacerts').

> However, the certs and key's to exist..
> ls -al /etc/openldap/cacerts/
> total 44
> drwxr-xr-x 3 ldap ldap 4096 Apr 12 13:48 .
> drwxr-xr-x 4 ldap ldap 4096 Apr 12 18:09 ..
> drwxr-xr-x 2 ldap ldap 4096 Apr 12 13:45 backup
> -rw-r--r-- 1 ldap ldap 1805 Apr 12 13:46 ca.cert
> -rw-r--r-- 1 ldap ldap 1679 Apr 12 13:46 ca.key

What about the permissions on /etc/openldap and /etc/openldap/cacerts?

I.e., if you su - ldap, can you actually read



Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra ::  the leader in open source messaging and collaboration
MavenWire - We DELIVER

This e-mail and any attached files may contain confidential and/or privileged material for the sole use of the intended recipient.  Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive this e-mail for the recipient), you may not review, copy or distribute this message.  Please contact the sender by reply e-mail and delete all copies of this message.