[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Problem with SSL/TLS

To: Quanah Gibson-Mount <quanah@zimbra.com>
Subject: RE: Problem with SSL/TLS
From: Lynn York <lynn.york@mavenwire.com>
Date: Tue, 13 Apr 2010 10:20:50 -0400
Cc: openldap-technical@openldap.org
In-reply-to: <2D999B361EA1EA9DF96BF9F3@[192.168.1.2]>
References: <6C447584419BFE4E83D46E88F8131486323996274C@EXCH07-05.apollogrp.edu> <4BC361AC.2070503@symas.com> <2309849818589532404@unknownmsgid> <F7CC0746AB754808C5F6A609@[192.168.1.2]> <45a67b90600323249d0770e1a7b1a505@mail.gmail.com> <2D999B361EA1EA9DF96BF9F3@[192.168.1.2]>
Thread-index: AcrajxywJpM2BDRMQoKWGT2HOApuEAAhVTfg

Wow.. I feel like a complete idiot... I got it working by changing to the
cert instead of the key.  Thanks very much to all who helped.

-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@zimbra.com]
Sent: Monday, April 12, 2010 6:26 PM
To: Lynn York
Cc: openldap-technical@openldap.org
Subject: RE: Problem with SSL/TLS

--On Monday, April 12, 2010 6:13 PM -0400 Lynn York
<lynn.york@mavenwire.com> wrote:

> Here is my /etc/openldap/ldap.conf:
>
> uri ldaps://localhost
> base cn=users,dc=testing,dc=com
> tls_cacert /etc/openldap/cacerts/ca.key
> tls_cacertdir /etc/openldap/cacerts
> tls_reqcert allow

You specify *one* of the two options (Either TLS_CACERT or TLS_CACERTDIR).

Not both.  If you are specifying the file, then it needs to be the cert,
not the key.

> TLS: could not load verify locations
> (file:`/etc/openldap/cacerts/ca.key',dir:`/etc/openldap/cacerts').

> However, the certs and key's to exist..
>
> ls -al /etc/openldap/cacerts/
> total 44
> drwxr-xr-x 3 ldap ldap 4096 Apr 12 13:48 .
> drwxr-xr-x 4 ldap ldap 4096 Apr 12 18:09 ..
> drwxr-xr-x 2 ldap ldap 4096 Apr 12 13:45 backup
> -rw-r--r-- 1 ldap ldap 1805 Apr 12 13:46 ca.cert
> -rw-r--r-- 1 ldap ldap 1679 Apr 12 13:46 ca.key

What about the permissions on /etc/openldap and /etc/openldap/cacerts?

I.e., if you su - ldap, can you actually read
/etc/openldap/cacerts/ca.cert?

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
MavenWire - We DELIVER
http://www.mavenwire.com

This e-mail and any attached files may contain confidential and/or privileged material for the sole use of the intended recipient.  Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive this e-mail for the recipient), you may not review, copy or distribute this message.  Please contact the sender by reply e-mail and delete all copies of this message.

References:
- Re: Problem with SSL/TLS
  - From: Chris Jacobs <Chris.Jacobs@apollogrp.edu>
- Re: Problem with SSL/TLS
  - From: Howard Chu <hyc@symas.com>
- RE: Problem with SSL/TLS
  - From: Lynn York <lynn.york@mavenwire.com>
- RE: Problem with SSL/TLS
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- RE: Problem with SSL/TLS
  - From: Lynn York <lynn.york@mavenwire.com>
- RE: Problem with SSL/TLS
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

Prev by Date: Re: Overlay Chain Extended Passmod Problem
Next by Date: SASL EXTERNAL, sasldb2 and authz-regexp
Index(es):
- Chronological
- Thread