[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: open LDAP + TLS/SSL bind Failed.


Did you provide FQDN e.g server1.example.com to the common name section ? while creating the certificate ?  

Hope the permission of the files are are also correct.


On Fri, Sep 16, 2011 at 9:57 AM, vijay s sheelavantar <s_vijay65@rediffmail.com> wrote:
I am trying to configure LDAP Client/server on 2 Fedora-10 linux machines.

I have installed and configured openldap-2.4.26 server on one machine and pam_ldap-186, nss_ldap-265 on the other machines.

I have created the TLS certificates using following command on the server.

openssl req -newkey rsa:1024 -x509 -nodes -out \ server.pem -keyout server.pem -days 3650

and I have created the client.pem by copying CERTIFICATE portion of the server.pem.

When my client try to connect to the server I get following errors.

TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
connection_read(12): TLS accept failure error=-1 id=1012, closing
connection_closing: readying conn=1012 sd=12 for close
connection_close: conn=1012 sd=12
daemon: removing 12
conn=1012 fd=12 closed (TLS negotiation failure)

My Configurations are as follows.


access to attrs=userPassword
by self write
by anonymous auth
by * none

access to *
by * read

#TLS Certificate section
TLSCACertificateFile /etc/openldap/cacerts/server.pem
TLSCertificateFile /etc/openldap/cacerts/server.pem
TLSCertificateKeyFile /etc/openldap/cacerts/server.pem
TLSVerifyClient allow

and client side ldap.conf 

base dc=samsung,dc=com
uri ldaps://
TLS_CACERT /etc/openldap/cacerts/client.pem
pam_password md5


passwd: files ldap
shadow: files ldap
group: files ldap

netgroup: files ldap
automount: files ldap

I am not getting why it is saying Unknown ca. even though the certificate is created on server machine itself.

Kindly help me to solve this problem.

Treat yourself at a restaurant, spa, resort and much more with Rediff Deal ho jaye!