[Date Prev][Date Next] [Chronological] [Thread] [Top]

client error connecting using tls

To: <openldap-technical@openldap.org>
Subject: client error connecting using tls
From: Herb Lewis <hlewis@panasas.com>
Date: Fri, 11 Jul 2014 11:04:57 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0

I have a program that connects to a secure ldap server by calling thefollowingsequence of functions. (the ldap.conf has TLS_CACERT pointing to thecertificate

file and TLS_REQCERT demand set)

ldap_initialize
ldap_set_option  (to set various options such as LDAP_OPT_PROTOCOL_VERSION,
                           LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_RESTART,
                           LDAP_OPT_NETWORK_TIMEOUT)
ldap_start_tls_s
ldap_sasl_bind_s

This works correctly and I can do searches to this server.

Later I want to connect to a different secure server. I copy the newcertificate fileover the old file so ldap.conf remains the same except the URI entry isupdated tothe new server. I call ldap_unbind_ext_s on the current connection thentry to repeat

the above initialization sequence but it always fails.

If I restart the process I can connect to the second server first thenwhen Itry to connect to the first server that fails. I turned up debugging onthe server

and I see the error

Peer does not recognize and trust the CA that issued your certificate..

It seems like the client is remembering something and not allowing me tochangeto a different secure ldap server without killing the process andstarting over.

Is there something I am missing in cleaning up the first connection?

Follow-Ups:
- Re: client error connecting using tls
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: Adding and attribute and editing a matchingRuleUse in the subschema
Next by Date: Re: client error connecting using tls
Index(es):
- Chronological
- Thread