On 7/28/2016 8:41 AM, Howard Chu wrote:
> Nat Sincheler wrote:
>> On 7/27/2016 11:19 PM, Ulrich Windl wrote:
>>> Nat Sincheler <fai1107@macrotex.net> wrote on 26.07.2016 at 17:20 in message <991f77f9-fd05-eb9b-7f07-f350c4a7bc68@macrotex.net>:
>>>> On 7/25/2016 11:24 PM, Ulrich Windl wrote:
>>>>> Nat Sincheler <fai1107@macrotex.net> wrote on 25.07.2016 at 19:06 in message <c19c2a3a-3c90-5baa-43c7-800b050ea5b7@macrotex.net>:
>>>>>> We have an OpenLDAP server that is listening on port 636 over ldaps. When I run
>>>>>> openssl s_client -showcerts -connect ldap-server:636
>>>>>> I only see the host certificate. The intermediate and root certificates do *not* come through.
>>>>> If I do that on one of our servers, I get:
>>>>> Root CA
>>>>> Intermediate CA
>>>>> Server Certificate
>>>>> ...
>>>>> New, TLSv1/SSLv3, Cipher is AES256-SHA
>>>>> Server public key is 2048 bit
>>>>>> For this server I have in the file slapd.d/cn=config.ldif the setting
>>>>>> olcTLSCACertificatePath: /etc/ssl/certs
>>>>> Hi!
>>>>> Here it works with these settings:
>>>>> olcTLSCACertificatePath: /etc/ssl/certs
>>>>> olcTLSCertificateFile: /etc/ssl/servercerts/slapd.pem
>>>>> olcTLSCertificateKeyFile: /etc/ssl/private/slapd.key
>>>>> Could it be a permissions problem? Did you try to check the certificate chain with openssl (preferably as the LDAP user)?
>>>> When I run the openssl s_client command I get no errors, but I also get no intermediate or root certificates sent. I see this in the output: "No client certificate CA names sent".
>>> Hi!
>>> To me it looks like a problem with your certificates. Try to verify them using openssl, like this:
>>> openssl verify -CApath /etc/ssl/certs -verbose /etc/ssl/servercerts/slapd.pem
>>> /etc/ssl/servercerts/slapd.pem: OK
>> % grep -R Certificate *.ldif
>> olcTLSCACertificatePath: /etc/ssl/certs
>> olcTLSCertificateFile: /etc/ssl/certs/server.pem
>> olcTLSCertificateKeyFile: /etc/ssl/private/server.key
>> % directory2:/etc/ldap# openssl verify -CApath /etc/ssl/certs -verbose /etc/ssl/certs/server.pem
>> /etc/ssl/certs/server.pem: OK
>> So, the openssl command line can find the certificate chain. Why can't openldap?
> If your OpenLDAP build is not behaving the same as your OpenSSL build, then most likely your OpenLDAP was not built with OpenSSL. Otherwise, their behavior would match. You never provided essential information such as OS platform and OpenLDAP version, so nobody can give you definitive answers.
We are using version 2.4.42 of OpenLDAP compiled on Debian jessie, which uses GnuTLS rather than OpenSSL.
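Editor's note, added to this thread and not part of any poster's message: the check the thread keeps circling back to is "does the server actually send its intermediate certificate(s)?", and `openssl verify` on the server's own files cannot answer it, because it reads the issuer from the local `-CApath`, which a remote client does not have. The script below is an added example (not OpenLDAP, OpenSSL or GnuTLS project code) that answers the question from the client side: it parses the `Certificate chain` section of `openssl s_client -showcerts` output, checks that each certificate is issued by the next one the server sent, and checks that the chain ends at a root the client trusts. The two sample outputs, the host name `ldap-server.example.net`, the `Example CA` names and the `TRUSTED_ROOTS` set are constructed for the demo. Two facts worth knowing when reading such output: the line `No client certificate CA names sent` refers to the list of CAs the server would accept for *client* certificates and says nothing about the server's own chain; and the slapd-config(5) manual page documents `olcTLSCACertificatePath` as not supported when slapd is built against GnuTLS, so on such a build the intermediate certificate has to be served explicitly, typically by appending it after the server certificate in the file named by `olcTLSCertificateFile`.

```python
"""Offline check of the certificate chain a TLS server presents.

Added example (not from the thread): parses the "Certificate chain" section
of `openssl s_client -showcerts` output, checks that each certificate is
issued by the next one sent, and that the chain ends at a trusted root.
Sample outputs and the trust set are constructed for the demo.
"""
import re
import subprocess

# Constructed sample: a server that sends only its leaf certificate, as in
# the thread. The client cannot find the issuer, hence verify error 20.
LEAF_ONLY = """\
CONNECTED(00000003)
depth=0 CN = ldap-server.example.net
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=ldap-server.example.net
   i:/O=Example CA/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=ldap-server.example.net
issuer=/O=Example CA/CN=Example Intermediate CA
---
No client certificate CA names sent
---
"""

# Constructed sample: the same server configured to send its intermediate.
FULL_CHAIN = """\
Certificate chain
 0 s:/CN=ldap-server.example.net
   i:/O=Example CA/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
 1 s:/O=Example CA/CN=Example Intermediate CA
   i:/O=Example CA/CN=Example Root CA
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
---
"""

# Constructed stand-in for the client's trust store: subjects of trusted roots.
TRUSTED_ROOTS = {"/O=Example CA/CN=Example Root CA"}

# One chain entry is " N s:<subject>" followed by a line "   i:<issuer>".
# The capture groups accept both the old "/CN=x" and newer "CN = x" formats.
CHAIN_ENTRY_RE = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.M)


def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(m.group(2).strip(), m.group(3).strip())
            for m in CHAIN_ENTRY_RE.finditer(s_client_output)]


def check_chain(entries, trusted_roots):
    """Return a list of findings; an empty list means the served chain is complete."""
    if not entries:
        return ["no certificates presented"]
    findings = []
    # Each certificate must be issued by the next one the server sent.
    for depth in range(len(entries) - 1):
        issuer = entries[depth][1]
        next_subject = entries[depth + 1][0]
        if issuer != next_subject:
            findings.append(f"depth {depth}: issuer {issuer!r} is not depth {depth + 1} subject {next_subject!r}")
    # The last certificate sent must be a trusted root or be issued by one;
    # otherwise clients without the server's local CA directory cannot verify.
    last_subject, last_issuer = entries[-1]
    if last_subject not in trusted_roots and last_issuer not in trusted_roots:
        findings.append(f"chain ends at {last_subject!r}, issued by untrusted {last_issuer!r}: intermediate certificate(s) missing")
    return findings


def fetch_s_client_output(host, port=636):
    """Run openssl s_client against a live server (not exercised by the offline demo)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-showcerts", "-connect", f"{host}:{port}"],
        input=b"", capture_output=True, timeout=15)  # empty stdin ends the session
    return proc.stdout.decode(errors="replace")


if __name__ == "__main__":
    for label, sample in (("leaf only", LEAF_ONLY), ("full chain", FULL_CHAIN)):
        chain = parse_chain(sample)
        print(f"{label}: {len(chain)} certificate(s) sent;",
              check_chain(chain, TRUSTED_ROOTS) or ["OK"])
```

To use it against a real LDAPS server, feed `fetch_s_client_output("ldap-server")` into `parse_chain` and `check_chain` with the subjects of the roots your clients actually trust. A `verify error:num=20` at depth 0 together with a single chain entry is the signature of the situation in this thread: the server is fine when checked with its own `/etc/ssl/certs`, but any client that does not carry that directory will fail to build a path, and the fix belongs in what the server serves, not in the client's trust store.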