
Re: [EXTERNAL] Re: back-ldap and ldaps not working



Thanks Michael. The message is clear but the solution isn't. I think you missed the part about this exact same slapd node being a replication consumer replicating successfully using the exact same certificate/TLS setup.  Just for added validation the masters have been active for a couple years serving a very active test environment with ~100 test clients connecting via ldaps. Something appears to be hinky with the configuration processing or certificate validation processing in back-ldap.  My gut is that olcDBStartTLS isn't being converted/formatted correctly or isn't being parsed correctly and the option to set the path to the CA cert file is being ignored.

-Jon

> On Jul 8, 2017, at 6:39 AM, Michael Ströder <michael@stroeder.com> wrote:
> 
> Jon C Kidder wrote:
>> TLS trace: SSL_connect:SSLv3 read server hello A
>> TLS certificate verification: depth: 1, err: 19, subject: […]
>> TLS certificate verification: Error, self signed certificate in certificate chain
>> TLS trace: SSL3 alert write:fatal:unknown CA
> 
> I think these messages are pretty clear. Something's wrong on your back-ldap proxy with
> validating the target server's certificate.
> 
> It's a pretty good idea to verify first on the command-line:
> 
> openssl s_client -connect ldap.example.com:636 -CAfile /path/to/rootca.crt
> 
> LDAPTLS_CACERT=/path/to/rootca.crt ldapwhoami ldaps://ldap.example.com
> 
> Ciao, Michael.
>
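The command-line check Michael recommends, as an added example that is not part of this thread: a small POSIX shell script that builds a throwaway CA and server certificate (constructed test data; "Example Test Root CA" and ldap.example.com are placeholders, not real hosts or keys) and reproduces both outcomes of X.509 chain verification offline. The `err: 19` in Jon's trace is the X509 verify result code that slapd prints straight from OpenSSL, and 19 is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: the peer sent its chain up to a self-signed root, and the verifying side does not have that root in its trust store. The script shows the same code when only the sent chain is offered, and 0 once the root is passed as the CA file. It needs the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a constructed test PKI and runs the
# same X.509 chain verification whose result code appears as "err: N" in
# slapd's "TLS certificate verification" trace line.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Test Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Constructed test PKI: self-signed root plus a server cert signed by it.
make_test_pki() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Test Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1
  openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=ldap.example.com" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 2 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.pem" >/dev/null 2>&1 || return 1
  # What a server sends in the handshake: leaf first, then the root it was signed by.
  cat "$WORK/server.pem" "$WORK/ca.pem" > "$WORK/chain.pem"
}

# chain_error_code <server cert> <chain as sent by the peer> [trusted CA file]
# Prints 0 when the chain verifies, otherwise the numeric code from openssl's
# "error N at D depth lookup" line. The peer-sent chain is always offered only
# as untrusted material, exactly as a TLS client treats it.
chain_error_code() {
  cert="$1"; sent_chain="$2"; cafile="${3:-}"
  if [ -n "$cafile" ]; then
    out="$(openssl verify -CAfile "$cafile" -untrusted "$sent_chain" "$cert" 2>&1)"
  else
    # No trusted root supplied: the self-signed root at the top of the sent
    # chain is found but not trusted, which is the "err: 19" case.
    out="$(openssl verify -untrusted "$sent_chain" "$cert" 2>&1)"
  fi
  case "$out" in
    *": OK"*) echo 0 ;;
    *) echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
  esac
}

make_test_pki || { echo "openssl is required for this example" >&2; exit 1; }
echo "sent chain only, no CA file:  code $(chain_error_code "$WORK/server.pem" "$WORK/chain.pem")"
echo "root supplied as CA file:     code $(chain_error_code "$WORK/server.pem" "$WORK/chain.pem" "$WORK/ca.pem")"
```

To apply this to the proxy in the thread, replace the constructed chain with the one the target server actually sends (`openssl s_client -showcerts` captures it) and the CA file with the file named in the back-ldap TLS settings. A 19 here with that same CA file means the file does not contain the root the server is sending; a 0 here alongside a 19 from slapd narrows the problem to slapd not using the CA file it appears to be configured with, which is the distinction Jon is trying to make.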