
Re: TLS config question




Did you specify your cert CA in your ldap.conf on the client? 2.1 is finicky { I love that word :) } about that.


e.g.
TLS_CACERT /ssl/slapdca.crt

You don't need to break up the PEM file (I think), but you do need to have the CA cert on the client side, so that the client can test the validity of the cert.


--Kervin
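To see what TLS_CACERT buys the client, here is an added example (my own, not from the thread or from OpenLDAP): it builds a throwaway CA and a slapd-style server cert with the openssl CLI, then checks the server cert the way a client would with the right CA file, with no CA file, and with an unrelated CA. All names and paths are constructed; only the first case should validate.

```shell
#!/bin/sh
# Added example, not from the thread: a local CA and server cert are generated
# so we can show what ldap.conf's TLS_CACERT gives the client: the ability to
# validate the server certificate chain. Needs the openssl CLI; names are made up.

# Build a self-signed CA: $1 = file prefix, $2 = CA name
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" >/dev/null 2>&1
}

# Issue a server cert signed by a CA: $1 = file prefix, $2 = CA prefix, $3 = host
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$3" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
        -CAcreateserial -days 1 -out "$1.crt" >/dev/null 2>&1
}

# Client-side check: $1 = server cert, $2 = CA file (empty = no TLS_CACERT).
# Returns 0 when the chain validates, non-zero otherwise.
verify_server_cert() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1   # only the system trust store
    fi
}

# Runs the three cases in a temp dir; returns 0 only if all behave as expected.
tls_cacert_demo() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" &&
      make_ca slapdca "Example slapd CA" &&
      make_ca otherca "Unrelated CA" &&
      make_server_cert slapd slapdca hotdog.mydomain.com &&
      verify_server_cert slapd.crt slapdca.crt &&     # CA known: validates
      ! verify_server_cert slapd.crt "" &&            # no CA file: rejected
      ! verify_server_cert slapd.crt otherca.crt )    # wrong CA: rejected
    rc=$?
    rm -rf "$dir"
    return $rc
}

if tls_cacert_demo; then
    echo "server cert validates only with the matching CA file (TLS_CACERT)"
else
    echo "unexpected result; check that openssl is installed" >&2
fi
```

Against a running slapd the equivalent live check is `openssl s_client -connect localhost:636 -CAfile /ssl/slapdca.crt`, which reports the verify return code for the chain the server actually presents.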

Mark Johnson wrote:
I've installed cyrus-sasl-2.1.2 and openldap-2.0.23, set up a simple
slapd.conf and test database.

When I run slapd with defaults,
$ ldapsearch -x -H "ldap://localhost:389" -b "cn=Manager,dc=mydomain,dc=com"
produces the expected result.

Now I add these two lines to slapd.conf:
TLSCertificateFile /usr/local/etc/httpd/ssl.crt/snakeoil-rsa.crt
TLSCertificateKeyFile /usr/local/etc/httpd/ssl.key/snakeoil-rsa.key
and run:
# /usr/local/libexec/slapd -h ldaps://localhost:636

But:
$ ldapsearch -x -H "ldaps://localhost:636" -b "cn=Manager,dc=mydomain,dc=com"
ldap_bind: Can't contact LDAP server

The log shows this:
Jun 10 19:16:41 hotdog slapd[16217]: slapd starting
Jun 10 19:17:05 hotdog slapd[16219]: daemon: conn=0 fd=9 connection from IP=127.0.0.1:33538 (IP=127.0.0.1:31746) accepted.
Jun 10 19:17:05 hotdog slapd[16219]: conn=-1 fd=9 closed


What does it mean?

TIA,