
RE: unknown CA



> -----Original Message-----
> From: thierryW [mailto:thierryw@libertysurf.fr]
>
> ThierryW wrote:
> I was having the same error (unknown CA); like you wrote, I put
> TLS_CACERT /usr/local/openldap/etc/certs/CA_pubkey.pem) in ldap.conf, but
> now I get a new error:
> connection_read(14): unable to get TLS client DN error=49 id=6
> then it binds anonymously..?
> thierryW

I have no idea what the context is for your question.

The "unable to get TLS client DN" message is informational; it is
not a critical error by itself. It usually means the client didn't
provide a certificate, which is fine if you aren't trying to use
SASL EXTERNAL authentication. If you were trying to use EXTERNAL
in this case, then you will have a fatal error. (Probably the error
message should only be displayed if the server is configured with
TLSVerifyClient enabled...)
> 
> Howard Chu wrote:
> > I have just this afternoon committed the support for the TLSCACertPath.
> > If you pull the latest version of libldap/tls.c from CVS you'll get it.
> > (But in general, you are of course welcome to fix/write anything you wish.)
> > 
> > As for the unknown CA problem, you need to configure your LDAP clients to
> > use the certs as well. It looks like you have only configured slapd so far.
> > 
> > You probably need to add this
> > 	TLS_CACERT /usr/local/openldap/etc/certs/CA_pubkey.pem)
> > to your /usr/local/openldap/etc/ldap.conf file.
> > 
> >   -- Howard Chu
> >   Chief Architect, Symas Corp.       Director, Highland Sun
> >   http://www.symas.com               http://highlandsun.com/hyc
> >   Symas: Premier OpenSource Development and Support 
> > 
> > 
> >>-----Original Message-----
> >>From: Tarassov Vadim [mailto:Vadim.Tarassov@winterthur.ch]
> >>Sent: Friday, June 14, 2002 4:31 AM
> >>To: 'Howard Chu'; Tarassov Vadim; OpenLDAP-software@OpenLDAP.org
> >>Subject: AW: unknown CA
> >>
> >>
> >>Hello Howard,
> >>
> >>Do you mind if I fix it? And look, I believe there is 
> >>something wrong with
> >>
> >>openldap 2.1.2, openssl 1.9.6d 
> >>
> >>if built together on Solaris 2.6 with Forte 6 update 1. I was 
> >>struggling for a few hours with those fancy error messages I've 
> >>described before, but could not find anything besides the fact 
> >>that s_client and s_server do work well with the same 
> >>certificates. Thus, I will have to investigate this problem. I 
> >>will inform you regardless of whether I have success or not.
> >>
> >>Cheers, Vadim Tarassov.
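The two-sided configuration Howard's reply describes, written out as an added example (not part of the original thread or of the OpenLDAP distribution): the server presents its certificate and trusts the CA, and every client trusts the same CA so the handshake no longer fails with "unknown CA". The TLS_CACERT path and the ldap.conf location are the ones quoted in the thread; the server certificate and key file names are assumed, and TLSCertificateFile, TLSCertificateKeyFile, TLSCACertificateFile and TLS_REQCERT are standard OpenLDAP directives that the thread itself does not mention.

```conf
# slapd.conf (server side). Certificate and key file names below are assumed.
# Server certificate and private key presented to clients in the TLS handshake.
TLSCertificateFile    /usr/local/openldap/etc/certs/slapd_cert.pem
TLSCertificateKeyFile /usr/local/openldap/etc/certs/slapd_key.pem
# CA that issued the server certificate (and any client certificates).
TLSCACertificateFile  /usr/local/openldap/etc/certs/CA_pubkey.pem
# "never" (the default) accepts clients that present no certificate, so the
# "unable to get TLS client DN" log line is harmless. Raise this to "demand"
# only when clients must authenticate with SASL EXTERNAL via their certificate.
TLSVerifyClient       never

# /usr/local/openldap/etc/ldap.conf (client side, read by the LDAP tools).
# Without TLS_CACERT the client cannot build a chain to the server's
# certificate and the handshake fails with "unknown CA".
TLS_CACERT   /usr/local/openldap/etc/certs/CA_pubkey.pem
# Refuse the connection if the server certificate does not verify against that CA.
TLS_REQCERT  demand
```

Both files point at the same CA_pubkey.pem; the difference the thread turns on is that slapd reads its copy from slapd.conf while every client, including the command-line tools run on the server host, reads its copy from ldap.conf.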