SSL/TLS Ughh



Hey All,

I'm using OpenLDAP 2.1.4 on Red Hat 7.3 with openssl-0.9.6b-28 (RPM). I compiled OpenLDAP --with-tls and it works fine without TLS/SSL.

However, when I try:

ldapsearch -LLL -b "dc=mydomain,dc=com" -Z -s sub -x -D "uid=lee,ou=users,dc=mydomain,dc=com" -W "(uid=lee)"

# I get the following errors:
#
# ldap_start_tls: Connect error (91)
#        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
# Enter LDAP Password:
# ldap_bind: Can't contact LDAP server (81)
#        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
#
#

Without the -Z switch above, the ldapsearch works fine. Likewise, I can successfully telnet to localhost on port ldaps.

Based on the above errors, it seems like this is a certificate issue. I tried following the OpenLDAP.org TLS/SSL FAQ for generating the certs and adding the necessary info to slapd.conf. That didn't fix the problem. I then used the commands below to try again. Still no luck, same errors as above.

Anyone have any ideas?

Here is how I made the certificates the second time around:

# From http://www.bolthole.com/solaris/LDAP.html

ln -s /usr/bin/openssl ./
ln -s /usr/share/ssl/misc/CA ./
./CA -newca
./CA -newreq
./CA -signreq
openssl rsa -in newreq.pem -out ldapkey.pem
chmod 0600 ldapkey.pem
mv newcert.pem ldapcert.pem
emacs /export/openldap/etc/slapd.conf

#
# Added the following to slapd.conf
#
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/local/etc/openldap/ldapcert.pem
TLSCertificateKeyFile /usr/local/etc/openldap/ldapkey.pem
TLSCACertificateFile /usr/local/etc/openldap/demoCA/cacert.pem

# Started slapd with the following command
/usr/local/libexec/slapd -h "ldap:/// ldaps:///"


Thanks,

Lee
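The "certificate verify failed" error in the post is raised on the client side: ldapsearch checks the server certificate against the CA bundle the *client* trusts (set with TLS_CACERT or TLS_CACERTDIR in the client's ldap.conf or ~/.ldaprc), not against the server's TLSCACertificateFile. The script below is an added example, not Lee's commands and not OpenLDAP project code: it builds a throwaway CA and a CA-signed server certificate with plain openssl commands, then runs the same chain check a client performs, both against the right CA and against an unrelated one, so the two outcomes can be compared offline. The hostname ldap.mydomain.com, the file names and the working directory are assumptions; the only requirement is an openssl CLI on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): build a CA-signed LDAP server
# certificate and check it the way a TLS client does. Assumes `openssl` on PATH.
# The hostname below is made up; it must match the name clients connect to.
set -u

LDAP_HOST="ldap.mydomain.com"   # assumed server name (CN of the server cert)

# make_pki DIR: create a self-signed CA plus a CA-signed server key/cert in DIR.
# cacert.pem is what goes in the server's TLSCACertificateFile AND the client's
# TLS_CACERT; ldapcert.pem/ldapkey.pem go in TLSCertificateFile/TLSCertificateKeyFile.
make_pki() {
    dir="$1"
    mkdir -p "$dir" || return 1
    # Self-signed CA certificate and key
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example LDAP CA" \
        -keyout "$dir/cacert.key" -out "$dir/cacert.pem" >/dev/null 2>&1 || return 1
    # Server key and CSR; CN is the hostname the clients will use
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$LDAP_HOST" \
        -keyout "$dir/ldapkey.pem" -out "$dir/ldapreq.pem" >/dev/null 2>&1 || return 1
    # Sign the CSR with the CA to produce the server certificate
    openssl x509 -req -days 365 -in "$dir/ldapreq.pem" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cacert.key" -CAcreateserial \
        -out "$dir/ldapcert.pem" >/dev/null 2>&1 || return 1
    chmod 0600 "$dir/ldapkey.pem" "$dir/cacert.key"
}

# verify_chain CAFILE CERT: print "ok" if CERT chains to CAFILE, else "fail".
# This is the check that fails with "certificate verify failed" when the client
# does not trust the CA that issued the server certificate.
verify_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# cert_subject CERT: print the subject so the CN can be compared to the hostname.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Stand-alone demo: `sh thisfile.sh demo`
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_pki "$work/good"  || exit 1
    make_pki "$work/other" || exit 1   # an unrelated CA, for the negative case
    cert_subject "$work/good/ldapcert.pem"
    echo "trusted CA:   $(verify_chain "$work/good/cacert.pem"  "$work/good/ldapcert.pem")"
    echo "unrelated CA: $(verify_chain "$work/other/cacert.pem" "$work/good/ldapcert.pem")"
    rm -rf "$work"
fi
```

Two things worth checking against the configuration in the post: the client run by ldapsearch must point at the same cacert.pem via TLS_CACERT (with TLS_REQCERT at its default, demand, an unknown CA or a CN that does not match the host the client connects to both end in a verify failure), and TLSCipherSuite HIGH:MEDIUM:+SSLv2 re-enables SSLv2 cipher suites, which a server should not offer even when the goal is just to get TLS working.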