Hey All,

I'm using OpenLDAP 2.1.4 on Red Hat 7.3 w/ openssl-0.9.6b-28 (RPM). I compiled openldap --with-tls and it works fine without TLS/SSL. However, when I try:

    ldapsearch -LLL -b "dc=mydomain,dc=com" -Z -s sub -x -D "uid=lee,ou=users,dc=mydomain,dc=com" -W "(uid=lee)"

I get the following errors:

    ldap_start_tls: Connect error (91)
            additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Enter LDAP Password:
    ldap_bind: Can't contact LDAP server (81)
            additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Without the -Z switch above, the ldapsearch works fine. Likewise I can successfully telnet to localhost on port ldaps.

Based on the above errors, it seems like this is a certificate issue. I tried following the Openldap.org TLS/SSL FAQ for generating the certs and adding the necessary info to slapd.conf. That didn't fix the problem. I then used the commands below to try again. Still no luck, same errors as above. Anyone have any ideas?

Here is how I made the certificates the second time around:

    # From http://www.bolthole.com/solaris/LDAP.html
    ln -s /usr/bin/openssl ./
    ln -s /usr/share/ssl/misc/CA ./
    ./CA -newca
    ./CA -newreq
    ./CA -signreq
    openssl rsa -in newreq.pem -out ldapkey.pem
    chmod 0600 ldapkey.pem
    mv newcert.pem ldapcert.pem
    emacs /export/openldap/etc/slapd.conf

Added the following to slapd.conf:

    TLSCipherSuite HIGH:MEDIUM:+SSLv2
    TLSCertificateFile /usr/local/etc/openldap/ldapcert.pem
    TLSCertificateKeyFile /usr/local/etc/openldap/ldapkey.pem
    TLSCACertificateFile /usr/local/etc/openldap/demoCA/cacert.pem

Started slapd with the following command:

    /usr/local/libexec/slapd -h "ldap:/// ldaps:///"

Thanks,
Lee
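The error quoted above (14090086, "certificate verify failed") is raised on the client side when the server's certificate does not chain to a CA the client trusts (for OpenLDAP clients, the file named by TLS_CACERT in ldap.conf). As an added example that is not part of the post, the script below builds throwaway certificates and runs the same chain check a client performs, once against the issuing CA and once against an unrelated CA, and prints the subject CN the client compares to the host name. It assumes only the openssl command-line tool; every file name and CN in it is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: the client's chain check behind
# "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed", reproduced with
# throwaway certificates. Assumes the openssl CLI; every name and CN is constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a tiny issuing CA, an unrelated CA, and a server cert signed by the first.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test LDAP CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
    -keyout "$WORK/otherkey.pem" -out "$WORK/othercacert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.mydomain.com" \
    -keyout "$WORK/ldapkey.pem" -out "$WORK/ldapreq.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/ldapreq.pem" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -days 1 -out "$WORK/ldapcert.pem" 2>/dev/null
}

# verify_against CA_FILE CERT_FILE: the same chain check an LDAP client performs
# with its configured CA file; prints "ok" or "verify-failed".
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo verify-failed
  fi
}

# cert_cn CERT_FILE: the subject CN, which the client compares to the host name
# it connected to (a mismatch is a second, separate reason a TLS handshake fails).
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

make_test_pki
echo "issuing CA:   $(verify_against "$WORK/cacert.pem" "$WORK/ldapcert.pem")"
echo "unrelated CA: $(verify_against "$WORK/othercacert.pem" "$WORK/ldapcert.pem")"
echo "server CN:    $(cert_cn "$WORK/ldapcert.pem")"
```

Running verify_against with the CA file the client actually trusts and the certificate slapd actually serves reproduces the client's decision without a live LDAP session.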