
RE: SSL/TLS Ughh



This FAQ http://www.openldap.org/faq/index.cgi?file=185 has just been updated
with an answer to your question.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Lee Hoffman

Hey All,
I'm using Openldap 2.1.4 on Redhat 7.3 w/ openssl-0.9.6b-28 (RPM). I compiled
openldap --with-tls and it works fine without TLS/SSL.

However when I try:
ldapsearch  -LLL -b "dc=mydomain,dc=com" -Z -s sub -x -D
"uid=lee,ou=users,dc=mydomain,dc=com" -W "(uid=lee)"

# I get the following errors:
#
# ldap_start_tls: Connect error (91)
#        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
# Enter LDAP Password:
# ldap_bind: Can't contact LDAP server (81)
#        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
#

Without the -Z switch above, the ldapsearch works fine. Likewise I can
successfully telnet to localhost on port ldaps.

Based on the above errors, it seems like this is a certificate issue. I tried
following the Openldap.org TLS/SSL FAQ for generating the certs and adding
the necessary info to slapd.conf. That didn't fix the problem. I then used
the commands below to try again. Still no luck, same errors above.

Anyone have any ideas?

Here is how I made the certificates the second time around:

# From http://www.bolthole.com/solaris/LDAP.html

ln -s /usr/bin/openssl ./
ln -s /usr/share/ssl/misc/CA ./
./CA -newca
./CA -newreq
./CA -signreq
openssl rsa -in newreq.pem -out ldapkey.pem
chmod 0600 ldapkey.pem
mv newcert.pem ldapcert.pem
emacs /export/openldap/etc/slapd.conf

#
# Added the following to slapd.conf
#
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/local/etc/openldap/ldapcert.pem
TLSCertificateKeyFile /usr/local/etc/openldap/ldapkey.pem
TLSCACertificateFile /usr/local/etc/openldap/demoCA/cacert.pem

# Started slapd with the following command
/usr/local/libexec/slapd -h "ldap:/// ldaps:///"


Thanks,
Lee
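The errors in the post are raised on the client side (ldap_start_tls, before the bind), so it is ldapsearch, not slapd, that fails to verify the server certificate: the OpenSSL backend could not build a chain from ldapcert.pem to a CA it trusts. The script below is an added example (my own, not Lee's commands and not the FAQ's answer) that reproduces that chain check offline with the openssl CLI: it builds a throwaway CA, signs a server certificate with it, and then runs `openssl verify` with and without the CA file, which is the same trust decision the client makes during STARTTLS. File names mirror the post (cacert.pem, ldapkey.pem, ldapcert.pem) but all material is constructed in a temporary directory; the CN values are placeholders.

```shell
#!/bin/sh
# Added example: reproduce the client-side "certificate verify failed"
# decision with openssl, using a constructed CA and server certificate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_certs() {
  # Constructed test CA; stands in for demoCA/cacert.pem in the post.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" >/dev/null 2>&1
  # Server key and CSR; stands in for ldapkey.pem / newreq.pem.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=ldap.example.test" \
    -keyout "$WORK/ldapkey.pem" -out "$WORK/newreq.pem" >/dev/null 2>&1
  # Server certificate signed by the test CA; stands in for ldapcert.pem.
  openssl x509 -req -days 365 -in "$WORK/newreq.pem" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -out "$WORK/ldapcert.pem" >/dev/null 2>&1
  # A self-signed certificate the CA never issued: what a client sees when
  # the server presents a cert that does not chain to the configured CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=ldap.example.test" \
    -keyout "$WORK/selfsignedkey.pem" -out "$WORK/selfsigned.pem" >/dev/null 2>&1
}

# verify_chain CERT [CAFILE]: prints "ok" if CERT chains to CAFILE (or to the
# system trust store when no CAFILE is given), otherwise "verify-failed".
verify_chain() {
  cert=$1
  cafile=${2:-}
  if [ -n "$cafile" ]; then
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 && echo ok || echo verify-failed
  else
    openssl verify "$cert" >/dev/null 2>&1 && echo ok || echo verify-failed
  fi
}

make_certs
# Only the first case is what a correctly configured client sees.
echo "CA-signed cert, CA supplied:     $(verify_chain "$WORK/ldapcert.pem" "$WORK/cacert.pem")"
echo "CA-signed cert, no CA supplied:  $(verify_chain "$WORK/ldapcert.pem")"
echo "self-signed cert, CA supplied:   $(verify_chain "$WORK/selfsigned.pem" "$WORK/cacert.pem")"
```

The second line of output is the situation in the post: the server has TLSCACertificateFile set, but that directive tells slapd which CA to trust, not the client; a client that has not been given the CA certificate fails exactly as shown. Against a live server the equivalent check is `openssl s_client -connect host:636 -CAfile /path/to/cacert.pem`, which ends with "Verify return code: 0 (ok)" when the chain is right. One separate caveat on the posted slapd.conf: `+SSLv2` in TLSCipherSuite re-enables SSLv2, which is obsolete and should not be offered.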