
RE: SSL/TLS Ughh



Try the ldapsearch with debug messages enabled. Just add "-d -1" to the
command and see what is going on with the certificate verification. Also,
since you have configured OpenLDAP to use /export/openldap/etc, you should
have added the TLS_CACERT directive to /export/openldap/etc/ldap.conf. I
don't know what your /etc/ldap.conf is for.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: Lee Hoffman [mailto:lee_hoffman@brown.edu]
> Sent: Monday, August 26, 2002 1:03 PM
> To: 'Howard Chu'; openldap-software@OpenLDAP.org
> Subject: RE: SSL/TLS Ughh
>
>
> According to the updated section in the FAQ, all I need to do is add the
> following line to /etc/ldap.conf:
>
> TLS_CACERT /export/openldap/etc/demoCA/cacert.pem
>
> (slapd.conf's TLSCACertificateFile  directive points to the file
> /export/openldap/etc/demoCA/cacert.pem also)
>
> I did that, and then restarted slapd, same error though.
>
> What am I doing wrong?
>
> Sincerely,
> Lee
>
>
>
>
> This FAQ http://www.openldap.org/faq/index.cgi?file=185 has just been
> updated with an answer to your question.
>
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support
>
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Lee Hoffman
>
> Hey All,
> I'm using Openldap 2.1.4 on Redhat 7.3 w/ openssl-0.9.6b-28 (RPM). I
> compiled openldap -with-tls and it works fine without TLS/SSL.
>
> However when I try:
> ldapsearch  -LLL -b "dc=mydomain,dc=com" -Z -s sub -x -D
> "uid=lee,ou=users,dc=mydomain,dc=com" -W "(uid=lee)"
>
> # I get the following errors:
> #
> # ldap_start_tls: Connect error (91)
> #        additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> # Enter LDAP Password:
> # ldap_bind: Can't contact LDAP server (81)
> #        additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> #
> #
>
> Without the -Z switch above, the ldapsearch works fine. Likewise I can
> successfully telnet to localhost on port ldaps.
>
> Based on the above errors, it seems like this is a certificate issue. I
> tried following the Openldap.org TLS/SSL FAQ for generating the certs and
> adding the necessary info to slapd.conf. That didn't fix the problem. I then
> used the commands below to try again. Still no luck, same errors above.
>
> Anyone have any ideas?
>
> Here is how I made the certificates the second time around:
>
> # From http://www.bolthole.com/solaris/LDAP.html
>
> ln -s /usr/bin/openssl ./
> ln -s /usr/share/ssl/misc/CA ./
> ./CA -newca
> ./CA -newreq
> ./CA -signreq
> openssl rsa -in newreq.pem -out ldapkey.pem
> chmod 0600 ldapkey.pem
> mv newcert.pem ldapcert.pem
> emacs /export/openldap/etc/slapd.conf
>
> #
> # Added the following to slapd.conf
> #
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile /usr/local/etc/openldap/ldapcert.pem
> TLSCertificateKeyFile /usr/local/etc/openldap/ldapkey.pem
> TLSCACertificateFile /usr/local/etc/openldap/demoCA/cacert.pem
>
> # Started slapd with the following command
> /usr/local/libexec/slapd -h "ldap:/// ldaps:///"
>
>
> Thanks,
> Lee
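
As an added example that is not part of this thread (CA names, paths and the hostname are constructed), the two checks behind the advice above, done with openssl from the shell: that the key and cert slapd.conf points at are a matching pair, and that the server cert verifies against the CA file the client will name in TLS_CACERT, the check that fails with "certificate verify failed" when the client has no CA file or an unrelated one.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throwaway demo CA and a
# server cert under a temp dir (all names constructed), then runs the two
# checks behind a "certificate verify failed" from ldapsearch -Z.
set -e
WORK=$(mktemp -d)

# make_ca DIR NAME: self-signed CA, the role demoCA/cacert.pem plays above
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2-key.pem" -out "$1/$2.pem" 2>/dev/null
}

# make_server_cert DIR CANAME: server key + cert signed by that CA, i.e.
# the pair slapd.conf names in TLSCertificateKeyFile / TLSCertificateFile
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
        -keyout "$1/ldapkey.pem" -out "$1/ldapreq.pem" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/ldapreq.pem" -CA "$1/$2.pem" \
        -CAkey "$1/$2-key.pem" -CAcreateserial -out "$1/ldapcert.pem" 2>/dev/null
}

# key_matches_cert KEY CERT: "yes" when both carry the same RSA modulus,
# i.e. slapd is serving the certificate that belongs to its private key
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null || true)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null || true)
    if [ -n "$k" ] && [ "$k" = "$c" ]; then echo yes; else echo no; fi
}

# verify_against_ca CAFILE CERT: "ok" when CERT chains to CAFILE. This is
# what the client does once TLS_CACERT names the CA that signed the server
# cert; with no CA file, or an unrelated one, OpenSSL reports
# "certificate verify failed", the error ldap_start_tls printed.
verify_against_ca() {
    if out=$(openssl verify -CAfile "$1" "$2" 2>&1) &&
       printf '%s\n' "$out" | grep -q ': OK$'; then echo ok; else echo fail; fi
}

make_ca "$WORK" demoCA            # the CA that signs the server cert
make_ca "$WORK" otherCA           # an unrelated CA, to show the failure mode
make_server_cert "$WORK" demoCA

echo "key/cert pair:      $(key_matches_cert "$WORK/ldapkey.pem" "$WORK/ldapcert.pem")"
echo "verify vs demoCA:   $(verify_against_ca "$WORK/demoCA.pem" "$WORK/ldapcert.pem")"
echo "verify vs otherCA:  $(verify_against_ca "$WORK/otherCA.pem" "$WORK/ldapcert.pem")"
echo "client-side fix:    TLS_CACERT $WORK/demoCA.pem   (in the ldap.conf ldapsearch reads)"
```

Running ldapsearch with "-d -1" afterwards shows which ldap.conf and which CA file the client actually loaded, so the result of the last check can be compared with what the client is really doing.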