
tls doesn't work



Hi,

I thought this would be easy :-)
I wanted to use TLS, but without using SASL (at least for now).
I created certificates for the server, and added the following to
slapd.conf:
TLSCertificateFile      /etc/openldap/ldap_crt.pem
TLSCertificateKeyFile   /etc/openldap/ldap_key.pem
TLSCACertificateFile    /usr/local/ssl/ce3-CA/certs/cacert.pem
TLSCACertificatePath    /usr/local/ssl/ce3-CA
TLSVerifyClient         never

------------------------
In ldap.conf, the TLS/SSL related part looks like this:
# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
#ssl off

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
tls_cacertfile /usr/local/ssl/ce3-CA/certs/cacert.pem
tls_cacertdir /usr/local/ssl/ce3-CA

# SSL cipher suite
# See man ciphers for syntax
tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

------------------------
Then I try to use ldapsearch with the -Z switch, and I get:
ldap_initialize( <DEFAULT> )
ldap_start_tls: Connect error (91)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ldap_bind: Can't contact LDAP server (81)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


It works without the -Z switch.

One thing I suspect is (from Admin Guide)
"The DN of a server certificate must use the CN attribute to name the
server, and the CN must carry the server's fully qualified domain name "

Can somebody give an example of correct certificate parameters?
I use OpenSSL to create them.


Regards
Kuba