
RE: tls doesn't work



On Fri, 2003-04-04 at 12:29, Howard Chu wrote:
> You are setting the wrong ldap.conf. The file you quoted below is not
> processed by the OpenLDAP library, therefore your SSL settings are not being
> used, and the library does not know where your CA cert is. Put the settings
> in the correct file.

Well, the correct file is under your default OpenLDAP installation, under
etc/openldap/ldap.conf

> > ------------------------
> > In ldap.conf, the TLS/SSL related part looks like this:
> > # Netscape SDK LDAPS
> > #ssl on
> >
> > # Netscape SDK SSL options
> > #sslpath /etc/ssl/certs/cert7.db
> >
> > # OpenLDAP SSL mechanism
> > # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
> > ssl start_tls
> > #ssl off
> >
> > # OpenLDAP SSL options
> > # Require and verify server certificate (yes/no)
> > # Default is "no"
> > #tls_checkpeer yes
> >
> > # CA certificates for server certificate verification
> > # At least one of these are required if tls_checkpeer is "yes"
> > tls_cacertfile /usr/local/ssl/ce3-CA/certs/cacert.pem
> > tls_cacertdir /usr/local/ssl/ce3-CA
> >
> > # SSL cipher suite
> > # See man ciphers for syntax
> > tls_ciphers TLSv1
> >
> > # Client certificate and key
> > # Use these, if your server requires client authentication.
> > #tls_cert
> > #tls_key
> >
> > ------------------------
> > Then I try to use ldapsearch with the -Z switch, and I get:
> > ldap_initialize( <DEFAULT> )
> > ldap_start_tls: Connect error (91)
> >         additional info: error:14090086:SSL
> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> > ldap_bind: Can't contact LDAP server (81)
> >         additional info: error:14090086:SSL
> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> >
> >
> > It works without the -Z switch.
> >
> > One thing I suspect is (from Admin Guide)
> > "The DN of a server certificate must use the CN attribute to name the
> > server, and the CN must carry the server's fully qualified
> > domain name "
> >
> > Can somebody give an example of a correct certificate parameters ?
> > I use OpenSSL to create them.
> >
> >
> > Regards
> > Kuba
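Added example, not part of the thread and not the OpenLDAP project's own code (the FQDN ldap.example.com, the CA subject and every file name below are assumptions). The file quoted above uses the `ssl start_tls`, `tls_checkpeer` and `tls_cacertfile` keywords that pam_ldap and nss_ldap read; the OpenLDAP client library reads its own ldap.conf(5) instead (etc/openldap/ldap.conf under the install prefix for a default build), where the CA is named with TLS_CACERT and server-certificate checking is controlled by TLS_REQCERT. The script answers the "example of correct certificate parameters" question with OpenSSL: a private CA, a server certificate whose CN (and subjectAltName) is the server's FQDN, the library ldap.conf pointing at that CA, and `openssl verify` runs that show the hostname check passing for the right name, failing for a different name, and reproducing the "certificate verify failed" outcome when no CA is configured.

```shell
#!/bin/sh
# Added example, not code from the thread.  Assumed names: the FQDN
# ldap.example.com, the "Example Test CA" subject, and every file name.
# Builds a CA-signed server certificate whose CN (and SAN) is the server's
# FQDN, writes the ldap.conf that the OpenLDAP *library* reads, and checks
# both the working path and the "certificate verify failed" failure.

# $1 = work dir, $2 = server FQDN (the name clients put in the URI)
make_server_cert() {
    dir=$1; fqdn=$2
    # Private CA; its certificate is the cacert.pem the client must trust.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/cacert.pem" >/dev/null 2>&1
    # Server CSR: the CN carries the FQDN, as the Admin Guide requires.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$fqdn" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    # Extensions for the signed certificate: the SAN repeats the FQDN
    # because current verifiers match the hostname against the SAN and
    # fall back to the CN only when no DNS SAN exists; CA:FALSE keeps a
    # leaked server key from minting further certificates.
    cat > "$dir/server.ext" <<EOF
subjectAltName = DNS:$fqdn
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/servercrt.pem" >/dev/null 2>&1
}

# The client-side file the OpenLDAP library actually parses (ldap.conf(5)).
# $1 = path to write, $2 = CA certificate file, $3 = server URI
write_client_ldap_conf() {
    cat > "$1" <<EOF
URI         $3
TLS_CACERT  $2
# demand: refuse the session unless the server certificate is valid and
# chains to TLS_CACERT.  "never" would make the error go away but would
# leave the client with no proof of which server it is talking to.
TLS_REQCERT demand
EOF
}

# What the client does during STARTTLS: chain to the CA and match the
# hostname from the URI.  $1 = CA file, $2 = server cert, $3 = hostname.
verify_for_host() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# The situation in the post: the library has no CA to chain to, so the
# check ends in "certificate verify failed".  Returns 0 when verification
# fails as expected.  $1 = server cert.
verify_without_ca_fails() {
    ! openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
}

# Stand-alone demo in a scratch directory.
demo() {
    work=$(mktemp -d)
    make_server_cert "$work" ldap.example.com
    write_client_ldap_conf "$work/ldap.conf" "$work/cacert.pem" ldap://ldap.example.com
    if verify_for_host "$work/cacert.pem" "$work/servercrt.pem" ldap.example.com; then
        echo "chain and hostname check pass for ldap.example.com"
    fi
    if ! verify_for_host "$work/cacert.pem" "$work/servercrt.pem" other.example.com; then
        echo "same certificate rejected for other.example.com (CN/SAN mismatch)"
    fi
    if verify_without_ca_fails "$work/servercrt.pem"; then
        echo "with no CA configured: certificate verify failed, as in the post"
    fi
    echo "client config written to $work/ldap.conf"
}

command -v openssl >/dev/null 2>&1 && demo
```

The point worth keeping in mind when the error goes away: setting TLS_REQCERT never (or leaving the other file's tls_checkpeer off) silences "certificate verify failed" but removes the only authentication of the server the client has, so any host answering on port 389 can take the StartTLS session. The fix is to install the CA the server certificate actually chains to and keep TLS_REQCERT demand.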