
Re: SSL3 alert write:fatal:unknown CA

Pierre,

You might also want to add '-x' for simple authentication as well as -D
"something" -W if needed to the ldapsearch command.

This one:  ldapsearch -H ldaps://sun.stars.priv -b "dc=stars,dc=priv" -d7
uses SASL and whatever mechanism the server decides is best.  Hence the
ldap_sasl_interactive_bind_s error.

If your certificates are configured correctly and can be verified, it might
just work.

Cheers,
Kent Soper

"You don't stop playing because you grow old ...
       you grow old because you stop playing."

Linux Technology Center, Linux Security
Phone:  1-512-838-9216
e-mail:  dksoper@us.ibm.com

From: Pierre Burri <pierre@globeall.de>
Sent by: owner-openldap-software@OpenLDAP.org
To: OpenLDAP <openldap-software@OpenLDAP.org>
Subject: Re: SSL3 alert write:fatal:unknown CA
Date: 06/26/2003 10:50 AM

Hi,
thank you for your suggestion. I looked for a while on openldap.org and
didn't find the article you are mentioning. But I found the article "How do
I use TLS/SSL?" in the Faq-O-Matic, which gave me some answers.
I'm just testing OpenLDAP to get the know-how, and that's why I'm not going
to buy a "real" certificate.
Nevertheless, I'm still curious about the document you are talking about...
Cheers, Pierre

On Wednesday, 25 June 2003 at 23:50, Quanah Gibson-Mount wrote:
> Hello,
>
> I suggest reading the OpenLDAP FAQ.  It has a nice long detailed
> explanation of why you probably don't want to use self-signed certs, or if
> you do, you need to have a CA cert you can point both the server & clients
> at.
>
> --Quanah
>
> --On Wednesday, June 25, 2003 11:16 PM +0200 Pierre Burri
>
> <pierre@globeall.de> wrote:
> > Hi,
> >
> > I'm trying to set up an LDAP server over SSL (it already works very well
> > without SSL).
> >
> > I'm using Debian Sid, package slapd, version 2.1.17-3, LDAPv3.
> >
> > I made a certificate; the common name is the FQDN of the host:
> > sun.stars.priv. The command:
> >
> > ldapsearch -H ldaps://sun.stars.priv -b "dc=stars,dc=priv" -d7
> >
> > gives me the following result:
> >
> > TLS certificate verification: depth: 0, err: 18, subject:
> > /C=DE/ST=Berlin/L=Berlin/O=linux-age/OU=LDAP-Server/CN=sun.stars.priv/Email=certificate@sun.stars.priv,
> > issuer:
> > /C=DE/ST=Berlin/L=Berlin/O=linux-age/OU=LDAP-Server/CN=sun.stars.priv/Email=certificate@sun.stars.priv
> > TLS certificate verification: Error, self signed certificate
> > tls_write: want=7, written=7
> >   0000:  15 03 01 00 02 02 30                               ......0
> > TLS trace: SSL3 alert write:fatal:unknown CA
> > TLS trace: SSL_connect:error in SSLv3 read server certificate B
> > TLS trace: SSL_connect:error in SSLv3 read server certificate B
> > TLS: can't connect.
> > ldap_perror
> > ldap_sasl_interactive_bind_s: Can't contact LDAP server (81)
> >         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> >
> > What can I do so that clients on hosts other than "sun" recognize my
> > self-made certificate?
> >
> > On the server "sun", I put TLS_CACERT /etc/ldap/server.pem in the file
> > /etc/ldap/ldap.conf, which removes the problem, but of course only on the
> > server.
>
> --
> Quanah Gibson-Mount
> Senior Systems Administrator
> ITSS/TSS/Computing Systems
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
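The quoted `ldapsearch -d7` trace contains two independent pieces of evidence that the client's trust store is the problem: the verify callback reports `err: 18` with subject equal to issuer (a self-signed leaf), and the seven bytes written just before the disconnect are a TLS alert record. The script below is an added example, not code from the thread or from OpenLDAP; it parses a constructed copy of the trace (with the wrapped subject/issuer lines rejoined), decodes the alert bytes, and maps the X.509 error code to the client-side configuration change the thread converges on (`TLS_CACERT` in the client's `ldap.conf`). The error and alert code tables are standard OpenSSL and TLS values; the `diagnose` report format is this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt of the "ldapsearch -d7" trace quoted in the thread, with the
# long subject/issuer lines rejoined (the archive wrapped them mid-word).
TRACE = """\
TLS certificate verification: depth: 0, err: 18, subject: /C=DE/ST=Berlin/L=Berlin/O=linux-age/OU=LDAP-Server/CN=sun.stars.priv/Email=certificate@sun.stars.priv,  issuer: /C=DE/ST=Berlin/L=Berlin/O=linux-age/OU=LDAP-Server/CN=sun.stars.priv/Email=certificate@sun.stars.priv
TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS: can't connect.
"""

# OpenSSL X509_V_ERR_* codes a client most often reports when the server's
# certificate (or the private CA that issued it) is not in its trust store.
X509_VERIFY_ERRORS = {
    18: "DEPTH_ZERO_SELF_SIGNED_CERT: leaf is self-signed and not trusted",
    19: "SELF_SIGNED_CERT_IN_CHAIN: root of the chain is not trusted",
    20: "UNABLE_TO_GET_ISSUER_CERT_LOCALLY: issuer cert not in the client's CA file",
    21: "UNABLE_TO_VERIFY_LEAF_SIGNATURE: only the leaf was sent and its issuer is unknown",
}

# TLS alert descriptions (RFC 5246 section 7.2) worth recognising in a trace.
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
              45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}

VERIFY_RE = re.compile(
    r"TLS certificate verification: depth: (\d+), err: (\d+), subject: (\S+),\s+issuer: (\S+)")
HEXDUMP_RE = re.compile(r"^\s*[0-9a-f]{4}:\s+((?:[0-9a-f]{2} )+)", re.I)


@dataclass
class VerifyEvent:
    depth: int
    err: int
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        # A certificate whose issuer DN equals its subject DN signed itself.
        return self.subject == self.issuer


def parse_verify_events(trace: str) -> List[VerifyEvent]:
    """Pull every verify-callback line out of the trace."""
    return [VerifyEvent(int(d), int(e), s, i) for d, e, s, i in VERIFY_RE.findall(trace)]


def decode_alert_record(record: bytes) -> Optional[dict]:
    """Decode a raw TLS record if it is a 7-byte alert (content type 0x15)."""
    if len(record) != 7 or record[0] != 0x15:
        return None
    major, minor = record[1], record[2]          # 3.1 is TLS 1.0, 3.0 is SSL 3.0
    length = int.from_bytes(record[3:5], "big")  # alert payload is always 2 bytes
    level, desc = record[5], record[6]
    return {
        "version": f"{major}.{minor}",
        "length": length,
        "level": "fatal" if level == 2 else "warning",
        "description": TLS_ALERTS.get(desc, f"unknown({desc})"),
    }


def find_alert_records(trace: str) -> List[dict]:
    """Decode every hexdump line in the trace that turns out to be a TLS alert."""
    out = []
    for line in trace.splitlines():
        m = HEXDUMP_RE.match(line)
        if m:
            decoded = decode_alert_record(bytes.fromhex(m.group(1)))
            if decoded:
                out.append(decoded)
    return out


def diagnose(trace: str) -> dict:
    """Combine verify errors and alerts into a client-side trust-store finding."""
    failed = [e for e in parse_verify_events(trace) if e.err != 0]
    alerts = find_alert_records(trace)
    report = {
        "failed_depths": [e.depth for e in failed],
        "alerts": [f"{a['level']} {a['description']}" for a in alerts],
        "reasons": [X509_VERIFY_ERRORS.get(e.err, f"X509 error {e.err}") for e in failed],
        "fix": None,
    }
    if any(e.err == 18 and e.self_signed for e in failed):
        # The server presents itself as its own issuer, so a client can only trust it
        # if that exact certificate (or a CA that signed it) is in its TLS_CACERT file.
        report["fix"] = ("copy the server certificate (or the CA that issued it) to the client "
                         "and reference it with TLS_CACERT in the client's ldap.conf")
    elif any(e.err in (20, 21) for e in failed):
        report["fix"] = "add the issuing CA certificate to the client's TLS_CACERT / TLS_CACERTDIR"
    return report


if __name__ == "__main__":
    for key, value in diagnose(TRACE).items():
        print(f"{key}: {value}")
```

Running it on the constructed trace decodes `15 03 01 00 02 02 30` as a TLS 1.0 record of content type alert, length 2, level fatal, description 48 (`unknown_ca`), which is exactly what the `SSL3 alert write:fatal:unknown CA` line says in words; the `err: 18` event with matching subject and issuer is what the "self signed certificate" message reports. Because `-d7` prints the same callback for every certificate in a chain, the same parser also shows depth-1 and depth-2 errors (codes 19 to 21) when a private CA rather than a self-signed leaf is in play.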