[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: SSL3 alert write:fatal:unknown CA
Hi Kent,
I looked in your excellent Document OpenLDAP_TLS_howto, also because Quanah
Gibson-Mount mentioned it.
In Chapter 7 Using TLS you give the following example:
ldapsearch -x -b 'dc=myserver,dc=com' -D "cn=Manager,dc=myserver,dc=com"
'(objectclass=*)' -H ldaps://myserver.com -W -ZZ
I thought TLS was working on port 389 and only SSL was using ldaps://
If that's true the command would be:
ldapsearch -x -b 'dc=myserver,dc=com' -D "cn=Manager,dc=myserver,dc=com"
'(objectclass=*)' -h myserver.com -W -ZZ
Pierre
Am Donnerstag, 26. Juni 2003 19:28 schrieben Sie:
> Pierre,
>
> You might also want to add '-x' for simple authentication as well as -D
> "something" -W if needed to the ldapsearch command.
>
> This one: ldapsearch -H ldaps://sun.stars.priv -b "dc=stars,dc=priv" -d7
> uses SASL and whatever mechanism the server decides is best. Hence the
> ldap_sasl_interactive_bind_s error.
>
> If your certificates are configured correctly and can be verified, it might
> just work.
>
> Cheers,
> Kent Soper
>
> "You don't stop playing because you grow old ...
> you grow old because you stop playing."
>
> Linux Technology Center, Linux Security
> Phone: 1-512-838-9216
> e-mail: dksoper@us.ibm.com
>
>
>
>
>
> Pierre Burri
> <pierre@globeall.de> To: OpenLDAP
> <openldap-software@OpenLDAP.org> Sent by: cc:
> owner-openldap-software@O Subject: Re: SSL3
> alert write:fatal:unknown CA penLDAP.org
>
>
> 06/26/2003 10:50 AM
>
>
>
>
>
>
> Hi
> thank you for your suggestion. I looked for a while on openldap.org and
> didn't
> find the article you are mentioning. But, I found the article "How to use I
>
> use TLS/SSL?" in the Faq-O-Matic which gave me some answers.
> I'm just testing OpenLDAP to get the know how and that's why I'm not going
> to
> buy a "real" certificate.
> Nevertheless, I'm still curious about de document you are talking about...
> Cheers, Pierre
>
> Am Mittwoch, 25. Juni 2003 23:50 schrieb Quanah Gibson-Mount:
> > Hello,
> >
> > I suggest reading the OpenLDAP FAQ. It has a nice long detailed
> > explanation of why you probably don't want to use self-signed certs, or
>
> if
>
> > you do, you need to have a CA cert you can point both the server &
>
> clients
>
> > at.
> >
> > --Quanah
> >
> > --On Wednesday, June 25, 2003 11:16 PM +0200 Pierre Burri
> >
> > <pierre@globeall.de> wrote:
> > > Hi,
> > >
> > > I'm trying to setup a LDAP server over SSL (it works already very well
> > > without SSL)
> > >
> > > I'm using Debian Sid, package slapd, version 2.1.17-3, LDAPv3
> > >
> > > I made a certificate, the common name is the FQDN of the host:
> > > sun.stars.priv the comand:
> > >
> > > ldapsearch -H ldaps://sun.stars.priv -b "dc=stars,dc=priv" -d7
> > >
> > > gives me the followin result:
> > >
> > > TLS certificate verification: depth: 0, err: 18, subject:
>
> /C=DE/ST=Berlin/L=Berlin/O=linux-age/OU=LDAP-Server/CN=sun.stars.priv/Ema
>
> > > il=certificate@sun.stars.priv, issuer:
>
> /C=DE/ST=Berlin/L=Berlin/O=linux-age/OU=LDAP-Server/CN=sun.stars.priv/Ema
>
> > > il=certificate@sun.stars.priv TLS certificate verification: Error, self
> > > signed certificate
> > > tls_write: want=7, written=7
> > > 0000: 15 03 01 00 02 02 30 ......0
> > > TLS trace: SSL3 alert write:fatal:unknown CA
> > > TLS trace: SSL_connect:error in SSLv3 read server certificate B
> > > TLS trace: SSL_connect:error in SSLv3 read server certificate B
> > > TLS: can't connect.
> > > ldap_perror
> > > ldap_sasl_interactive_bind_s: Can't contact LDAP server (81)
> > > additional info: error:14090086:SSL
> > > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> > >
> > > What can I do that clients from other hosts than "sun" recognize my
>
> self
>
> > > made certificate?
> > >
> > > On the the server "sun", I put TLS_CACERT /etc/ldap/server.pem in file
> > > /etc/ldap/ldap.conf which remove the problem, but of course only on the
> > > server.
> >
> > --
> > Quanah Gibson-Mount
> > Senior Systems Administrator
> > ITSS/TSS/Computing Systems
> > Stanford University
> > GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
--
My Sites:
http://www.linux-age.com
http://www.myfirewall.de
http://www.globeall.de
Tel. +49 (0)30 757 02 517
Fax: +49 (0)30 757 02 518