Re: [seeking help] unknown CA
Thanks greatly for the advice. I would like to detail my problem.
I have the same php script that works on a linux machine (redhat 9). I
just installed rpms of openldap, openssl, php, apache and related, and the
script works perfectly.
However, I compiled an apache (both 1.3 and 2.0) on solaris 2.8, and the
script does not work. Neither does the shell command ldapsearch work. (I use
openssl-0.9.7, php-4.3.3, openldap-2.1.22.)
In fact, on the linux machine, I didn't do anything like copying CA
certificates, at least knowingly. ldap.conf does not have TLS_CACERTDIR
but works fine. I checked the config files between the two machines, but
the configuration files seem to be the same.
When I "truss"ed ldapsearch on both machines, solaris failed while linux
worked. Also, solaris didn't call libldap or liblber while linux did.
Here're the commands and results.
================================
$ ldapsearch -v -x -H 'ldaps://ldapshost.server.com/' -b 'uid=xxxxx, ou=People,dc=server,dc=com' -D 'uid=xxxxx, ou=People,dc=server,dc=com' -W
(solaris)
ldap_bind: Can't contact LDAP server (81)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
(linux)
filter: (objectclass=*)
requesting: ALL
version: 2
...
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Here are some of the truss results from solaris.
===========================================
execve("/opt/openldap/bin/ldapsearch", 0xFFBEF98C, 0xFFBEF9B8) argc = 10
mmap(0x00000000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_ANON, - 1, 0) = 0xFF3A0000
resolvepath("/usr/lib/ld.so.1", "/usr/lib/ld.so.1", 1023) = 16
stat("/opt/openldap/bin/ldapsearch", 0xFFBEF6C8) = 0
open("/var/ld/ld.config", O_RDONLY) Err#2 ENOENT
open("/lib/libssl.so.0.9.7", O_RDONLY) Err#2 ENOENT
open("/usr/lib/libssl.so.0.9.7", O_RDONLY) Err#2 ENOENT
open("/usr/local/lib/libssl.so.0.9.7", O_RDONLY) = 3
fstat(3, 0xFFBEF05C) = 0
mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF390000
mmap(0x00000000, 278528, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF340000
mmap(0xFF37E000, 17456, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 188416) = 0xFF37E000
munmap(0xFF370000, 57344) = 0
memcntl(0xFF340000, 40020, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
close(3) = 0
open("/lib/libcrypto.so.0.9.7", O_RDONLY) Err#2 ENOENT
open("/usr/lib/libcrypto.so.0.9.7", O_RDONLY) Err#2 ENOENT
open("/usr/local/lib/libcrypto.so.0.9.7", O_RDONLY) = 3
2) The php script is here.
<?php
echo "<HTML><BODY>\n";
$server = "ldaps://operator.tamu.edu";
$linkid = ldap_connect($server);   // ldaps:// URI: TLS is negotiated when the connection is opened
if (!$linkid) {
    exit;
}
#ldap_start_tls($linkid); // Tried but does not work. (START TLS is for plain ldap:// sessions; an ldaps:// session is already encrypted.)
$lb = ldap_bind($linkid);          // no DN or password given: this is an anonymous bind
...
My basic goal is to get apache (1.3 or 2.0) working on solaris 2.8 with
ldap, ssl and php support. I have this site:
http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Apache-WebDAV-LDAP-HOWTO.html
but it seems to say I need iPlanet LDAP SDK to get ldaps on solaris.
Any help would be greatly appreciated.
Regards,
Ben
On Sun, 28 Sep 2003, Tony Earnshaw wrote:
> Ben Kim wrote:
>
> > I have a php script authenticating user against an ldap server (not under
> > my control) which I know has no problem.
> > But when I use it on my newly compiled server, it cannot bind with ldaps
> > protocol. Packet traces show the following exchange.
> > - client: Client Hello
> > - server: Server Hello, Certificate, Server Hello Done
> > - client: Alert (Level: Fatal, Description: Unknown CA)
>
> cced you, since this was a couple of days ago.
>
> *Assuming Linux, since you do not say*. If you have linked libphp4.so
> against Openldap client libldap and liblber, your libphp4.so will be
> using /usr/local/etc/ldap.conf or /etc/openldap/ldap.conf, depending on
> your distro. NB, NOT /etc/ldap.conf. You get the ldap server admin to
> send you a copy of the CA certificate he uses (have him gzip it, if he
> uses email) and you put it in a directory readable by your Apache user
> (nobody, apache, whatever) and you put the following line in ldap.conf:
>
> TLS_CACERTDIR /path/to/cacertdir. This is not literal! You have to
> substitute your own path. If you need more CA certs for different
> purposes, you can append them into the same cacert file in the cacertdir.
>
> > On google, it seems to be one of the standard error strings:
> > " "CA"/"unknown CA"
> > A valid certificate chain or partial chain was received, but
> > the certificate was not accepted because the CA certificate could not be
> > located or couldn't be matched with a known, trusted CA. This message
> > is always fatal."
>
> It is only "fatal" in the sense that it doesn't work at that moment. It
> will not be "fatal" if you do the above.
>
> Best,
>
> --Tonni
>
> --
> Tony Earnshaw
>
> Among the well-off I can scarcely thrive; among my equals I am most content
>
> http://www.billy.demon.nl
> Mail: tonni@billy.demon.nl
>
>
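The packet trace Ben quotes (Client Hello; Server Hello, Certificate, Server Hello Done; then a fatal "Unknown CA" alert from the client) and the ldapsearch error "certificate verify failed" are the same event seen at two layers: the client finished receiving the server's chain and could not link it to any CA it trusts. The Python below is an added example, not code from this thread or from the OpenLDAP project. It parses TLS 1.0-1.2 record bytes and reports which side aborted the handshake and with which alert, which is how one tells a client trust-store problem (alert 48, unknown_ca, sent by the client after Certificate) apart from a server-side rejection. The sample traces are constructed inline with placeholder payloads, not the real capture, and the HINTS table and function names are my own.

```python
import struct

# TLS 1.0-1.2 record and handshake constants (RFC 2246 / RFC 5246).
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
                   14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                      44: "certificate_revoked", 45: "certificate_expired",
                      46: "certificate_unknown", 48: "unknown_ca", 70: "protocol_version"}

# Defender-side reading of the certificate-related fatal alerts (my own table, not from the thread).
HINTS = {
    "unknown_ca": "the receiver could not chain the certificate to a trusted CA; on an OpenLDAP/OpenSSL "
                  "client this is the 'certificate verify failed' error, so check TLS_CACERT/TLS_CACERTDIR",
    "certificate_expired": "the certificate is outside its validity period; check clocks and renewal",
    "bad_certificate": "the certificate was corrupt or its signature did not verify",
    "certificate_unknown": "the certificate was rejected for an unspecified reason; check the verify callback",
    "handshake_failure": "no common protocol parameters (e.g. cipher suites); not a trust-store problem",
}


def record(ctype, body, version=(3, 1)):
    """Build one TLS record: content type, version, 16-bit length, body."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body


def handshake(htype, payload):
    """Build one handshake message: type byte, 24-bit length, payload."""
    return bytes([htype]) + len(payload).to_bytes(3, "big") + payload


def parse_records(data):
    """Split one side's byte stream into (content_type, body) tuples."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header")
        ctype, _major, _minor, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        records.append((ctype, body))
        off += 5 + length
    return records


def parse_handshake(body):
    """Name the handshake messages coalesced in one plaintext Handshake record."""
    names, off = [], 0
    while off < len(body):
        if len(body) - off < 4:
            raise ValueError("truncated handshake header")
        hlen = int.from_bytes(body[off + 1:off + 4], "big")
        names.append(HANDSHAKE_TYPES.get(body[off], "handshake_type_%d" % body[off]))
        off += 4 + hlen
    return names


def describe(data, encrypted=False):
    """Return (message names, encrypted_after) for one side's bytes. Records sent after that
    side's ChangeCipherSpec are encrypted, so they are reported opaquely rather than parsed."""
    names = []
    for ctype, body in parse_records(data):
        if encrypted and ctype in (21, 22):
            names.append("Encrypted" + CONTENT_TYPES[ctype])
        elif ctype == 22:
            names.extend(parse_handshake(body))
        elif ctype == 21:
            names.append("Alert(%s, %s)" % (ALERT_LEVELS.get(body[0], body[0]),
                                            ALERT_DESCRIPTIONS.get(body[1], body[1])))
        else:
            names.append(CONTENT_TYPES.get(ctype, "content_type_%d" % ctype))
            encrypted = encrypted or ctype == 20
    return names, encrypted


def diagnose(trace):
    """trace: list of (sender, bytes) in wire order. None if no fatal alert was seen; otherwise
    who aborted, which alert, whether a Certificate had already been received, and a hint."""
    encrypted, cert_seen = {"client": False, "server": False}, False
    for sender, data in trace:
        names, encrypted[sender] = describe(data, encrypted[sender])
        for name in names:
            cert_seen = cert_seen or name == "Certificate"
            if name.startswith("Alert(fatal, "):
                alert = name[len("Alert(fatal, "):-1]
                return {"aborted_by": sender, "alert": alert, "after_certificate": cert_seen,
                        "hint": HINTS.get(alert, "see the alert description in RFC 5246 section 7.2")}
    return None


# Constructed sample traces (hello and certificate payloads are placeholders, not real ones).
CLIENT_HELLO = ("client", record(22, handshake(1, b"\x03\x01" + b"\x00" * 32)))
SERVER_FLIGHT = ("server", record(22, handshake(2, b"\x03\x01" + b"\x00" * 32)
                                    + handshake(11, b"\x00\x00\x00") + handshake(14, b"")))
FAILED_TRACE = [CLIENT_HELLO, SERVER_FLIGHT, ("client", record(21, bytes([2, 48])))]  # fatal unknown_ca
OK_TRACE = [CLIENT_HELLO, SERVER_FLIGHT,
            ("client", record(22, handshake(16, b"\x00\x00")) + record(20, b"\x01") + record(22, b"\x10" * 16)),
            ("server", record(20, b"\x01") + record(22, b"\x10" * 16)),
            ("client", record(23, b"placeholder bind request"))]

if __name__ == "__main__":
    for label, trace in (("failed", FAILED_TRACE), ("ok", OK_TRACE)):
        enc = {"client": False, "server": False}
        for sender, data in trace:
            names, enc[sender] = describe(data, enc[sender])
            print(label, sender, names)
        print(label, "->", diagnose(trace))
```

Reading the trace this way confirms the advice in the thread: the alert comes from the client, after the server's Certificate message, so no amount of server-side change will help and the fix is the client's trust store. Two checks worth doing before touching PHP at all: run ldapsearch with the same ldap.conf the PHP module reads (it reproduces the failure, as Ben's output shows), and remember that OpenLDAP's ldap.conf(5) requires a TLS_CACERTDIR directory to be managed with OpenSSL's c_rehash, since the CA file is looked up by subject hash rather than by file name.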