Re: [ldap] OpenLDAP TLS problem
- To: Lukas Meyer <lukas@msys.ch>
- Subject: Re: [ldap] OpenLDAP TLS problem
- From: charlie derr <cderr@simons-rock.edu>
- Date: Mon, 23 Feb 2004 08:27:22 -0500
- Cc: ldap@umich.edu, openldap-software@OpenLDAP.org
- In-reply-to: <LYRIS-446031-611207-2004.02.23-04.38.57--cderr#simons-rock.edu@listserver.itd.umich.edu>
- References: <LYRIS-446031-611207-2004.02.23-04.38.57--cderr#simons-rock.edu@listserver.itd.umich.edu>
- User-agent: Mozilla Thunderbird 0.5a (20040105)
Just for yucks, modify your /etc/ldap.conf (on the client machine) by
adding the following line:
TLS_REQCERT never
and see if you can get it to succeed that way. (this should disable the
checking for a valid CA cert). If that works then that'll verify that
you're on the right track. My guess is that you just haven't properly
configured the client to use the correct CA cert (though I have no
specific advice on how to go about that -- it looks to me like
TLS_CACERT is the right entity -- did you try specifying that in
/etc/ldap.conf or somewhere else?) Also, if you need to post again,
please supply the version of OpenLDAP that you're attempting this with.
good luck,
~c
Lukas Meyer wrote:
Hi list
I'm trying to set up an OpenLDAP server with TLS support. I created the
needed certificates and added the essential lines to slapd.conf as
described in several howtos. But whatever I try, I get the same error:
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
/usr/src/lib/libssl/ssl/../src/ssl/s3_pkt.c:1052
connection_read(9): TLS accept error error=-1 id=7, closing
connection_closing: readying conn=7 sd=9 for close
connection_close: conn=7 sd=9
daemon: removing 9
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=8 active_threads=0 tvp=NULL
As explained in several mailing list posts everything should work after
declaring the correct certificate through the TLS_CACERT variable. I
also created an .ldaprc file which contains this variable. But the error
still occurs.
What else can I do to solve this problem? I very much welcome any suggestions!
Best regards
Lukas
--
That's one of the cool things about being a Catholic ... it's a
multifaceted experience. If you lose the faith, chances are you'll
keep the guilt, so it isn't as if you've been skunked altogether.
-Stephanie Plum
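The check behind charlie's advice, as an added example that is not part of the thread and not OpenLDAP's own code: the "SSL3 alert read:fatal:unknown CA" line in Lukas's trace is the server reading an alert the client sent, so it is the client's trust store (TLS_CACERT in /etc/ldap.conf or ~/.ldaprc) that failed to build a path to the server certificate. The script below reproduces that condition offline with a throwaway PKI and uses `openssl verify` to test whether a given CA file can verify a given server certificate before any slapd is involved. It assumes only the openssl command-line tool; the CA names, hostnames, file names and the `demo` function are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): build a throwaway PKI and
# check a CA file against a server certificate the way the TLS library does
# before the handshake completes. Assumes the openssl CLI is installed; every
# certificate here is constructed on the fly and thrown away afterwards.

# Build a test CA, a server certificate signed by it, and a second,
# unrelated CA that plays the role of a misconfigured TLS_CACERT.
make_test_pki() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test LDAP CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=ldap.example.test" -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Some Other CA" -keyout "$dir/other-ca.key" -out "$dir/other-ca.crt" >/dev/null 2>&1
}

# Return 0 if the CA file in $1 can verify the server certificate in $2.
# This is the same chain-building check libldap's TLS layer performs, so a
# failure here predicts an "unknown ca" alert at connection time.
ca_verifies_cert() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        return 0
    else
        return 1
    fi
}

# Print the client-side ldap.conf lines for a CA file that passed the check.
# TLS_REQCERT demand is the default; "never" (charlie's diagnostic) skips the
# check entirely and is only useful to confirm that the CA is the problem.
ldap_conf_lines() {
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$1"
}

# Demo: the issuing CA verifies the server cert, an unrelated CA does not.
demo() {
    work=$(mktemp -d)
    make_test_pki "$work"
    if ca_verifies_cert "$work/ca.crt" "$work/server.crt"; then
        echo "ca.crt verifies server.crt; matching client configuration:"
        ldap_conf_lines "$work/ca.crt"
    fi
    if ! ca_verifies_cert "$work/other-ca.crt" "$work/server.crt"; then
        echo "other-ca.crt cannot verify server.crt: this is the 'unknown ca' case"
    fi
    rm -rf "$work"
}
demo
```

On a real client, run `ca_verifies_cert` against the file named in TLS_CACERT and the certificate slapd serves (the one in slapd.conf's TLSCertificateFile); if it fails, the ldap.conf entry points at the wrong CA or at a CA file that lacks an intermediate, and `ldapsearch -ZZ -d 1` will show the same verification failure from the client's side.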