
Re: ldapsearch and TLS



Chris Majewski wrote:
Have you properly configured slapd.conf, ldap.conf, ldaprc?

Well, that's really the question isn't it...


Have you created a valid certificate chain?

I believe so, since at least one client (Mozilla's address book) is
able to negotiate an ssl connection with my server.



Did you read this site
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html

Yes. Well, I have now. So here's the thing. This:

ldapsearch -x -b 'ou=People,o=cs.ubc.ca' -D "uid=majewski,ou=People,o=cs.ubc.ca" '(objectclass=*)' -H ldap://okocim -W

works!

But this:

ldapsearch -x -b 'ou=People,o=cs.ubc.ca' -D "uid=majewski,ou=People,o=cs.ubc.ca" '(objectclass=*)' -H ldaps://okocim -W

doesn't! What's up with that?

-chris

OK, the first is plain ldap, the second is ldap over SSL involving certificates. The CN of the certificate must match exactly the name of the machine referred to in the ldap search. Here you've specified


ldaps://okocim

My guess is that the CN in your certificate is not "okocim". Try this ...

openssl s_client -connect okocim:636 -CAfile <path-to-CA-cert>


Dave
--
Dave Lewney
Principal Systems Programmer, IT Services
University of Sussex, Brighton BN1 9QJ.
Tel: 01273 678354  Fax: 01273 271956
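The check Dave describes, name in the URL versus name in the certificate, is what an ldaps client performs before it will talk to the server. The following is an added illustration, not code from the thread or from OpenLDAP: it implements that matching rule over certificate dictionaries shaped like the output of Python's ssl.getpeercert(), so it runs offline. The sample certificates, and the assumption that the server's full name would be okocim.cs.ubc.ca, are constructed for the example.

```python
"""Hostname-vs-certificate matching: the check that fails when a client is
told ldaps://okocim but the certificate names the host differently.

The certificate dicts below are CONSTRUCTED for this example. Their shape
mirrors what Python's ssl.SSLSocket.getpeercert() returns; nothing here
touches the network."""


def _label_match(pattern: str, hostname: str) -> bool:
    """Match one DNS name pattern against a hostname, RFC 6125 style:
    case-insensitive, wildcard allowed only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the entire leftmost label, must have at least two
    # further labels (no "*.com"), and must cover exactly one label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """Names a certificate asserts for itself. subjectAltName dNSName entries
    take precedence; the subject CN is only consulted when no SAN exists,
    which is the rule modern TLS clients follow."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the hostname the client dialled matches any name in the cert."""
    return any(_label_match(name, hostname) for name in cert_names(cert))


def explain(cert: dict, hostname: str) -> str:
    """Human-readable verdict, the kind of line a client log would show."""
    names = cert_names(cert)
    if hostname_matches(cert, hostname):
        return f"OK: '{hostname}' matches certificate names {names}"
    return f"MISMATCH: '{hostname}' is not among certificate names {names}"


# Constructed sample certificates (assumed FQDN okocim.cs.ubc.ca).
CERT_FQDN_CN_ONLY = {
    "subject": ((("commonName", "okocim.cs.ubc.ca"),),),
}
CERT_WITH_SAN = {
    "subject": ((("commonName", "ldap server"),),),  # ignored once a SAN is present
    "subjectAltName": (("DNS", "okocim.cs.ubc.ca"), ("DNS", "okocim")),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.cs.ubc.ca"),),),
}

if __name__ == "__main__":
    samples = [("cn-only", CERT_FQDN_CN_ONLY), ("san", CERT_WITH_SAN), ("wildcard", CERT_WILDCARD)]
    for label, cert in samples:
        for host in ("okocim", "okocim.cs.ubc.ca"):
            print(f"{label:9} {explain(cert, host)}")
```

The first sample reproduces the situation in the thread: a certificate whose only name is the fully qualified host fails for the short name "okocim" even though plain ldap:// to the same machine works, because plain LDAP never looks at the certificate. The second shows the usual fix, a SAN listing every name clients will dial.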