
Re: ldap+ssl+Active directory



The exact error when I do ldapsearch -H ldaps://ldapserver -x is:

ldap_bind: Can't contact LDAP server (81)
  additional info: error:14090086:SSL routines:
SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

When I do:
openssl s_client -connect ldapserver:636 -showcerts

CONNECTED(00000003)
depth=0 /CN=ldapserver
verify error:num=27:certificate not trusted
verify return:1
depth=0 /CN=ldapserver
verify error:num=21:unable to verify the first certificate
verify return:1



At 08:59 06/07/2004, Ainhoa Prat wrote:
>Hi,
>
>I'm using YaST to configure LDAP. In the LDAP client, I pick the option 
>'ldap tls/ssl'. Then /etc/ldap.conf has the following line:
>
># OpenLDAP SSL mechanism
># start_tls mechanism uses the normal LDAP port, LDAPS typically 636
>ssl     start_tls
>nss_base_passwd dc=monesa,dc=es
>nss_base_shadow dc=monesa,dc=es
>nss_base_group  dc=monesa,dc=es
>
>I think the configuration is OK, but I don't know how SuSE imports the 
>w2k certificate, or if I need to create a certificate for SuSE. I've 
>installed Microsoft Certification Authority to enable LDAP over SSL in 
>w2k. In SuSE I only set this option (ssl start_tls), so I don't know if 
>I need to do anything else.
>
>
>
>
>
>At 20:17 05/07/2004, Kurt D. Zeilenga wrote:
>>At 10:47 AM 7/5/2004, Andreas wrote:
>> >On Mon, Jul 05, 2004 at 10:34:32AM -0700, Kurt D. Zeilenga wrote:
>> >> At 01:09 AM 7/5/2004, Ainhoa Prat wrote:
>> >> >I'm having problems using ldap with ssl against windows 2000 AD. I
>> >> >have Suse 9 as ldap client and w2k as ldap server. I set use ssl in ldap.conf,
>> >>
>> >> Not sure what you mean by "set use ssl in ldap.conf"... but if you
>> >> mean you set 'use ssl' in ldap.conf, I note that OpenLDAP ldap.conf(5)
>> >> has no 'use ssl' directive.  You might be confusing directives for
>> >> some other ldap.conf file with OpenLDAP's ldap.conf(5).
>> >
>> >SuSE mixes nss_ldap and pam_ldap's ldap.conf (from PADL software) with
>> >openldap's ldap.conf.
>>
>>If so, that's ill-advised.
>>
>>Regardless, "use ssl" is not, as I said above, an OpenLDAP
>>ldap.conf(5) directive and hence will be ignored by OpenLDAP
>>command lines tools such as ldapsearch(1).
>>
>>Kurt
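
The two verify errors quoted at the top of this thread (num=27 "certificate not trusted", num=21 "unable to verify the first certificate") both mean the same thing: the client has no trust anchor for the certificate the AD server presents, so OpenSSL cannot build a chain. The script below is an added example, not code from the thread, from OpenLDAP or from SuSE. It builds a throwaway CA (a stand-in for the Microsoft CA installed on the w2k box) and a server certificate for the placeholder hostname "ldapserver", then shows `openssl verify` failing with no CA file and succeeding once the CA certificate is supplied, which is exactly the difference between the failing ldapsearch above and a working one. It assumes only that the openssl command-line tool is installed; the CA name "example-ca", the working directory and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "unable to verify the
# first certificate" failure offline, then show the fix.
# Assumes the openssl CLI is available. "example-ca", "ldapserver" and
# the working directory are constructed names for this demo.
set -e
WORK="${TMPDIR:-/tmp}/ldaps-demo.$$"
mkdir -p "$WORK"

# Hypothetical stand-in for the Windows CA: a self-signed root.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=example-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Server certificate for "ldapserver", issued by that CA, like the one
# AD presents on port 636 once a CA has been installed.
openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=ldapserver" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.pem" 2>/dev/null

# verify_chain CERT [CAFILE]: returns 0 if CERT chains to a trusted CA.
# With no CAFILE, openssl only has the system trust store, which does not
# contain our throwaway CA, so verification fails just as s_client did
# in the thread. With the CA file it succeeds.
verify_chain() {
    cert="$1"; cafile="$2"
    if [ -n "$cafile" ]; then
        openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1
    else
        openssl verify "$cert" >/dev/null 2>&1
    fi
}

# ldap_conf_lines CAFILE: print the directive that makes each client
# library trust that CA. OpenLDAP's ldap.conf(5) uses TLS_CACERT; the
# PADL nss_ldap/pam_ldap /etc/ldap.conf (the file YaST edits) uses
# tls_cacertfile. Kurt's point above is that these are two different
# files with two different vocabularies, and "ssl start_tls" is only
# read by the PADL one.
ldap_conf_lines() {
    printf 'TLS_CACERT %s\n' "$1"       # /etc/openldap/ldap.conf (OpenLDAP tools)
    printf 'tls_cacertfile %s\n' "$1"   # /etc/ldap.conf (nss_ldap / pam_ldap)
}

verify_chain "$WORK/server.pem" || echo "no CA given: verify fails (as in the thread)"
verify_chain "$WORK/server.pem" "$WORK/ca.pem" && echo "with CA file: verify OK"
ldap_conf_lines "$WORK/ca.pem"
```

On the real system the CA certificate is the Microsoft CA's own certificate exported from w2k in Base64 (PEM) form; once it is on the SuSE box, `openssl s_client -connect ldapserver:636 -CAfile /path/to/ca.pem` should report `Verify return code: 0 (ok)` before ldapsearch is tried again. The tempting shortcut, `TLS_REQCERT never` in OpenLDAP's ldap.conf or `tls_checkpeer no` in the PADL file, makes the error disappear but also lets any host that answers on port 636 collect the bind password, so it is not a fix. The demo leaves its files under $WORK for inspection; remove the directory when done.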