
RE: openldap 2.1.30 + gentoo +ssl [self signed problem again]



I noticed that you have a "simple_bind=64" directive in slapd.conf, but your "ldapsearch -Z" is using the default SASL bind?
 
Gary

	-----Original Message----- 
	From: owner-openldap-software@OpenLDAP.org on behalf of Florin Angelescu 
	Sent: Thu 11/25/2004 9:07 PM 
	To: Dieter Kluenter 
	Cc: OpenLDAP-software@OpenLDAP.org 
	Subject: Re: openldap 2.1.30 + gentoo +ssl [self signed problem again]
	
	

	On Thursday 25 November 2004 11:32, you wrote:
	> Hello,
	>
	> Florin Angelescu <fangelescu@caami-hziv.fgov.be> writes:
	> > On Thursday 25 November 2004 09:04, you wrote:
	> >> U must post your err msgs, debug output of slapd, ldap.conf and
	> >> slapd.conf B4 anyone could help u.
	>
	> [... 9
	>
	> >> I read the openldap software faq
	> >> and followed the instructions but it still got a self signed certificate
	> >> error
	> >> with ldapsearch ....
	> >> [ yes I read the faq, and yes I added the TLS_CACERT !!! ]
	> >> Was there an issue with that version ? Do I have to upgrade to 2.2   ?
	> >
	> > oh sure
	> > here are the logs
	> >
	> > http://student.vub.ac.be/~fangeles/ldap/filelist.log
	> > http://student.vub.ac.be/~fangeles/ldap/sldaperror.log
	> > http://student.vub.ac.be/~fangeles/ldap/ldapsearch.log
	> > http://student.vub.ac.be/~fangeles/ldap/ldap.conf
	> > http://student.vub.ac.be/~fangeles/ldap/slapd.conf
	>
	> These are the relevant log lines
	>
	> ,----[ slapd.log ]
	>
	> | tls_read: want=2, got=2
	> |   0000:  02 30                                              .0
	> | TLS trace: SSL3 alert read:fatal:unknown CA
	> | TLS trace: SSL_accept:failed in SSLv3 read client certificate A
	> | TLS: can't accept.
	> | TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
	> | s3_pkt.c:1052 connection_read(12): TLS accept error error=-1 id=0,
	> | closing
	> | connection_closing: readying conn=0 sd=12 for close
	> | connection_close: conn=0 sd=12
	>
	> `---
	>
	> You must have signed a cert with the wrong CA, check all your
	> certificates with
	>
	> openssl x509 -in certificate.pem -text
	>
	> in particular check the keyid, which must be identical in the key
	> chain.
	>
	> -Dieter
	
	well, I have only 1 CA .... (I used CA.sh -newcert)
	and the servercert is signed by my CA
	
	openssl x509 -in servercert.pem -text
	Certificate:
	    Data:
	        Version: 3 (0x2)
	        Serial Number: 1 (0x1)
	        Signature Algorithm: md5WithRSAEncryption
	        Issuer: C=BE, ST=BELGIUM, L=BRUSSELS, O=CAAMI_CA, OU=CCI, CN=CAAMI_CA/emailAddress=fangelescu@caami-hziv.fgov.be
	        Validity
	            Not Before: Nov 25 08:32:09 2004 GMT
	            Not After : Nov 25 08:32:09 2005 GMT
	        Subject: C=BE, ST=BELGIUM, L=BRUSSELS, O=CAAMI-HZIV, OU=CCI, CN=ldap.caami-hziv.fgov.be/emailAddress=ldapserver@caami-hziv.fgov.be
	        Subject Public Key Info:
	            Public Key Algorithm: rsaEncryption
	            RSA Public Key: (2048 bit)
	
	.
	.
	.
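The check Dieter suggests, as an added example that is not part of this thread: a throwaway CA and a server certificate it signs are generated in a temp directory (constructed, standing in for CAAMI_CA and servercert.pem above), plus a second unrelated CA, and `openssl verify -CAfile` is run against each; the unrelated CA reproduces the situation behind the "unknown CA" alert, since a client with TLS_CACERT pointing at a CA that did not issue the server cert rejects it the same way. The function names chain_ok, dn and issuer_matches are mine; the script assumes a stock openssl install with its default config.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throwaway CA, a server
# certificate signed by it, and an unrelated CA, then checks which CA the
# server certificate actually chains to. All names are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# CA that really issued the server cert (stands in for CAAMI_CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -keyout cakey.pem -out cacert.pem \
  -subj "/O=Example CA/CN=Example Root" >/dev/null 2>&1

# Server key and CSR, signed by that CA (stands in for servercert.pem).
openssl req -newkey rsa:2048 -nodes -keyout serverkey.pem -out server.csr \
  -subj "/CN=ldap.example.test" >/dev/null 2>&1
openssl x509 -req -in server.csr -CA cacert.pem -CAkey cakey.pem \
  -CAcreateserial -days 365 -out servercert.pem >/dev/null 2>&1

# An unrelated CA: a TLS_CACERT pointing here yields the "unknown CA" alert.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -keyout otherkey.pem -out othercert.pem \
  -subj "/O=Other CA/CN=Other Root" >/dev/null 2>&1

# chain_ok CAFILE CERT: succeeds only if CERT verifies against CAFILE,
# i.e. the same check a client makes with TLS_CACERT set to CAFILE.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# dn FILE subject|issuer: print the DN without the "subject=" / "issuer=" prefix.
dn() {
  openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*= *//'
}

# issuer_matches CAFILE CERT: CERT's Issuer DN must equal CAFILE's Subject DN.
# A mismatch here is the quickest sign of a cert signed by the wrong CA.
issuer_matches() {
  [ "$(dn "$2" issuer)" = "$(dn "$1" subject)" ]
}

for ca in cacert.pem othercert.pem; do
  if chain_ok "$ca" servercert.pem; then
    echo "$ca: servercert.pem chains to this CA"
  else
    echo "$ca: servercert.pem does NOT chain here (client sends 'unknown CA')"
  fi
done
```

Run the same two functions with the real cacert.pem and servercert.pem in place of the constructed files; `openssl verify` failing while `issuer_matches` succeeds points at a key mismatch rather than a wrong DN, which is what the keyid comparison in the quoted reply is about.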