
Re: OpenLDAP + TLS

 My server and client are on the same computer.

 I put this in my server config (slapd.conf):
------------------- slapd.conf ---------------------
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA:+TLSv1
TLSCACertificateFile /usr/local/openldap-data/cacert.pem
TLSCertificateFile /usr/local/openldap-data/servercrt.pem
TLSCertificateKeyFile /usr/local/openldap-data/serverkey.pem
TLSVerifyClient demand
TLSCACertificatePath /usr/local/openldap-data/
--------------------------------------------------


 In my client:
-------------- ldap.conf ----------------------------
TLS_CACERT /etc/ldap/cacert.pem
TLS_CACERTDIR /etc/ldap/
TLS_CERT /usr/local/openldap-data/servercrt.pem
TLS_KEY /usr/local/openldap-data/serverkey.pem
TLS_REQCERT demand
------------------------------------------------------

On Mon, 24 Jan 2005, "Florian Preuß" wrote:

> >  
> >  
> >  
> >  I am trying to set up LDAP with TLS, but I have a problem: 
> > ---------------------- Debug slapd ------------------------ 
> > tls_read: want=2, got=2 
> >   0000:  02 30                                              .0 
> > TLS trace: SSL3 alert read:fatal:unknown CA 
> > TLS trace: SSL_accept:failed in SSLv3 read client certificate A 
> > TLS: can't accept. 
> > TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca  
> > s3_pkt.c:1052 
> > connection_read(10): TLS accept error error=-1 id=1, closing 
> > connection_closing: readying conn=1 sd=10 for close 
> > connection_close: conn=1 sd=10 
> > daemon: removing 10 
> > ----------------------------------------------------------------- 
> >  
> >  
> >  
> >  I am using ldap client. 
> >  I already read a lot of home pages on the Internet, but I can't find the 
> > solution. 
> >  
> >  In my client ldap: 
> > -------- LDAP client --------------------------------------- 
> > ldapsearch -x -b 'dc=br' -D "cn=root,dc=com" '(objectclass=*)' -h 
> > localhost -W -f /etc/ldap/ldap.conf -Z 
> > ldap_start_tls: Connect error (91) 
> >         additional info: error:14090086:SSL  
> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed 
> > Enter LDAP Password: 
> > ldap_bind: Can't contact LDAP server (81) 
> >         additional info: error:14090086:SSL  
> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed 
> > ---------------------------------------------------------------- 
> >  
> >  
> >  Does someone know how to help me? 
> >  
> >  
> Create a CA and sign your certificate with it. Put the public CA 
> certificate on the client and configure ldap.conf where to find it. 
>  
> Florian 
> end 
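The two errors in the thread (the server's "unknown CA" about the client certificate, the client's "certificate verify failed" about the server certificate) are both chain failures, so a useful pre-flight is to ask openssl the same question slapd and ldapsearch will ask. The script below is an added example, not from the thread or from OpenLDAP; it assumes the openssl command is installed, and the Demo-CA/Other-CA files it builds are constructed samples.

```shell
# Added example, not from the thread: check that the slapd.conf / ldap.conf
# pairing above is consistent before relying on TLSVerifyClient demand.
# Needs the openssl command; the file names mirror the thread's.

# Does leaf certificate LEAF chain to the CA bundle CAFILE?  Returns 0 if yes.
# slapd asks this about the client cert (against TLSCACertificateFile) and
# ldapsearch about the server cert (against TLS_CACERT); "unknown CA" and
# "certificate verify failed" both mean the answer was no.
check_chain() {
    cafile=$1; leaf=$2
    if openssl verify -CAfile "$cafile" "$leaf" 2>&1 | grep -q ': OK$'; then
        return 0
    fi
    echo "FAIL: $leaf does not chain to $cafile" >&2
    echo "  leaf issuer: $(openssl x509 -noout -issuer -in "$leaf")" >&2
    echo "  CA subject : $(openssl x509 -noout -subject -in "$cafile")" >&2
    return 1
}

# TLSCACertificatePath / TLS_CACERTDIR are searched by subject hash, so a CA
# file merely copied into DIR is invisible until a <hash>.0 link exists
# (c_rehash creates them).  Returns 0 if the link for CAFILE is present.
check_cacertdir() {
    dir=$1; cafile=$2
    hash=$(openssl x509 -noout -hash -in "$cafile")
    [ -e "$dir/$hash.0" ] && return 0
    echo "FAIL: $dir has no $hash.0 link for $cafile (run c_rehash $dir)" >&2
    return 1
}

# Constructed throwaway PKI for a self-contained demo: Demo-CA signs
# servercrt.pem; Other-CA is unrelated, i.e. a CA the peer does not trust.
make_demo_pki() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Demo-CA \
        -keyout "$d/ca.key" -out "$d/cacert.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj /CN=localhost \
        -keyout "$d/serverkey.pem" -out "$d/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/cacert.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/servercrt.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Other-CA \
        -keyout "$d/other.key" -out "$d/other.pem" >/dev/null 2>&1
    echo "$d"
}

# On the thread's real files the checks would be run as, e.g.:
#   check_chain /usr/local/openldap-data/cacert.pem /usr/local/openldap-data/servercrt.pem
#   check_cacertdir /etc/ldap /etc/ldap/cacert.pem
```

Run check_chain once per direction (server CA against the client cert, client CA against the server cert); with the thread's configs both sides point at the same cacert.pem copy, so both checks must pass against the same CA.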