Re: TLS/SSL problems, server side certificate not recognized

[Chuck Theobald <chuckt@darkwing.uoregon.edu>]

Hi,

Send your config files to the list.  Make sure you are starting slapd on 
the correct port (ldap: and/or ldaps:) to serve both "ssl start_tls" and 
"ssl on".  Which to use is found in your /etc/ldap.conf file.  Mine says:

ssl start_tls
tls_cacertfile /usr/local/etc/cacert.pem
tls_ciphers HIGH

My /usr/local/etc/openldap/ldap.conf contains:

TLS_REQCERT never
TLS_CACERT /usr/local/etc/cacert.pem

Note the specification of the location of the (self-signed) ca cert.

Starting slapd as follows:

/usr/local/libexec/slapd -h 'ldap:/// ldaps:///'

Note I am starting the daemon on both port 389 and port 636, I prefer 
start_tls, but our email clients do not support this protocol.

As a first step, you should probably get ldap working without encryption, 
that way you can point to encryption as the source of your "stupidity"   :-)

Regards,
Chuck


At 03:54 AM 3/7/2005, Omar Al-Tabari wrote:
> I'm totally ignorant regarding ldap but I must configure it to use it in 
> my company, I need to enable SSL/TLS for its use, either TLS over port 389 
> or SSL over port 636, but I can't seem to make it work.
>
> I've created a self signed certificate, as instructed in many FAQ and 
> HOW-TO articles, but it doesn't seem to work, I also created a CA and 
> separated the certificate from the private key and added it to the server 
> but still no success.
>
> i need help, it looks like I'm a total idiot that's why it doesn't work, 
> you cant help me with my stupidity but I hope you could help me to get SSL 
> or TLS working.
>
> Also what needs to be done on the client side, do I copy the created 
> certificates or do I copy nothing?
>
> I'm using:
>
> Fedora Core 2
>
> Openldap 2.2.13

Chuck Theobald
System Administrator
The Robert and Beverly Lewis Center for Neuroimaging
University of Oregon
P: 541-346-0343
F: 541-346-0345