Re: TLS/SSL problems, server side certificate not recognized
Hi,
Send your config files to the list. Make sure you are starting slapd on
the correct port (ldap: and/or ldaps:) to serve both "ssl start_tls" and
"ssl on". Which to use is found in your /etc/ldap.conf file. Mine says:
ssl start_tls
tls_cacertfile /usr/local/etc/cacert.pem
tls_ciphers HIGH
My /usr/local/etc/openldap/ldap.conf contains:
TLS_REQCERT never
TLS_CACERT /usr/local/etc/cacert.pem
Note the specification of the location of the (self-signed) ca cert.
Starting slapd as follows:
/usr/local/libexec/slapd -h 'ldap:/// ldaps:///'
Note I am starting the daemon on both port 389 and port 636. I prefer
start_tls, but our email clients do not support this protocol.
As a first step, you should probably get ldap working without encryption,
that way you can point to encryption as the source of your "stupidity" :-)
Regards,
Chuck
At 03:54 AM 3/7/2005, Omar Al-Tabari wrote:
I'm totally ignorant regarding ldap, but I must configure it to use it in
my company. I need to enable SSL/TLS for its use, either TLS over port 389
or SSL over port 636, but I can't seem to make it work.
I've created a self-signed certificate, as instructed in many FAQ and
HOW-TO articles, but it doesn't seem to work. I also created a CA and
separated the certificate from the private key and added it to the server,
but still no success.
I need help. It looks like I'm a total idiot, that's why it doesn't work;
you can't help me with my stupidity, but I hope you could help me to get SSL
or TLS working.
Also what needs to be done on the client side, do I copy the created
certificates or do I copy nothing?
I'm using:
Fedora Core 2
Openldap 2.2.13
Chuck Theobald
System Administrator
The Robert and Beverly Lewis Center for Neuroimaging
University of Oregon
P: 541-346-0343
F: 541-346-0345
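The reply above ties two things together: the `ssl` line in /etc/ldap.conf decides which listener slapd must offer (ldap:/// for start_tls, ldaps:/// for ssl on), and TLS_REQCERT in the OpenLDAP ldap.conf decides whether the client verifies the server certificate at all. The script below is an added example, not code from either poster or from OpenLDAP; it parses the two config snippets Chuck quoted (embedded here as constructed samples), derives the slapd -h argument, and flags settings under which a wrong certificate would go unnoticed.

```python
"""Work out slapd listeners and client verification from ldap.conf files."""
import shlex

# Constructed sample: the /etc/ldap.conf (nss/pam_ldap style) quoted in the reply.
NSS_LDAP_CONF = """\
ssl start_tls
tls_cacertfile /usr/local/etc/cacert.pem
tls_ciphers HIGH
"""

# Constructed sample: the /usr/local/etc/openldap/ldap.conf quoted in the reply.
OPENLDAP_LDAP_CONF = """\
TLS_REQCERT never
TLS_CACERT /usr/local/etc/cacert.pem
"""


def parse_conf(text):
    """Return {keyword_lowercase: [values]}; blank lines and '#' comments ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        conf.setdefault(parts[0].lower(), []).extend(parts[1:])
    return conf


def required_listeners(nss_conf):
    """'ssl start_tls' needs plain ldap:/// (389); 'ssl on' needs ldaps:/// (636)."""
    mode = nss_conf.get("ssl", ["off"])[0].lower()
    return {"start_tls": ["ldap:///"], "on": ["ldaps:///"]}.get(mode, ["ldap:///"])


def slapd_command(nss_conf, slapd="/usr/local/libexec/slapd"):
    """Build the argv Chuck shows, listing only the URIs the client config needs."""
    return [slapd, "-h", " ".join(required_listeners(nss_conf))]


def verification_findings(openldap_conf):
    """List client settings under which a bad server certificate is accepted."""
    findings = []
    reqcert = openldap_conf.get("tls_reqcert", ["demand"])[0].lower()  # OpenLDAP default
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not verified")
    if not ({"tls_cacert", "tls_cacertdir"} & set(openldap_conf)):
        findings.append("no TLS_CACERT/TLS_CACERTDIR: a self-signed CA cannot be trusted")
    return findings
```

With Chuck's files, the script reports that only ldap:/// is required for start_tls and that TLS_REQCERT never means the self-signed certificate is never actually checked, which is useful for getting the connection up but should be changed to demand once it works.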