
Re: OpenLDAP as a ldap->ldaps proxy for apache to AD



Thanks, and sorry for the omission. I am running OpenLDAP 2.2.23.

Following your advice I tried adding the following lines to my slapd.conf

TLSCACertificateFile /opt/cert/SSLchain.pem
TLSCertificateFile /opt/cert/host.domain.com.crt
TLSCertificateKeyFile /opt/cert/host.domain.com.key

It didn't appear to make any difference, and I still get the "TLS 
certificate verification: Error, unable to get local issuer certificate" 
error message.

-Don

On 6/13/05, Howard Chu <hyc@symas.com> wrote:
> 
> You didn't mention the OpenLDAP version, which is probably significant
> here. In older versions of OpenLDAP a single TLS context was used for
> slapd. In newer versions, there are separate contexts for slapd as a
> server vs slapd as a client (e.g. back-ldap). Try adding the equivalent
> TLS settings to slapd.conf.
> 
> Don Wood wrote:
> > Hello,
> >
> > I am having trouble setting up OpenLDAP as a ldap->ldaps proxy for
> > apache to AD authentication. The proxy is running on debian sarge and
> > I am using the standard packages.
> >
> > I can see Apache connecting to OpenLDAP, and OpenLDAP connecting to
> > the AD server, but it appears that there are errors in the bind phase
> > for the SSL connection.
> >
> > When I run "slapd -d 16383" I get the below messages in the dump.
> >
> > TLS trace: SSL_connect:SSLv3 read server hello A
> > TLS certificate verification: depth: 2, err: 20, subject: /O=RSA
> > Security Inc./CN=RSA Public Root CA
> > v1/emailAddress=rsakeonrootsign@rsasecurity.com, issuer: /L=ValiCert
> > Validation Network/O=ValiCert, Inc./OU=ValiCert Class 3 Policy
> > Validation Authority/CN=
> > http://www.valicert.com//emailAddress=info@valicert.com
> > TLS certificate verification: Error, unable to get local issuer 
> > certificate
> >
> > In slapd.conf I did not do any certificate configuration, as apache
> > will not be connecting with SSL. OpenLDAP runs as root, so all of my
> > SSL configuration is in ~root/.ldaprc. Am I understanding correctly
> > that this is how it should be done? I have double-checked the paths
> > to the cert files, and they are all PEM encoded. I also know the
> > files are valid because Apache is using them for server authentication
> > to the client.
> >
> > Here are what I believe to be the applicable lines from my 
> > configuration.
> >
> > /etc/ldap/slapd.conf
> > database ldap
> > suffix "ou=people,dc=dir,dc=svc,dc=DOMAIN,dc=com"
> > uri "ldaps://AD_SERVER.DOMAIN.com:636"
> >
> > ~root/.ldaprc
> > TLS_CACERT /opt/cert/SSLchain.pem
> > TLS_CERT /opt/cert/host.domain.com.crt
> > TLS_KEY /opt/cert/host.domain.com.key
> > TLS_REQCERT demand
> >
> > Not sure what I'm missing, but I'm new to OpenLDAP so it could be
> > something basic. (I have checked the man pages, other docs, and
> > searched the mailing lists.)
> >
> >
> >
> 
> 
> --
> -- Howard Chu
> Chief Architect, Symas Corp. Director, Highland Sun
> http://www.symas.com http://highlandsun.com/hyc
> Symas: Premier OpenSource Development and Support
> 
>
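Added example, not code from the thread: a small parser for the "slapd -d 16383" verification trace quoted above. It re-joins the mailer-wrapped record, extracts depth, err, subject and issuer, and reports which issuer is missing from the local trust store (err 20 means exactly that), so you can check whether the CA file named by TLS_CACERT actually contains the issuer of the certificate at the failing depth. The sample trace and the list of trusted subjects are constructed for the example.

```python
import re

# Constructed sample: a "slapd -d 16383" trace in the format quoted in this
# thread, with the long verification line wrapped by the mailer.
SAMPLE_TRACE = """\
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 20, subject: /O=RSA
Security Inc./CN=RSA Public Root CA
v1/emailAddress=rsakeonrootsign@rsasecurity.com, issuer: /L=ValiCert
Validation Network/O=ValiCert, Inc./OU=ValiCert Class 3 Policy
Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
TLS certificate verification: Error, unable to get local issuer certificate
"""
# OpenSSL verify codes slapd prints as "err: N" meaning "the issuer of the cert
# at this depth is not in the local trust store" (2 and 20).
MISSING_ISSUER_CODES = {2, 20}

_RECORD_RE = re.compile(
    r"TLS certificate verification: depth: (\d+), err: (\d+), "
    r"subject: (.*?), issuer: (.*)$")

def unwrap(trace):
    """Re-join mailer-wrapped lines: every real record starts with 'TLS '."""
    records = []
    for line in trace.splitlines():
        if line.startswith("TLS ") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def parse_trace(trace):
    """One dict per 'depth/err/subject/issuer' verification record."""
    out = []
    for rec in unwrap(trace):
        m = _RECORD_RE.match(rec)
        if m:
            out.append({"depth": int(m.group(1)), "err": int(m.group(2)),
                        "subject": m.group(3), "issuer": m.group(4)})
    return out

def missing_issuers(records, trusted_subjects):
    """Issuers slapd could not find that are also absent from the subjects of
    the certs in TLS_CACERT (collect those with 'openssl x509 -noout -subject'
    per cert in the bundle). Returns [(depth, issuer)]."""
    trusted = set(trusted_subjects)
    return [(r["depth"], r["issuer"]) for r in records
            if r["err"] in MISSING_ISSUER_CODES and r["issuer"] not in trusted]
```

If the issuer reported at the failing depth is not among the subjects in SSLchain.pem, that is the certificate the bundle needs, regardless of whether the settings live in ~root/.ldaprc or slapd.conf.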