Re: OpenLDAP as a ldap->ldaps proxy for apache to AD
- To: openldap-software@OpenLDAP.org
- Subject: Re: OpenLDAP as a ldap->ldaps proxy for apache to AD
- From: Don Wood <donald.j.wood@gmail.com>
- Date: Mon, 13 Jun 2005 15:05:48 -0500
- In-reply-to: <42ADE0F1.8030909@symas.com>
- References: <b619abda0506131207762bff9c@mail.gmail.com> <42ADE0F1.8030909@symas.com>
Thanks, and sorry for the omission. I am running OpenLDAP 2.2.23.
Following your advice, I tried adding the following lines to my slapd.conf:
TLSCACertificateFile /opt/cert/SSLchain.pem
TLSCertificateFile /opt/cert/host.domain.com.crt
TLSCertificateKeyFile /opt/cert/host.domain.com.key
It didn't appear to make any difference, and I still get the "TLS
certificate verification: Error, unable to get local issuer certificate"
error message.
-Don
On 6/13/05, Howard Chu <hyc@symas.com> wrote:
>
> You didn't mention the OpenLDAP version, which is probably significant
> here. In older versions of OpenLDAP a single TLS context was used for
> slapd. In newer versions, there are separate contexts for slapd as a
> server vs slapd as a client (e.g. back-ldap). Try adding the equivalent
> TLS settings to slapd.conf.
>
> Don Wood wrote:
> > Hello,
> >
> > I am having trouble setting up OpenLDAP as a ldap->ldaps proxy for
> > apache to AD authentication. The proxy is running on debian sarge and
> > I am using the standard packages.
> >
> > I can see Apache connecting to OpenLDAP, and OpenLDAP connecting to
> > the AD server, but it appears that there are errors in the bind phase
> > for the SSL connection.
> >
> > When I run "slapd -d 16383" I get the below messages in the dump.
> >
> > TLS trace: SSL_connect:SSLv3 read server hello A
> > TLS certificate verification: depth: 2, err: 20, subject: /O=RSA
> > Security Inc./CN=RSA Public Root CA
> > v1/emailAddress=rsakeonrootsign@rsasecurity.com, issuer: /L=ValiCert
> > Validation Network/O=ValiCert, Inc./OU=ValiCert Class 3 Policy
> > Validation Authority/CN=
> > http://www.valicert.com//emailAddress=info@valicert.com
> > TLS certificate verification: Error, unable to get local issuer
> > certificate
> >
> > In slapd.conf I did not do any certificate configuration, as apache
> > will not be connecting with SSL. OpenLDAP runs as root, so all of my
> > SSL configuration is in ~root/.ldaprc. Am I understanding correctly
> > that this is how it should be done? I have double-checked the paths
> > to the cert files, and they are all PEM encoded. I also know the
> > files are valid because Apache is using them for server authentication
> > to the client.
> >
> > Here are what I believe to be the applicable lines from my
> > configuration.
> >
> > /etc/ldap/slapd.conf
> > database ldap
> > suffix "ou=people,dc=dir,dc=svc,dc=DOMAIN,dc=com"
> > uri "ldaps://AD_SERVER.DOMAIN.com:636"
> >
> > ~root/.ldaprc
> > TLS_CACERT /opt/cert/SSLchain.pem
> > TLS_CERT /opt/cert/host.domain.com.crt
> > TLS_KEY /opt/cert/host.domain.com.key
> > TLS_REQCERT demand
> >
> > Not sure what I'm missing, but I'm new to OpenLDAP so it could be
> > something basic. (I have checked the man pages, other docs, and
> > searched the mailing lists.)
> >
>
>
> --
> -- Howard Chu
> Chief Architect, Symas Corp. Director, Highland Sun
> http://www.symas.com http://highlandsun.com/hyc
> Symas: Premier OpenSource Development and Support
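The "depth: 2, err: 20" trace lines quoted in this thread already say which certificate the CA file is missing; the helper below is an added example (not from the thread, OpenLDAP or Symas) that parses slapd's TLS verification lines and names the issuer DN that TLS_CACERT / TLSCACertificateFile must contain. The sample input is the thread's own trace reassembled onto one line, and the error-code table is OpenSSL's X509_V_ERR numbering.

```python
import re

# slapd -d 16383 prints one line per chain element during TLS verification:
#   "TLS certificate verification: depth: N, err: E, subject: DN, issuer: DN"
# DNs can contain commas ("ValiCert, Inc."), so the pattern anchors on the literal
# ", issuer: " separator with a greedy subject match instead of splitting on commas.
_VERIFY_RE = re.compile(
    r"TLS certificate verification: depth: (?P<depth>\d+), err: (?P<err>\d+), "
    r"subject: (?P<subject>.*), issuer: (?P<issuer>.*)$"
)

# OpenSSL X509_V_ERR_* codes that typically appear in this trace; 20 is the thread's case.
_ERR_NAMES = {
    0: "ok",
    2: "unable to get issuer certificate",
    10: "certificate has expired",
    18: "self signed certificate",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}

# Constructed sample: the thread's debug output, with the mail wrapping undone.
SAMPLE_TRACE = """\
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 20, subject: /O=RSA Security Inc./CN=RSA Public Root CA v1/emailAddress=rsakeonrootsign@rsasecurity.com, issuer: /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 3 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
TLS certificate verification: Error, unable to get local issuer certificate
"""

def parse_tls_trace(text):
    """Return one dict per verification line found in a slapd debug dump."""
    entries = []
    for line in text.splitlines():
        m = _VERIFY_RE.match(line.strip())
        if m:
            entries.append({"depth": int(m["depth"]), "err": int(m["err"]),
                            "subject": m["subject"], "issuer": m["issuer"]})
    return entries

def missing_issuer(entries):
    """Subject DN of the CA certificate the trusted CA file must contain, or None.
    err 20 at the deepest depth: OpenSSL walked the server's chain up to that cert
    and found no trusted copy of its issuer, so the issuer DN is what is missing.
    err 19: the server sent a self-signed root that is not in the CA file."""
    failures = [e for e in entries if e["err"] in (19, 20)]
    if not failures:
        return None
    top = max(failures, key=lambda e: e["depth"])
    return top["subject"] if top["err"] == 19 else top["issuer"]

if __name__ == "__main__":
    found = parse_tls_trace(SAMPLE_TRACE)
    for e in found:
        print(f"depth {e['depth']}: err {e['err']} ({_ERR_NAMES.get(e['err'], 'unknown')})")
    print("CA file must contain the certificate with subject:", missing_issuer(found))
```

Run it against a real `slapd -d 16383` capture to get the DN to look for (e.g. with `openssl x509 -noout -subject` on each certificate in the bundle) before touching the back-ldap configuration again.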