On Monday 24 October 2005 22:49, John Manning wrote:
> On Monday 24 October 2005 19:49, Buchan Milne wrote:
> >No, the subject on the server's cert. You should be able to get it (the
> >value following CN= in the subject line) with OpenSSL's s_client command:
> >$ openssl s_client -connect ldaphost:636
>
> Firstly, thanks so much for your help. I've made progress as a result
> (having been stuck for ages). I did as you suggested above. I got the
> following in the first few lines:
>
> $ openssl s_client -connect ldaphost:636
> CONNECTED(00000003)
> depth=1 /O=dev/OU=Organizational CA
> verify error:num=19:self signed certificate in certificate chain
> verify return:0

This is still the CA cert. Look further down the output for the server
cert. Unfortunately I can't currently show you an example with working CA
certs.

>
> Not sure if the "verify error" in there is terribly ominous or not.

You'd want to use the -CApath option to openssl s_client to check the
validity of the cert (I omitted that the first time :-().

> Later on, there was indeed a subject line, as you predicted, with a CN
> value that was FQDN-like (say foo.bar.tld). I popped this in /etc/hosts
> and tried an ldapsearch:
>
> $ ldapsearch -v -D "cn=someuser, o=users" -H ldaps://foo.bar.tld:636 -ZZ
> ldap_initialize( ldaps://foo.bar.tld:636 )
> ldap_start_tls: Operations error (1)
> additional info: TLS is is already established
>
> At first, I thought this might be due to some redundancy between the
> "ldaps" scheme, the 636 port number and the -ZZ option to start TLS.

It is.

> However, if I change the scheme to just "ldap" or change the port, I
> can't connect at all. If I get rid of the -ZZ, it doesn't know which
> external SASL mechanism to use. Stuck again.

Use -x to disable SASL.

>
> >You could disable certificate checking in the OpenLDAP ldap.conf (which
> >should apply to php-ldap too).
>
> If this is the:
> TLS_REQCERT <level>
> option, I've tried playing around with that to no avail. It was at "allow"
> by default. I changed it to "never" but it didn't affect the above
> ldapsearch.

At this point you probably want to point OpenLDAP's ldap.conf at the CA
cert:

TLS_CACERT /path/to/TrustedRootCert.pem

Regards,
Buchan

--
Buchan Milne
ISP Systems Specialist
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
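The diagnosis in this thread has three parts: read the depth=0 (server) subject out of `openssl s_client` output rather than the depth=1 CA entry, treat `verify error:num=19` as "OpenSSL was not given the CA to trust" (fixed with -CApath/-CAfile, and TLS_CACERT in ldap.conf), and do not combine an ldaps:// URL with -ZZ. The script below is an added example, not part of the thread or of OpenLDAP; the s_client transcript it parses is constructed to match the format quoted above, the hostname foo.bar.tld and bind DN are placeholders taken from the thread, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): parse the output of
# `openssl s_client -connect host:636` to tell the CA cert (depth=1)
# from the server cert (depth=0), pull the CN out of the server's subject,
# and build an ldapsearch command line that does not double-start TLS.
# The s_client transcript below is constructed for the example; the
# hostnames and DNs are placeholders in the style of the thread.

SAMPLE_SCLIENT=$(cat <<'EOF'
CONNECTED(00000003)
depth=1 /O=dev/OU=Organizational CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
depth=0 /O=dev/CN=foo.bar.tld
verify return:1
---
Certificate chain
 0 s:/O=dev/CN=foo.bar.tld
   i:/O=dev/OU=Organizational CA
 1 s:/O=dev/OU=Organizational CA
   i:/O=dev/OU=Organizational CA
---
Server certificate
subject=/O=dev/CN=foo.bar.tld
issuer=/O=dev/OU=Organizational CA
---
EOF
)

# CN of the end-entity (server) certificate: s_client prints it after the
# PEM block as "subject=...". Reads the transcript on stdin.
server_cn() {
    sed -n 's|^subject=.*CN=\([^/,]*\).*|\1|p' | head -n 1
}

# Subject of the certificate at a given chain depth (0 = server, 1 = CA).
subject_at_depth() {
    sed -n "s|^depth=$1 ||p" | head -n 1
}

# Highest "verify error:num=NN" seen; prints 0 when there was no error.
# num=19 means the chain ends in a self-signed root OpenSSL was not told
# to trust, which is what -CApath/-CAfile (and TLS_CACERT) fix.
verify_error_num() {
    n=$(sed -n 's|^verify error:num=\([0-9]*\):.*|\1|p' | sort -n | tail -n 1)
    printf '%s\n' "${n:-0}"
}

# Compose the ldapsearch invocation for a given scheme. ldaps:// already
# wraps the connection in TLS, so -ZZ must not be added (that is the
# "TLS is already established" error); plain ldap:// on 389 needs -ZZ for
# StartTLS. -x selects simple bind so no SASL mechanism is negotiated.
ldapsearch_cmd() {
    scheme=$1; host=$2; binddn=$3
    case $scheme in
        ldaps) printf 'ldapsearch -x -D "%s" -H ldaps://%s:636\n' "$binddn" "$host" ;;
        ldap)  printf 'ldapsearch -x -D "%s" -H ldap://%s:389 -ZZ\n' "$binddn" "$host" ;;
        *)     printf 'unknown scheme: %s\n' "$scheme" >&2; return 1 ;;
    esac
}

# Stand-alone run over the constructed transcript.
cn=$(printf '%s\n' "$SAMPLE_SCLIENT" | server_cn)
echo "CA cert:     $(printf '%s\n' "$SAMPLE_SCLIENT" | subject_at_depth 1)"
echo "server cert: $(printf '%s\n' "$SAMPLE_SCLIENT" | subject_at_depth 0)"
echo "server CN:   $cn"
echo "verify err:  $(printf '%s\n' "$SAMPLE_SCLIENT" | verify_error_num)"
ldapsearch_cmd ldaps "$cn" "cn=someuser,o=users"
ldapsearch_cmd ldap  "$cn" "cn=someuser,o=users"
```

Against a live server you would replace the embedded transcript with `openssl s_client -CApath /etc/ssl/certs -connect ldaphost:636 </dev/null`, and a non-zero result from `verify_error_num` tells you to fix trust (TLS_CACERT) rather than lower TLS_REQCERT.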