
RE: Enabling TLS problem on openldap2-2.3.39





--On November 19, 2007 5:34:14 PM -0800 "Keagle, Chuck" <chuck.keagle@boeing.com> wrote:

System in SLES 9.3 running openldap 2.3.39

I tried to create the x509 hash and it still failed the same way.

Here are the entries in slapd.conf (all in global section):

    TLSCertificateFile /etc/ssl/servercerts/servercert.pem
    TLSCertificateKeyFile /etc/ssl/servercerts/serverkey.pem
    TLSCACertificatePath /etc/ssl/certs/
    TLSCACertificateFile /etc/openldap/ldapServer.crt
    TLSCACertificateKeyFile /etc/openldap/ldapServer.key


Pick one format or the other. Do not use both. I suggest the TLSCACertificatePath method with a hash. It is the only thing that has worked consistently for me (appears to be an openssl issue).


It fails exactly the same way:

    # ldapsearch -x -Z -H ldap://testsvr.blv.boeing.com -b "" -s base 'objectclass=*' '+' '*'
    ldap_start_tls: Connect error (-11)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    ldap_result: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Did you ever set up ldap.conf/.ldaprc as I noted, with the pointers to the CA cert and hash, as I noted was required? Also, the pem file for the CA cert does not need to contain the key. Probably better for it not to, really.


--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
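Added example, not part of the thread above: a small POSIX shell checker for the three points Quanah raises (only one of TLSCACertificatePath/TLSCACertificateFile set, a c_rehash-style hash directory when the path method is used, no private key inside the CA cert file, and a TLS_CACERT/TLS_CACERTDIR pointer in the client ldap.conf). The file paths and the function name are assumptions for illustration.

```shell
#!/bin/sh
# check_slapd_tls SLAPD_CONF [LDAP_CONF]
# Lints the TLS directives of slapd.conf (and optionally the client ldap.conf)
# for the misconfigurations discussed in the thread. Hypothetical helper, not
# part of OpenLDAP. Returns the number of findings (0 = clean).
check_slapd_tls() {
    conf="$1"
    ldapconf="$2"
    findings=0
    # First value after each directive; leading whitespace and case are ignored.
    capath=$(grep -i '^[[:space:]]*TLSCACertificatePath[[:space:]]' "$conf" | awk '{print $2}' | head -n 1)
    cafile=$(grep -i '^[[:space:]]*TLSCACertificateFile[[:space:]]' "$conf" | awk '{print $2}' | head -n 1)

    if [ -n "$capath" ] && [ -n "$cafile" ]; then
        echo "FINDING: both TLSCACertificatePath and TLSCACertificateFile are set; pick one"
        findings=$((findings + 1))
    fi
    if [ -n "$capath" ]; then
        # A c_rehash'ed directory contains certs (or symlinks) named <subject-hash>.<n>
        if ! ls "$capath" 2>/dev/null | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'; then
            echo "FINDING: $capath has no <hash>.N entries; run c_rehash on it"
            findings=$((findings + 1))
        fi
    fi
    if [ -n "$cafile" ] && grep -q 'PRIVATE KEY' "$cafile" 2>/dev/null; then
        echo "FINDING: $cafile carries a private key; the CA cert file should hold only the certificate"
        findings=$((findings + 1))
    fi
    # The client side must point at the CA (file or hash dir) or verification fails as in the ldapsearch above.
    if [ -n "$ldapconf" ] && ! grep -Eiq '^[[:space:]]*TLS_CACERT(DIR)?[[:space:]]' "$ldapconf"; then
        echo "FINDING: $ldapconf has neither TLS_CACERT nor TLS_CACERTDIR"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```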