Re: Enabling TLS problem on openldap2-2.3.39

[Howard Chu <hyc@symas.com>]

Keagle, Chuck wrote:
> I have yet to even change the error messages when trying:
>
> # ldapsearch -x -Z -H ldap://testsvr.blv.boeing.com -b "" -s base
> 'objectclass=*' '+' '*'
> ldap_start_tls: Connect error (-11)
>         additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> ldap_result: Can't contact LDAP server (-1)
>         additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Can anyone point out what I have missed here?

Probably about 2 years sysadmin experience. You ought to use something like 
RCS or CVS to manage your config files. (Yes, despite all the wonders of 
distributed revision control systems, there's still a place in the world for 
RCS.) You've clearly made so many changes you've totally confused yourself. 
You cannot possibly administer a system successfully, making such haphazard 
changes with no logging or rollback capability.

> ***********************************
> Here is /etc/openldap/slapd.conf

You cannot use TLS without the TLSCertificateFile and TLSCertificateKeyFile 
settings. You probably should not use both TLSCACertificatePath and 
TLSCACertificateFile. In general, you should not use TLSCACertificatePath; it 
can lead to strange out-of-resource problems at unpredictable times.

I think you need to re-read the documentation on how to use TLS.

> #CBK Comment out TLSCertificateFile and TLSCertificatekeyFile here.
> #    Also, force encryption
> #CBK end
> #TLSCertificateFile /etc/ssl/servercerts/servercert.pem
> TLSCACertificatePath /etc/ssl/certs/
> TLSCACertificateFile /etc/ssl/certs/ldapServer.pem
> #TLSCertificateKeyFile /etc/ssl/servercerts/serverkey.pem
> TLSCiphersuite HIGH
> security ssf=128
>
> #CBK added for local use on SuSE 9.3
> #TLSCACertificateFile /etc/openldap/cacert.pem
> #TLSCACertificateKeyFile /etc/openldap/ldapServer.key

> #######################################################################
> # bdb database definitions
> #######################################################################
>
> #####
> #  Database Configuration Parameters
> #####
>
> #TLSCertificateFile /etc/openldap/servercert.pem
> #TLSCertificateKeyFile /etc/openldap/serverkey.pem
> database bdb

> ***********************************
> Here is /etc/openldap/ldap.conf
>
> $ cat ldap.conf
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> #CBK Uncommented and set BASE and URI for local environment
> BASE    dc=blv,dc=boeing, dc=com
> URI     ldaps://testsvr.blv.boeing.com
>
> #SIZELIMIT      12
> #TIMELIMIT      15
> #DEREF          never
> TLS_REQCERT allow
> #CBK Added for self-signed certificate
> HOST            testsvr.blv.boeing.com
>
> TLS_CACERT /etc/ssl/certs/ldapServer.pem
>
> Here are the ldap log entries when loglevel = -1

As I've said time and time again, syslog is utterly useless for debugging. 
Read the docs and use *the debug flag* when chasing problems. That's what it's 
there for.
--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/