Re: Enabling TLS problem on openldap2-2.3.39
Philip Guenther wrote:
> On Wed, 21 Nov 2007, Keagle, Chuck wrote:
>> I have yet to even change the error messages when trying:
>>
>> # ldapsearch -x -Z -H ldap://testsvr.blv.boeing.com -b "" -s base 'objectclass=*' '+' '*'
>> ldap_start_tls: Connect error (-11)
>> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Looks to me like slapd is sending its cert, but either
> 1) it doesn't match the hostname in the URI (testsvr.blv.boeing.com), or
> 2) none of the CAs 'above' it are in the set of CAs trusted to ldapsearch.
>
> So, what's the output of
> openssl x509 -text -noout -in /path/to/servers/cert/here.pem
I'd recommend also configuring LDAPS on the separate port 636 by starting with
slapd -H "ldap://... ldaps://..."
and then using the command
openssl s_client with either command-line option -CApath or -CAfile
to check whether everything is in place at the SSL/TLS level. openssl
s_client gives you a nice debug log right on the console. If everything's
working, then the StartTLS extended operation should also work.
Ciao, Michael.
--
Michael Ströder
E-Mail: michael@stroeder.com
http://www.stroeder.com
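As an added example (not code from this thread or from OpenLDAP), the script below reproduces the two causes Philip names for "certificate verify failed" and runs the checks both replies suggest. It builds a throw-away private CA and a server certificate, uses openssl x509 and openssl verify -verify_hostname to check the CA chain and the hostname offline, starts a plain openssl s_server listener in place of slapd -H ldaps://..., and then runs openssl s_client -CAfile against it three ways (no CA given, correct CA and hostname, wrong hostname) to show the "Verify return code" each time. The name testsvr.example.com, port 18636 and the temp-dir paths are assumptions made for the demo; it needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces "certificate verify
# failed" with a private CA and a local TLS listener, then checks the cert
# offline (openssl verify) and live (openssl s_client -CAfile).
# Assumed for the demo: host testsvr.example.com, port 18636, temp paths.
set -eu

HOST=testsvr.example.com
PORT=18636
WORK=$(mktemp -d)
SERVER_PID=
cleanup() { [ -z "$SERVER_PID" ] || kill "$SERVER_PID" 2>/dev/null || true; rm -rf "$WORK"; }
trap cleanup EXIT

# 1. A private CA and a server cert it signs for $HOST. A minimal req config
#    is written so the CA cert gets basicConstraints CA:TRUE regardless of the
#    distro's default openssl.cnf. slapd would point TLSCertificateFile and
#    TLSCertificateKeyFile at server.pem / server.key.
printf '[req]\ndistinguished_name=dn\n[dn]\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
    > "$WORK/req.cnf"
openssl req -x509 -config "$WORK/req.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
    -days 1 -subj "/CN=Demo LDAP CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/server.ext"
openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/server.ext" -out "$WORK/server.pem" 2>/dev/null

# Philip's two points, checked offline against the cert file: does it chain to
# a CA in the bundle, and does its name match the host in the URI?
# Exit status 0 means both check out.
cert_ok_for_host() {   # $1 CA bundle, $2 expected hostname, $3 server cert
    openssl verify -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1
}

# 2. Stand-in for "slapd -H ldaps://...": a TLS listener serving that cert.
#    -www makes s_server answer like a tiny HTTPS server, so it never reads stdin.
openssl s_server -accept "127.0.0.1:$PORT" -cert "$WORK/server.pem" -key "$WORK/server.key" \
    -www >/dev/null 2>&1 &
SERVER_PID=$!
n=0
until openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1; do
    n=$((n + 1)); [ "$n" -lt 50 ] || { echo "listener did not start" >&2; exit 1; }
    sleep 0.1
done

# Michael's live check: one handshake with s_client, returning the number from
# the "Verify return code:" line it prints (0 = chain and name ok). Any extra
# arguments (-CAfile, -CApath, -verify_hostname) are passed through; stdin is
# closed so s_client exits right after the handshake.
tls_verify_code() {
    openssl s_client -connect "127.0.0.1:$PORT" "$@" </dev/null 2>/dev/null \
        | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# 3. What the server cert says about itself (what "openssl x509 -text" shows).
echo "server cert subject and SAN:"
openssl x509 -noout -subject -ext subjectAltName -in "$WORK/server.pem"
echo "offline verify as $HOST:    $(cert_ok_for_host "$WORK/ca.pem" "$HOST" "$WORK/server.pem" && echo ok || echo FAIL)"
echo "offline verify as other host: $(cert_ok_for_host "$WORK/ca.pem" other.example.com "$WORK/server.pem" && echo ok || echo FAIL)"
# 4. The same two causes seen from the client side, as ldapsearch -Z would.
echo "s_client, no -CAfile:         verify code $(tls_verify_code)"
echo "s_client -CAfile, right host: verify code $(tls_verify_code -CAfile "$WORK/ca.pem" -verify_hostname "$HOST")"
echo "s_client -CAfile, wrong host: verify code $(tls_verify_code -CAfile "$WORK/ca.pem" -verify_hostname other.example.com)"
```

Without -CAfile the client trusts only the system store, so the handshake completes but the verify code is non-zero (typically 21, "unable to verify the first certificate", since the listener sends only the leaf); with the CA bundle and the right name it is 0; with the CA bundle but a name that is not in the certificate it is 62, "Hostname mismatch". A hashed CA directory can be given with -CApath instead of -CAfile. In the real setup the client-side equivalent of -CAfile is TLS_CACERT in ldap.conf, which is where ldapsearch gets its trusted CAs.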