
Re: getting ca/ca subordinate cert to work with openldap



On Monday, 8 March 2010 21:55:51 Chris Jacobs wrote:
> Hello,
> 
> I'm having a heck of a time getting certs to function correctly.  This
>  server is being set up with another server in mirrormode - and currently
>  they cannot talk to each other (or themselves when using ldapsearch).
> 
> We have a root CA, with a subordinate CA used to sign the cert our ldap
>  server is using.
> 
> I have both appended to the /etc/pki/tls/certs/ca-bundle.crt file (CentOS5)
>  - root first, sub second.
> 
> I have both (also in the same order) in the cacert.pem used by slapd.conf.
>  TLS directives:
> TLSCACertificateFile    /etc/openldap/cacerts/cacert.pem
> TLSCertificateFile      /etc/openldap/cacerts/ldapcrt.pem
> TLSCertificateKeyFile   /etc/openldap/cacerts/ldapkey.pem
> # ldapsearch -H ldaps://localhost/
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)

Add:

TLS_CACERT /etc/openldap/cacerts/cacert.pem

to /etc/openldap/ldap.conf

(see 'man ldap.conf').

Most likely it will now fail validation unless your subject CN is "localhost";
the hostname you provide to ldapsearch should be the one that matches the
subject CN on the cert (or the subjectAltNames).

Regards,
Buchan
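
The two checks Buchan describes, as an added example that is not part of this thread or of OpenLDAP: a throwaway root CA -> subordinate CA -> server chain is built with openssl, the server cert is validated against a bundle holding root + sub (root first, sub second, as Chris has it), the hostname is matched against the CN / subjectAltName, and the "self signed certificate in certificate chain" error is reproduced for a client with no trust anchor. It assumes openssl >= 1.1 on PATH; every name and path below is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP. Builds a throwaway
# root CA -> subordinate CA -> server certificate chain with openssl, then runs
# the checks an OpenLDAP client makes once TLS_CACERT points at the bundle:
# chain validation against root + sub (root first, sub second, as on the list)
# and hostname matching against the CN / subjectAltName, plus a reproduction of
# the "self signed certificate in certificate chain" error seen with no trust anchor.
# Assumes openssl >= 1.1 on PATH; all names below are constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create root.crt, sub.crt, ldapcrt.pem (CN and SAN = $1), cacert.pem and chain.pem in $WORK.
make_chain() (
  host=$1
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > srv.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Demo Root CA" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr -subj "/CN=Demo Sub CA" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout ldapkey.pem -out ldap.csr -subj "/CN=$host" 2>/dev/null
  # The root signs itself, the root signs the sub CA, the sub CA signs the server cert.
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -out root.crt 2>/dev/null
  openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial -extfile ca.ext -out sub.crt 2>/dev/null
  openssl x509 -req -in ldap.csr -CA sub.crt -CAkey sub.key -CAcreateserial -extfile srv.ext -out ldapcrt.pem 2>/dev/null
  cat root.crt sub.crt > cacert.pem            # TLSCACertificateFile / TLS_CACERT bundle
  cat ldapcrt.pem sub.crt root.crt > chain.pem # what slapd sends the client on the wire
)

# Succeeds only if $2 (server cert) chains up to a trusted root in $1 (bundle).
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Same check plus the hostname used in ldaps://$3/ matched against CN / subjectAltName.
host_ok() { openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; }

# Client with no trusted CA receiving the server's full chain $1: print the numeric
# X509 verify error (19 = self signed certificate in certificate chain).
no_trust_error() {
  openssl verify -no-CAfile -no-CApath -untrusted "$1" "$2" 2>&1 \
    | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p'
}

make_chain ldap.example.com
chain_ok "$WORK/cacert.pem" "$WORK/ldapcrt.pem" && echo "chain against root+sub bundle: OK"
host_ok "$WORK/cacert.pem" "$WORK/ldapcrt.pem" ldap.example.com && echo "ldaps://ldap.example.com/: hostname OK"
host_ok "$WORK/cacert.pem" "$WORK/ldapcrt.pem" localhost || echo "ldaps://localhost/: hostname mismatch"
echo "no trust anchor: openssl verify error $(no_trust_error "$WORK/chain.pem" "$WORK/ldapcrt.pem")"
```

A bundle holding only the sub CA is not enough: without the root, the same verify call fails because the chain never reaches a trusted self-signed certificate.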