Re: Problem with SSL/TLS
Chris Jacobs wrote:
> /etc/ldap.conf is used by nss tools and the ilk.
> /etc/openldap/ldap.conf would be used by openldap tools - like ldapsearch.

Actually it's used by libldap, which means everything that uses libldap
(including nss_ldap). But of course the converse is not true, /etc/ldap.conf
only affects nss_ldap and pam_ldap, not anything else.

> I have the same setting there for tls_checkpeer - but in the latter ldap.conf
> (under openldap).

tls_checkpeer is not a valid OpenLDAP ldap.conf keyword.

> FWIW: there's apparently no real different format for the two files; while one
> would only be set up on ldap servers, mine are identical and things work with a

If they are identical and things work, it's by sheer luck. Read the
ldap.conf(5) manpage. Relying on anything not documented there would be a mistake.

To the original poster: use the ldapsearch debug flag. OpenSSL s_client is not
a reliable indicator of anything.

> mirror master, both set up behind a VIP (fail over, not load balanced) and a
> plethora of slaves in different subdomains.
>
> - chris
>
> PS: I'd forgotten to 'reply-to-all' earlier. :)
>
> Chris Jacobs, Systems Administrator
> Apollo Group | Apollo Marketing | Aptimus
> 2001 6th Ave Ste 3200 | Seattle, WA 98121
> phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
> email: chris.jacobs@apollogrp.edu
> ------------------------------------------------------------------------------
> *From*: Lynn York
> *To*: Chris Jacobs
> *Sent*: Mon Apr 12 10:29:19 2010
> *Subject*: RE: Problem with SSL/TLS
>
> Here is my /etc/ldap.conf:
>
> #host 127.0.0.1
> base cn=users,dc=testing,dc=com
> uri ldap://localhost:636
> binddn cn=manager,dc=testing,dc=com
> bindpw password
> scope sub
> timelimit 120
> bind_policy soft
> bind_timelimit 120
> idle_timelimit 3600
> ssl on
> tls_cacert /etc/openldap/cacerts/servercrt.pem
> tls_cacertdir /etc/openldap/cacerts
> tls_checkpeer no
> nss_base_group cn=groups,dc=testing,dc=com?sub
> pam_password md5
>
> I have tried it with and without "tls_checkpeer"... I am sort of at a loss as
> to what it can be. I also tested it using openssl client, and here is the output:
>
> *From*: openldap-technical-bounces+chris.jacobs=apollogrp.edu@OpenLDAP.org
> *To*: openldap-technical@openldap.org
> *Sent*: Mon Apr 12 08:13:39 2010
> *Subject*: Problem with SSL/TLS
>
> I have created a cert. on the server and openldap starts without any issues,
> however when I attempt to connect via ldaps I keep getting the following error:
>
> ldapsearch -x -H ldaps://localhost:636 -D "cn=Manager,dc=testing,dc=com" -W -b
> "dc=testing,dc=com" "(objectClass=top)"
> Enter LDAP Password:
> ldap_bind: Can't contact LDAP server (-1)
>         additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> I can't quite pinpoint what the problem might be.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
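Howard's two points (libldap only honours the keywords documented in ldap.conf(5), and tls_checkpeer is not one of them) can be turned into a check a sysadmin can run before trusting a "works for me" configuration. The script below is an added example, not code from this thread or from the OpenLDAP project: it reads the /etc/ldap.conf Lynn posted as if it were also /etc/openldap/ldap.conf (Chris's "identical files" setup), lists every keyword libldap would silently ignore there, and flags the settings that turn off server-certificate verification, which is what makes the "certificate verify failed" error disappear without fixing the trust problem. The two keyword sets are assumptions to cross-check against the ldap.conf(5) manpage of the installed OpenLDAP version; the hardened file and its CA path are constructed.

```python
"""Lint an ldap.conf-style file for keywords libldap does not document in
ldap.conf(5) and for settings that disable server certificate verification.
Added example; the keyword sets below are assumptions to cross-check against
the ldap.conf(5) manpage shipped with your OpenLDAP version."""

# Keywords documented in ldap.conf(5) (partial list, see note above).
# ldap.conf(5) keywords are case-insensitive, so everything is compared uppercased.
LIBLDAP_KEYWORDS = {
    "URI", "BASE", "BINDDN", "HOST", "PORT", "DEREF", "REFERRALS",
    "SIZELIMIT", "TIMELIMIT", "TIMEOUT", "NETWORK_TIMEOUT",
    "SASL_MECH", "SASL_REALM", "SASL_AUTHCID", "SASL_AUTHZID", "SASL_SECPROPS",
    "TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT", "TLS_KEY", "TLS_CIPHER_SUITE",
    "TLS_REQCERT", "TLS_CRLCHECK", "TLS_CRLFILE", "TLS_RANDFILE",
}

# Keywords from nss_ldap/pam_ldap's /etc/ldap.conf (the ones in the posted file);
# libldap does not read them, so in /etc/openldap/ldap.conf they do nothing.
NSS_LDAP_ONLY = {
    "SSL", "TLS_CHECKPEER", "BINDPW", "SCOPE", "BIND_POLICY", "BIND_TIMELIMIT",
    "IDLE_TIMELIMIT", "NSS_BASE_GROUP", "PAM_PASSWORD",
}

# The /etc/ldap.conf posted in the thread, verbatim.
POSTED_CONF = """\
#host 127.0.0.1
base cn=users,dc=testing,dc=com
uri ldap://localhost:636
binddn cn=manager,dc=testing,dc=com
bindpw password
scope sub
timelimit 120
bind_policy soft
bind_timelimit 120
idle_timelimit 3600
ssl on
tls_cacert /etc/openldap/cacerts/servercrt.pem
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
nss_base_group cn=groups,dc=testing,dc=com?sub
pam_password md5
"""

# Constructed /etc/openldap/ldap.conf using only ldap.conf(5) keywords.
# The CA file path is a placeholder: it must be the CA that signed the server cert.
HARDENED_CONF = """\
URI ldaps://localhost:636
BASE dc=testing,dc=com
TLS_CACERT /etc/openldap/cacerts/ca.pem
TLS_REQCERT demand
"""


def parse_ldap_conf(text):
    """Yield (lineno, KEYWORD, value) for each non-blank, non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        yield lineno, parts[0].upper(), value


def lint_ldap_conf(text, path="/etc/openldap/ldap.conf"):
    """Return a list of (lineno, severity, message) findings for the file."""
    findings = []
    for lineno, keyword, value in parse_ldap_conf(text):
        if keyword in NSS_LDAP_ONLY:
            findings.append((lineno, "IGNORED",
                             f"{keyword} is an nss_ldap/pam_ldap keyword; libldap ignores it in {path}"))
        elif keyword not in LIBLDAP_KEYWORDS:
            findings.append((lineno, "UNKNOWN",
                             f"{keyword} is not documented in ldap.conf(5)"))
        # Settings that stop the client from verifying the server certificate:
        # the "certificate verify failed" error goes away, and so does the check.
        if keyword == "TLS_REQCERT" and value.lower() in ("never", "allow"):
            findings.append((lineno, "WEAK",
                             f"TLS_REQCERT {value}: server certificate is not verified"))
        if keyword == "TLS_CHECKPEER" and value.lower() in ("no", "off", "false"):
            findings.append((lineno, "WEAK",
                             "tls_checkpeer no: nss_ldap will not verify the server certificate"))
    return findings


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for lineno, severity, message in lint_ldap_conf(conf) or [(0, "OK", "no findings")]:
            print(f"line {lineno}: {severity}: {message}")
```

Run on the posted file, nine of the sixteen active lines are reported as ignored by libldap and `tls_checkpeer no` is additionally flagged as disabling verification; the hardened file produces no findings. Once the client file contains only documented keywords, Howard's other advice applies: ldapsearch's `-d` option takes a debug level, and the resulting trace shows whether the CA named in TLS_CACERT actually verifies the certificate the server presents.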