RE: Problem with SSL/TLS

[Quanah Gibson-Mount <quanah@zimbra.com>]

--On Monday, April 12, 2010 6:13 PM -0400 Lynn York 
<lynn.york@mavenwire.com> wrote:

> Here is my /etc/openldap/ldap.conf:
>
> uri ldaps://localhost
> base cn=users,dc=testing,dc=com
> tls_cacert /etc/openldap/cacerts/ca.key
> tls_cacertdir /etc/openldap/cacerts
> tls_reqcert allow

You specify *one* of the two options (Either TLS_CACERT or TLS_CACERTDIR). 
Not both.  If you are specifying the file, then it needs to be the cert, 
not the key.


> TLS: could not load verify locations
> (file:`/etc/openldap/cacerts/ca.key',dir:`/etc/openldap/cacerts').

> However, the certs and key's to exist..
>
> ls -al /etc/openldap/cacerts/
> total 44
> drwxr-xr-x 3 ldap ldap 4096 Apr 12 13:48 .
> drwxr-xr-x 4 ldap ldap 4096 Apr 12 18:09 ..
> drwxr-xr-x 2 ldap ldap 4096 Apr 12 13:45 backup
> -rw-r--r-- 1 ldap ldap 1805 Apr 12 13:46 ca.cert
> -rw-r--r-- 1 ldap ldap 1679 Apr 12 13:46 ca.key

What about the permissions on /etc/openldap and /etc/openldap/cacerts?

I.e., if you su - ldap, can you actually read /etc/openldap/cacerts/ca.cert?

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration