On Fri, Nov 19, 2010 at 02:58:30PM -0200, Márcio Luciano Donada wrote:
> Hi list,
> When using TLS, I get the information that I'm using a self-signed
> certificate, as shown below:
>
> # ldapsearch -x -d5 -b 'ou=Usuarios,dc=xx,dc=com,dc=br' -H ldaps://121.1.1.97/ '(objectclass=*)'
> ldap_url_parse_ext(ldaps://121.1.1.97/)
> ldap_create
> ldap_url_parse_ext(ldaps://121.1.1.97:636/??base)
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP 121.1.1.97:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 121.1.1.97:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 0, err: 18, subject: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=ldap.xx.com.br, issuer: -State/O=Internet Widgits Pty Ltd/CN=ldap.xx.com.br
> TLS certificate verification: Error, self signed certificate
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate).
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

OpenLDAP is quite picky about correct certificate chains. You really
should create a full certificate chain, that is, a CA, a server
certificate and a server key.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770535@sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
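The chain Dieter describes, as an added example that is not part of the original thread: a private CA, a server key, and a server certificate signed by that CA, followed by the same verification libldap performs when it finds the CA in TLS_CACERT. The hostname ldap.xx.com.br is taken from the poster's certificate subject; the output directory, file names, subject fields and validity periods are assumptions. It uses only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds a private CA, a
# server key and a CA-signed server certificate, then verifies the chain.
# Directory layout and subject fields are assumptions; adjust to taste.
set -eu

make_chain() {
    dir=$1    # output directory, e.g. /etc/openldap/tls (assumption)
    host=$2   # DNS name clients will use in the ldaps:// URL
    mkdir -p "$dir"
    umask 077

    # 1. CA key and self-signed CA certificate. This is the only
    #    self-signed certificate that should exist in the setup; clients
    #    trust it explicitly via TLS_CACERT instead of trusting the server
    #    certificate directly.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -days 3650 -sha256 \
        -subj "/C=BR/O=Example LDAP/CN=Example LDAP CA" \
        -out "$dir/ca.crt"

    # 2. Server key and certificate request. The CN carries the hostname;
    #    the SAN added in step 3 is what modern hostname checks look at.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" \
        -subj "/C=BR/O=Example LDAP/CN=$host" \
        -out "$dir/server.csr"

    # 3. Server certificate signed by the CA. Extensions are supplied via
    #    -extfile so this also works on OpenSSL 1.x, which cannot copy
    #    them from the request.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$host" > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 825 -sha256 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null

    # Certificates are public; keys stay 0600 from the umask above.
    chmod 644 "$dir/ca.crt" "$dir/server.crt"
}

# Returns 0 when server.crt chains to ca.crt. This is the check that
# fails with "unknown CA" in the poster's trace, because there the server
# certificate is its own issuer and no CA is configured on the client.
verify_chain() {
    dir=$1
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1
}

# Prints the issuer DN of the server certificate; for a correct chain this
# names the CA, not the server itself.
server_issuer() {
    openssl x509 -in "$1/server.crt" -noout -issuer
}

# Usage (assumed paths):
#   make_chain /etc/openldap/tls ldap.xx.com.br && verify_chain /etc/openldap/tls
```

Once verify_chain succeeds, point slapd at the files with TLSCACertificateFile, TLSCertificateFile and TLSCertificateKeyFile in slapd.conf (or the olcTLS* attributes in cn=config), and give clients the CA only, with `TLS_CACERT /etc/openldap/tls/ca.crt` in ldap.conf; the client never needs the server certificate itself, and the ldaps:// URL must use the hostname in the SAN rather than the bare IP address from the poster's command.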