Thank you so much, Rich, for your help. Do you know if there are existing tools (perhaps already bundled with OpenSSL) that I can run to extract the CA certs to .pem files from /path/to/ldap_certdb? certutil -d /path/to/ldap_certdb -L # list the certs [Note: the NSS tool can do the export as well: `certutil -d /path/to/ldap_certdb -L -n "<CA nickname from the list>" -a > adrootca.pem` writes that one certificate in PEM (-a selects ASCII/PEM output); check the result with `openssl x509 -in adrootca.pem -noout -subject -issuer` before trusting it.] Via OpenLDAP client, I've been able to connect to Microsoft Active Directory Server over SSL by setting the CACERTFILE option, like this: ldap_set_option( NULL, LDAP_OPT_X_TLS_CACERTFILE, cert_file); <-- this works However, I am still NOT able to accomplish the same by setting the CACERTDIR option ldap_set_option( ld, LDAP_OPT_X_TLS_CACERTDIR, cert_dir); <-- this does NOT work When option LDAP_OPT_X_TLS_CACERTDIR is used, I am getting this error: slapd-search PID=7083: ldap_sasl_bind_s: Can't contact LDAP server (-1) error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed I am just wondering if OpenSSL looks for specific file names (or specific patterns of file names) under the cert_dir? [Note: yes. A -CApath / LDAP_OPT_X_TLS_CACERTDIR directory is indexed by subject-name hash: when OpenSSL needs the issuer of the server certificate it opens <hash>.0 (then <hash>.1, ... on collisions), where <hash> is the hash of the issuer's subject DN. A file named adrootca.pem is never opened, so verification fails exactly as shown below (verify error 21) even though the same file works with -CAfile. Fix: run `c_rehash /home/dmadmin/ldap_certdb`, or create the link by hand: `cd /home/dmadmin/ldap_certdb && ln -s adrootca.pem "$(openssl x509 -hash -noout -in adrootca.pem).0"`. Generate the link with the same OpenSSL build that your OpenLDAP library links against: OpenSSL 1.0.0 changed the subject-hash algorithm, and a link made with a different version is simply not found. Also keep the directory and its files unwritable by untrusted users; anything that can drop a <hash>.0 file there can add a trusted CA.] Here's my test using openssl from command line to test SSL connectivity to Microsoft Active Directory Server over SSL. Please note the highlighted texts. This test was run on a Linux machine. Note that if I specify -CAfile option, the connection was successful. But if I use -CApath option, the connection would fail with error "Verify return code: 21 (unable to verify the first certificate)". [Note: in the successful run the session negotiated TLSv1 with RC4-MD5, a 1024-bit server key and a sha1WithRSAEncryption chain; all three are weak by current standards, so once verification works, restrict the client cipher list (LDAP_OPT_X_TLS_CIPHER_SUITE) and, where possible, have the AD CA re-issue with a larger key and a SHA-2 signature.] Any input/feedback would be much appreciated. Thanks. 
Daisy % pwd /home/dmadmin/ldap_certdb % % ls -altr total 12 drwx------ 28 dmadmin dmadmin 4096 Sep 1 13:41 ../ -rw-r--r-- 1 dmadmin dmadmin 1692 Sep 1 14:56 adrootca.pem drwxr-xr-x 2 dmadmin dmadmin 4096 Sep 1 14:56 ./ % ################################################################ # asn1parse is to verify that openssl can parse the PEM file ################################################################ % openssl asn1parse -inform PEM -in ./adrootca.pem 0:d=0 hl=4 l=1204 cons: SEQUENCE 4:d=1 hl=4 l= 924 cons: SEQUENCE 8:d=2 hl=2 l= 3 cons: cont [ 0 ] 10:d=3 hl=2 l= 1 prim: INTEGER :02 13:d=2 hl=2 l= 16 prim: INTEGER :61DA1E03CCBF4A954385F1079D134B5E 31:d=2 hl=2 l= 13 cons: SEQUENCE 33:d=3 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption 44:d=3 hl=2 l= 0 prim: NULL 46:d=2 hl=2 l= 93 cons: SEQUENCE 48:d=3 hl=2 l= 19 cons: SET 50:d=4 hl=2 l= 17 cons: SEQUENCE 52:d=5 hl=2 l= 10 prim: OBJECT :domainComponent 64:d=5 hl=2 l= 3 prim: IA5STRING :com 69:d=3 hl=2 l= 24 cons: SET 71:d=4 hl=2 l= 22 cons: SEQUENCE 73:d=5 hl=2 l= 10 prim: OBJECT :domainComponent 85:d=5 hl=2 l= 8 prim: IA5STRING :dctmlabs 95:d=3 hl=2 l= 25 cons: SET 97:d=4 hl=2 l= 23 cons: SEQUENCE 99:d=5 hl=2 l= 10 prim: OBJECT :domainComponent 111:d=5 hl=2 l= 9 prim: IA5STRING :adldap112 122:d=3 hl=2 l= 17 cons: SET 124:d=4 hl=2 l= 15 cons: SEQUENCE 126:d=5 hl=2 l= 3 prim: OBJECT :commonName 131:d=5 hl=2 l= 8 prim: PRINTABLESTRING :adrootca 141:d=2 hl=2 l= 30 cons: SEQUENCE 143:d=3 hl=2 l= 13 prim: UTCTIME :100914235940Z 158:d=3 hl=2 l= 13 prim: UTCTIME :150915000848Z 173:d=2 hl=2 l= 93 cons: SEQUENCE 175:d=3 hl=2 l= 19 cons: SET 177:d=4 hl=2 l= 17 cons: SEQUENCE 179:d=5 hl=2 l= 10 prim: OBJECT :domainComponent 191:d=5 hl=2 l= 3 prim: IA5STRING :com 196:d=3 hl=2 l= 24 cons: SET 198:d=4 hl=2 l= 22 cons: SEQUENCE 200:d=5 hl=2 l= 10 prim: OBJECT :domainComponent 212:d=5 hl=2 l= 8 prim: IA5STRING :dctmlabs 222:d=3 hl=2 l= 25 cons: SET 224:d=4 hl=2 l= 23 cons: SEQUENCE 226:d=5 hl=2 l= 10 prim: OBJECT 
:domainComponent 238:d=5 hl=2 l= 9 prim: IA5STRING :adldap112 249:d=3 hl=2 l= 17 cons: SET 251:d=4 hl=2 l= 15 cons: SEQUENCE 253:d=5 hl=2 l= 3 prim: OBJECT :commonName 258:d=5 hl=2 l= 8 prim: PRINTABLESTRING :adrootca 268:d=2 hl=4 l= 290 cons: SEQUENCE 272:d=3 hl=2 l= 13 cons: SEQUENCE 274:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption 285:d=4 hl=2 l= 0 prim: NULL 287:d=3 hl=4 l= 271 prim: BIT STRING 562:d=2 hl=4 l= 366 cons: cont [ 3 ] 566:d=3 hl=4 l= 362 cons: SEQUENCE 570:d=4 hl=2 l= 11 cons: SEQUENCE 572:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage 577:d=5 hl=2 l= 4 prim: OCTET STRING 583:d=4 hl=2 l= 15 cons: SEQUENCE 585:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints 590:d=5 hl=2 l= 1 prim: BOOLEAN :255 593:d=5 hl=2 l= 5 prim: OCTET STRING 600:d=4 hl=2 l= 29 cons: SEQUENCE 602:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier 607:d=5 hl=2 l= 22 prim: OCTET STRING 631:d=4 hl=4 l= 279 cons: SEQUENCE 635:d=5 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points 640:d=5 hl=4 l= 270 prim: OCTET STRING 914:d=4 hl=2 l= 16 cons: SEQUENCE 916:d=5 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.21.1 927:d=5 hl=2 l= 3 prim: OCTET STRING 932:d=1 hl=2 l= 13 cons: SEQUENCE 934:d=2 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption 945:d=2 hl=2 l= 0 prim: NULL 947:d=1 hl=4 l= 257 prim: BIT STRING % % pwd /home/dmadmin/ldap_certdb % % ls -altr total 12 drwx------ 28 dmadmin dmadmin 4096 Sep 1 13:41 ../ -rw-r--r-- 1 dmadmin dmadmin 1692 Sep 1 14:56 adrootca.pem drwxr-xr-x 2 dmadmin dmadmin 4096 Sep 1 14:56 ./ % ################################################################ # this is to show that we can connect to MS AD over SSL using # -CAfile option ################################################################ % openssl s_client -CAfile /home/dmadmin/ldap_certdb/adrootca.pem -connect ldap112.adldap112.dctmlabs.com:636 CONNECTED(00000003) depth=1 /DC=com/DC=dctmlabs/DC=adldap112/CN=adrootca verify return:1 depth=0 /CN=Ldap112.adldap112.dctmlabs.com verify return:1 --- 
Certificate chain 0 s:/CN=Ldap112.adldap112.dctmlabs.com i:/DC=com/DC=dctmlabs/DC=adldap112/CN=adrootca --- Server certificate -----BEGIN CERTIFICATE----- MIIGDjCCBPagAwIBAgIKYQK0zwAAAAAAAjANBgkqhkiG9w0BAQUFADBdMRMwEQYK CZImiZPyLGQBGRYDY29tMRgwFgYKCZImiZPyLGQBGRYIZGN0bWxhYnMxGTAXBgoJ kiaJk/IsZAEZFglhZGxkYXAxMTIxETAPBgNVBAMTCGFkcm9vdGNhMB4XDTEwMDkx NTAwMDYxM1oXDTExMDkxNTAwMDYxM1owKTEnMCUGA1UEAxMeTGRhcDExMi5hZGxk YXAxMTIuZGN0bWxhYnMuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDP Cegjeu/QvyTVawtFHKG28fLIKCBIK3dDWvhu+FqWRfR3L501iveTvfwT4AlR81QN PImgg3btl5Z0LmN5Z/sccsQAPNEcgDNNP3Zv5G6AXx4Gpo7xhtr8YnYDoPGAzBGm vXlb1TEA8fdrNwqY6Mf5PxwKKDc80Y3EFQaefUhnpwIDAQABo4IDhjCCA4IwCwYD VR0PBAQDAgWgMEQGCSqGSIb3DQEJDwQ3MDUwDgYIKoZIhvcNAwICAgCAMA4GCCqG SIb3DQMEAgIAgDAHBgUrDgMCBzAKBggqhkiG9w0DBzAdBgNVHQ4EFgQUR2vcMrg6 VIc9GWdVhcJQ6RMK6z8wLwYJKwYBBAGCNxQCBCIeIABEAG8AbQBhAGkAbgBDAG8A bgB0AHIAbwBsAGwAZQByMB8GA1UdIwQYMBaAFAjwh8G60+A+gE5OmKRW48UVixJT MIIBFwYDVR0fBIIBDjCCAQowggEGoIIBAqCB/4aBvWxkYXA6Ly8vQ049YWRyb290 Y2EsQ049TGRhcDExMixDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMs Q049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1hZGxkYXAxMTIsREM9ZGN0 bWxhYnMsREM9Y29tP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmpl Y3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludIY9aHR0cDovL2xkYXAxMTIuYWRs ZGFwMTEyLmRjdG1sYWJzLmNvbS9DZXJ0RW5yb2xsL2Fkcm9vdGNhLmNybDCCATQG CCsGAQUFBwEBBIIBJjCCASIwgbUGCCsGAQUFBzAChoGobGRhcDovLy9DTj1hZHJv b3RjYSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2Vydmlj ZXMsQ049Q29uZmlndXJhdGlvbixEQz1hZGxkYXAxMTIsREM9ZGN0bWxhYnMsREM9 Y29tP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9u QXV0aG9yaXR5MGgGCCsGAQUFBzAChlxodHRwOi8vbGRhcDExMi5hZGxkYXAxMTIu ZGN0bWxhYnMuY29tL0NlcnRFbnJvbGwvTGRhcDExMi5hZGxkYXAxMTIuZGN0bWxh YnMuY29tX2Fkcm9vdGNhLmNydDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUH AwEwSgYDVR0RBEMwQaAfBgkrBgEEAYI3GQGgEgQQIKbIE/h5Z0O8me1tD3x+PYIe TGRhcDExMi5hZGxkYXAxMTIuZGN0bWxhYnMuY29tMA0GCSqGSIb3DQEBBQUAA4IB AQA5oCkrV1fXoH+4yuWnifXnsOKVx8hKKBmzG6CJN4xld06HoyYgYvN9xLtJ1k44 
3QSddouNNmvh3ciC2nwjpBQMG3L1kWhyFvgNqmF3nYxZT7HVM8/6ZramuPEd+rP/ YiQdK9udHbshQ1H6Q0I4LvXOJ4RutWALmDP0SZVJNhZrMRx01beTC1lvL7ZeTxlj VqEl1eGKUbdvYSO2AdRFrDa8wbPxvyLQimoEzpkOQ8K4oQmw4RPOESExZFlZMcrA eTahGzk0nV4q6faqqHF+0zkNUGR3F2QUmP6sngRT24cA4JMGNd9ElpvP6R/dPP/X X30TPzHjRFWW7H6QlMzHCaGw -----END CERTIFICATE----- subject=/CN=Ldap112.adldap112.dctmlabs.com issuer=/DC=com/DC=dctmlabs/DC=adldap112/CN=adrootca --- Acceptable client certificate CA names /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network /C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Freemail CA/emailAddress=personal-freemail@thawte.com /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Premium CA/emailAddress=personal-premium@thawte.com /C=US/O=First Data Digital Certificates Inc./CN=First Data Digital Certificates Inc. Certification Authority /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Basic CA/emailAddress=personal-basic@thawte.com /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. 
- For authorized use only/OU=VeriSign Trust Network /C=HU/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Uzleti (Class B) Tanusitvanykiado /C=US/O=GTE Corporation/CN=GTE CyberTrust Root /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority /C=HU/ST=Hungary/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Root /C=HU/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Expressz (Class C) Tanusitvanykiado /OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority /DC=com/DC=dctmlabs/DC=adldap112/CN=adrootca /DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority --- SSL handshake has read 4876 bytes and written 336 bytes --- New, TLSv1/SSLv3, Cipher is RC4-MD5 Server public key is 1024 bit SSL-Session: Protocol : TLSv1 Cipher : RC4-MD5 Session-ID: 241B0000644FB22AA0610F736E0E6F004526943A9F0935F16BDBC9FBB1F07113 Session-ID-ctx: Master-Key: 8179FE65F974D286ED8550213CD8F2ED382CC62BBC03C1C50173E78CC6A6C322273882477FAE62546BC3145978C1F4DD Key-Arg : None Krb5 Principal: None Start Time: 1314914412 Timeout : 300 (sec) Verify return code: 0 (ok) --- read:errno=0 % % pwd /home/dmadmin/ldap_certdb % % ls -altr total 12 drwx------ 28 dmadmin dmadmin 4096 Sep 1 13:41 ../ -rw-r--r-- 1 dmadmin dmadmin 1692 Sep 1 14:56 adrootca.pem drwxr-xr-x 2 dmadmin dmadmin 4096 Sep 1 14:56 ./ % ################################################################ # however, using –CApath option to connect to MS AD over SSL would # 
result in failure ################################################################ % openssl s_client -CApath /home/dmadmin/ldap_certdb -connect ldap112.adldap112.dctmlabs.com:636 CONNECTED(00000003) depth=0 /CN=Ldap112.adldap112.dctmlabs.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /CN=Ldap112.adldap112.dctmlabs.com verify error:num=27:certificate not trusted verify return:1 depth=0 /CN=Ldap112.adldap112.dctmlabs.com verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/CN=Ldap112.adldap112.dctmlabs.com i:/DC=com/DC=dctmlabs/DC=adldap112/CN=adrootca --- Server certificate -----BEGIN CERTIFICATE----- MIIGDjCCBPagAwIBAgIKYQK0zwAAAAAAAjANBgkqhkiG9w0BAQUFADBdMRMwEQYK CZImiZPyLGQBGRYDY29tMRgwFgYKCZImiZPyLGQBGRYIZGN0bWxhYnMxGTAXBgoJ kiaJk/IsZAEZFglhZGxkYXAxMTIxETAPBgNVBAMTCGFkcm9vdGNhMB4XDTEwMDkx NTAwMDYxM1oXDTExMDkxNTAwMDYxM1owKTEnMCUGA1UEAxMeTGRhcDExMi5hZGxk YXAxMTIuZGN0bWxhYnMuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDP Cegjeu/QvyTVawtFHKG28fLIKCBIK3dDWvhu+FqWRfR3L501iveTvfwT4AlR81QN PImgg3btl5Z0LmN5Z/sccsQAPNEcgDNNP3Zv5G6AXx4Gpo7xhtr8YnYDoPGAzBGm vXlb1TEA8fdrNwqY6Mf5PxwKKDc80Y3EFQaefUhnpwIDAQABo4IDhjCCA4IwCwYD VR0PBAQDAgWgMEQGCSqGSIb3DQEJDwQ3MDUwDgYIKoZIhvcNAwICAgCAMA4GCCqG SIb3DQMEAgIAgDAHBgUrDgMCBzAKBggqhkiG9w0DBzAdBgNVHQ4EFgQUR2vcMrg6 VIc9GWdVhcJQ6RMK6z8wLwYJKwYBBAGCNxQCBCIeIABEAG8AbQBhAGkAbgBDAG8A bgB0AHIAbwBsAGwAZQByMB8GA1UdIwQYMBaAFAjwh8G60+A+gE5OmKRW48UVixJT MIIBFwYDVR0fBIIBDjCCAQowggEGoIIBAqCB/4aBvWxkYXA6Ly8vQ049YWRyb290 Y2EsQ049TGRhcDExMixDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMs Q049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1hZGxkYXAxMTIsREM9ZGN0 bWxhYnMsREM9Y29tP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmpl Y3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludIY9aHR0cDovL2xkYXAxMTIuYWRs ZGFwMTEyLmRjdG1sYWJzLmNvbS9DZXJ0RW5yb2xsL2Fkcm9vdGNhLmNybDCCATQG CCsGAQUFBwEBBIIBJjCCASIwgbUGCCsGAQUFBzAChoGobGRhcDovLy9DTj1hZHJv b3RjYSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2Vydmlj 
ZXMsQ049Q29uZmlndXJhdGlvbixEQz1hZGxkYXAxMTIsREM9ZGN0bWxhYnMsREM9 Y29tP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9u QXV0aG9yaXR5MGgGCCsGAQUFBzAChlxodHRwOi8vbGRhcDExMi5hZGxkYXAxMTIu ZGN0bWxhYnMuY29tL0NlcnRFbnJvbGwvTGRhcDExMi5hZGxkYXAxMTIuZGN0bWxh YnMuY29tX2Fkcm9vdGNhLmNydDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUH AwEwSgYDVR0RBEMwQaAfBgkrBgEEAYI3GQGgEgQQIKbIE/h5Z0O8me1tD3x+PYIe TGRhcDExMi5hZGxkYXAxMTIuZGN0bWxhYnMuY29tMA0GCSqGSIb3DQEBBQUAA4IB AQA5oCkrV1fXoH+4yuWnifXnsOKVx8hKKBmzG6CJN4xld06HoyYgYvN9xLtJ1k44 3QSddouNNmvh3ciC2nwjpBQMG3L1kWhyFvgNqmF3nYxZT7HVM8/6ZramuPEd+rP/ YiQdK9udHbshQ1H6Q0I4LvXOJ4RutWALmDP0SZVJNhZrMRx01beTC1lvL7ZeTxlj VqEl1eGKUbdvYSO2AdRFrDa8wbPxvyLQimoEzpkOQ8K4oQmw4RPOESExZFlZMcrA eTahGzk0nV4q6faqqHF+0zkNUGR3F2QUmP6sngRT24cA4JMGNd9ElpvP6R/dPP/X X30TPzHjRFWW7H6QlMzHCaGw -----END CERTIFICATE----- subject=/CN=Ldap112.adldap112.dctmlabs.com issuer=/DC=com/DC=dctmlabs/DC=adldap112/CN=adrootca --- Acceptable client certificate CA names /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network /C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Freemail CA/emailAddress=personal-freemail@thawte.com /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Premium CA/emailAddress=personal-premium@thawte.com /C=US/O=First Data Digital Certificates Inc./CN=First Data Digital Certificates Inc. 
Certification Authority /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Basic CA/emailAddress=personal-basic@thawte.com /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network /C=HU/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Uzleti (Class B) Tanusitvanykiado /C=US/O=GTE Corporation/CN=GTE CyberTrust Root /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority /C=HU/ST=Hungary/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. 
- For authorized use only/OU=VeriSign Trust Network /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Root /C=HU/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Expressz (Class C) Tanusitvanykiado /OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority /DC=com/DC=dctmlabs/DC=adldap112/CN=adrootca /DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority --- SSL handshake has read 4876 bytes and written 336 bytes --- New, TLSv1/SSLv3, Cipher is RC4-MD5 Server public key is 1024 bit SSL-Session: Protocol : TLSv1 Cipher : RC4-MD5 Session-ID: BF23000064323B11B2099A50A14680DE060F074784C443841FB5403C7C3D98EA Session-ID-ctx: Master-Key: D81EF5A0B204DB8E5DDAED7EF38170920787D13B45245EF7C4CD199A61F44745F72EF7EAFCD8DDFF241843253A64708B Key-Arg : None Krb5 Principal: None Start Time: 1314914477 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) --- read:errno=0 % % From: Rich Megginson [mailto:rich.megginson@gmail.com] On 08/31/2011 08:23 AM, daisy.wu@emc.com wrote: Thank you Rich. extract your CA certificates from /path/to/ldap_certdb to pem file(s) and use those files instead of using the cert/key db. Do you know if there are existing tools (perhaps already bundled with OpenSSL) that I can run to extract the CA certs to .pem files from /path/to/ldap_certdb? certutil -d /path/to/ldap_certdb -L # list the certs Thanks in advance. Daisy From: Rich Megginson [mailto:rich.megginson@gmail.com] On 08/30/2011 11:26 PM, daisy.wu@emc.com wrote: Thank you so much, Rich, for your reply. 
In this call char *cert_path="/path/to/ldap_certdb"; rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CACERTDIR, &cert_path); printf("rc=ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, %s)=%d, error=%s\n", cert_path, rc, ldap_err2string(rc)); [Note: per ldap_set_option(3), LDAP_OPT_X_TLS_CACERTDIR takes the path string itself (invalue is a const char *), not its address. `&cert_path` hands the library the bytes of the pointer variable as the "path"; it copies that string without complaint (hence rc=0), but no such directory exists. Use `ldap_set_option( ld, LDAP_OPT_X_TLS_CACERTDIR, cert_path)`. Separately, as Rich points out below, this directory holds an NSS cert/key database, which an OpenSSL-based client cannot read at all.] /path/to/ldap_certdb is actually a directory, the files under it are like this: % ls -altr /path/to/ldap_certdb total 56 -rw-r--r-- 1 dmadmin dmadmin 16384 Sep 14 2010 secmod.db -rw-r--r-- 1 dmadmin dmadmin 16384 Sep 14 2010 key3.db -rw-r--r-- 1 dmadmin dmadmin 16384 Sep 14 2010 cert7.db drwx------ 27 dmadmin dmadmin 4096 Aug 30 22:14 ../ drwxr-xr-x 2 dmadmin dmadmin 4096 Aug 30 22:14 ./ % My simple test program (for testing LDAP SSL connection to AD server) using Mozilla LDAP C-SDK looks something like this (this test program works, connecting to AD over SSL works fine): Right. The reason it works fine is because mozldap uses moznss for crypto - you are using a build of openldap that uses openssl for crypto. You will need to either rebuild openldap to use moznss for crypto, or extract your CA certificates from /path/to/ldap_certdb to pem file(s) and use those files instead of using the cert/key db. if (ldapssl_client_init("/path/to/ldap_certdb", NULL ) < 0) { perror("ldapssl_client_init"); return 1; } ld = ldapssl_init( host, port, 1); if ( ld == NULL ) { perror("ldapssl_init"); return 1; } if ((rc = ldap_simple_bind_s( ld, bind_dn, bind_password)) != LDAP_SUCCESS) { ldap_perror(ld, "ldap_simple_bind_s"); return 1; } However, the following equivalent code using OpenLDAP (built with RSA Share Adaptor and RSA MES) does not work. 
It failed with error "ldap_sasl_bind_s: Can't contact LDAP server (-1) error:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed" ldap_initialize( &ld, uri ); if ( ld == NULL ) { tester_perror( "ldap_initialize", NULL ); exit( EXIT_FAILURE ); } rc = ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version ); printf("rc=ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, %d)=%d, error=%s\n", version, rc, ldap_err2string(rc)); rc = ldap_set_option( ld, LDAP_OPT_REFERRALS, chaserefs ? LDAP_OPT_ON : LDAP_OPT_OFF ); printf("rc=ldap_set_option(ld, LDAP_OPT_REFERRALS, %d)=%d, error=%s\n", chaserefs, rc, ldap_err2string(rc)); int debug_flag1 = -1; // LDAP_DEBUG_ANY ; rc = ldap_set_option( ld, LDAP_OPT_DEBUG_LEVEL, &debug_flag1); printf("rc=ldap_set_option(ld, LDAP_OPT_DEBUG_LEVEL, %d)=%d, error=%s\n", debug_flag1, rc, ldap_err2string(rc)); char *cert_path="/path/to/ldap_certdb"; // this is directory rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CACERTDIR, &cert_path); printf("rc=ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, %s)=%d, error=%s\n", cert_path, rc, ldap_err2string(rc)); int reqcert = LDAP_OPT_X_TLS_ALLOW; rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert); printf("rc=ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, %d)=%d, error=%s\n", reqcert, rc, ldap_err2string(rc)); rc = ldap_sasl_bind_s( ld, manager, LDAP_SASL_SIMPLE, passwd, NULL, NULL, NULL ); if ( rc != LDAP_SUCCESS ) { tester_ldap_error( ld, "ldap_sasl_bind_s", NULL ); switch ( rc ) { case LDAP_BUSY: case LDAP_UNAVAILABLE: /* fallthru */ default: break; } exit( EXIT_FAILURE ); } [Note on the TLS options above: (1) LDAP_OPT_X_TLS_CACERTDIR takes the path string itself, so pass `cert_path`, not `&cert_path`; the library accepts the address-of-pointer without error (rc=0) but the resulting "directory" name is garbage. (2) LDAP_OPT_X_TLS_REQUIRE_CERT is set on the global handle (NULL) after `ld` has already been created; as far as I can tell the per-handle TLS settings are copied from the global defaults when the handle is created, so this call does not reach `ld` (the printf that says "ld" is misleading), and the bind still failing with "certificate verify failed" is consistent with the option never taking effect. (3) More importantly, LDAP_OPT_X_TLS_ALLOW tells the client to proceed even when the server certificate cannot be verified. That removes the protection TLS is supposed to give against a spoofed AD server and would send the simple-bind password to whoever answers on port 636; keep it for debugging only and leave the default LDAP_OPT_X_TLS_DEMAND once the CA store is fixed. (4) ldap_initialize() returns an LDAP result code; checking it (and printing it with ldap_err2string) gives a better diagnostic than the NULL test alone.] From: Rich Megginson [mailto:rich.megginson@gmail.com] On 08/30/2011 07:09 PM, daisy.wu@emc.com wrote: I am trying to write a simple client test program using OpenLDAP client API to connect to Microsoft Active Directory Server over SSL. Below is code snippet. The program failed to connect. 
It failed because of this error: ldap_sasl_bind_s: Can't contact LDAP server (-1) error:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed I know there's no problem with LDAP certificate store /path/to/ldap_certdb because a simple LDAP client test program written in Mozilla LDAP C-SDK worked fine connecting to this same AD server, over SSL. I need to know if I am using the correct OpenLDAP client API calls. Yes, but it looks like you are using OpenLDAP built with openssl, not Mozilla NSS. If your OpenLDAP is provided by some vendor, and you cannot change/rebuild with moznss support, you'll have to export the CA certificate(s) from the /path/to/ldap_certdb and pass them to OpenLDAP with either a single file and LDAP_OPT_X_TLS_CACERTFILE or an openssl style ca cert dir with LDAP_OPT_X_TLS_CACERTDIR. (An "openssl style" directory is one indexed by subject-name hash: each CA certificate is a PEM file, or a symlink to one, named <hash>.0 as generated by c_rehash. OpenSSL will not pick up an arbitrarily named .pem file dropped into the directory, nor the NSS cert7.db/key3.db files that are there now.) Any input would be much appreciated. Thanks. Source Code: ldap_initialize( &ld, uri ); if ( ld == NULL ) { tester_perror( "ldap_initialize", NULL ); exit( EXIT_FAILURE ); } rc = ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version ); printf("rc=ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, %d)=%d, error=%s\n", version, rc, ldap_err2string(rc)); rc = ldap_set_option( ld, LDAP_OPT_REFERRALS, chaserefs ? 
LDAP_OPT_ON : LDAP_OPT_OFF ); printf("rc=ldap_set_option(ld, LDAP_OPT_REFERRALS, %d)=%d, error=%s\n", chaserefs, rc, ldap_err2string(rc)); int debug_flag1 = -1; // LDAP_DEBUG_ANY ; rc = ldap_set_option( ld, LDAP_OPT_DEBUG_LEVEL, &debug_flag1); printf("rc=ldap_set_option(ld, LDAP_OPT_DEBUG_LEVEL, %d)=%d, error=%s\n", debug_flag1, rc, ldap_err2string(rc)); char *cert_path="/path/to/ldap_certdb"; rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CACERTDIR, &cert_path); printf("rc=ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, %s)=%d, error=%s\n", cert_path, rc, ldap_err2string(rc)); int reqcert = LDAP_OPT_X_TLS_ALLOW; rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert); printf("rc=ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, %d)=%d, error=%s\n", reqcert, rc, ldap_err2string(rc)); rc = ldap_sasl_bind_s( ld, manager, LDAP_SASL_SIMPLE, passwd, NULL, NULL, NULL ); if ( rc != LDAP_SUCCESS ) { tester_ldap_error( ld, "ldap_sasl_bind_s", NULL ); switch ( rc ) { case LDAP_BUSY: case LDAP_UNAVAILABLE: /* fallthru */ default: break; } exit( EXIT_FAILURE ); } Here’s program output: rc=ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, 3)=0, error=Success rc=ldap_set_option(ld, LDAP_OPT_REFERRALS, 0)=0, error=Success rc=ldap_set_option(ld, LDAP_OPT_DEBUG_LEVEL, -1)=0, error=Success rc=ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, /path/to/ldap_certdb)=0, error=Success rc=ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, 3)=0, error=Success PID=4781 - Search(2): base="OU=people,OU=documentum,DC=adldap112,DC=dctmlabs,DC=com", filter="cn=aduser2*" attr="cn". slapd-search PID=4781: ldap_sasl_bind_s: Can't contact LDAP server (-1) error:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed From: Wu, Daisy Hi, OpenLDAP developers, Do you have any sample test programs (or code snippets) that uses OpenLDAP client API to connect to LDAP server over SSL? Thanks in advance. Daisy |