
Re: open LDAP + TLS/SSL bind Failed.



On Friday, 16 September 2011 09:57:14 vijay s sheelavantar wrote:

> I have created the

(self-signed)

> TLS certificates using following command on the server.
> 
> openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650
> 
> and I have created the client.pem by copying CERTIFICATE portion of the
> server.pem.
> 
> When my client try to connect to the server I get following errors.
> 
> TLS trace: SSL3 alert read:fatal:unknown CA

This error is quite clear, surely you should know what the problem is?

[...]

> #TLS Certificate section
> TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
> TLSCACertificateFile /etc/openldap/cacerts/server.pem
> TLSCertificateFile /etc/openldap/cacerts/server.pem
> TLSCertificateKeyFile /etc/openldap/cacerts/server.pem
> TLSVerifyClient allow
> 
> and client side ldap.conf 
> 
> base dc=samsung,dc=com
> uri ldaps://10.254.204.181/
> TLS_CACERT /etc/openldap/cacerts/client.pem
> pam_password md5

1) You may want to consider keeping your /etc/ldap.conf and 
/etc/openldap/ldap.conf separate, otherwise you may run into problems (such as 
TLS_CACERT vs tls_cacertfile). Please consult 'man ldap.conf', 'man pam_ldap', 
and 'man nss_ldap'.

2) The client needs to have the CA certificate, since you are using a self-
signed certificate (and really, you should reconsider this if you are doing 
anything but a single-server single-client setup), that would be the 
certificate 'server.pem' (you didn't say what is in client.pem, but according 
to the error message, either (1) is your problem, or client.pem is not the 
self-signed certificate you generated above).

3) Once you get past the 'unknown CA' problem, most likely your next problem 
will be caused by using the IP address in uri.

Please, think about what your browser does when checking certificates 
presented by servers when you visit https URLs, everything that applies there 
applies here.

Regards,
Buchan
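The two failure modes Buchan describes (the "unknown CA" alert when the client has no trust anchor, and the name mismatch that follows once an IP address is used in the URI) can be reproduced offline with the openssl CLI. The script below is an added example, not code from either poster; it assumes `openssl` 1.0.2 or newer is on PATH, and the hostname `ldap.example.com` is a placeholder chosen for illustration. It generates a throw-away self-signed certificate the same way the original command did (subject CN only, no subjectAltName) and then runs the chain and name checks a client performs.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the checks an LDAP client
# performs on a self-signed server certificate. Assumes the openssl CLI
# (1.0.2 or newer) is on PATH. HOST is a placeholder hostname; IP is the
# address the original poster put in the ldaps:// URI.
set -u

WORK="${TMPDIR:-/tmp}/ldap-tls-demo.$$"
HOST="ldap.example.com"
IP="10.254.204.181"

# Generate a self-signed certificate as the poster did, but with the key in a
# separate file and a subject CN naming the server. No subjectAltName is set.
make_self_signed_cert() {
    mkdir -p "$WORK"
    openssl req -newkey rsa:2048 -x509 -nodes -days 30 \
        -subj "/CN=$HOST" \
        -keyout "$WORK/server.key" -out "$WORK/server.pem" >/dev/null 2>&1
}

# 1. Chain check with no trust anchor configured: this is the "unknown CA"
#    situation the client reported.
verify_without_ca() {
    openssl verify "$WORK/server.pem" >/dev/null 2>&1
}

# 2. Chain check with the self-signed certificate installed as the CA, which
#    is what the client's TLS_CACERT must point at.
verify_with_ca() {
    openssl verify -CAfile "$WORK/server.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# 3. Name check against the hostname: with no DNS subjectAltName present,
#    openssl falls back to the subject CN, so this passes.
verify_hostname() {
    openssl verify -CAfile "$WORK/server.pem" -verify_hostname "$HOST" \
        "$WORK/server.pem" >/dev/null 2>&1
}

# 4. Name check against a bare IP, as an ldaps://10.x.x.x/ URI implies.
#    There is no iPAddress subjectAltName, so this fails even though the
#    chain is trusted.
verify_ip() {
    openssl verify -CAfile "$WORK/server.pem" -verify_ip "$IP" \
        "$WORK/server.pem" >/dev/null 2>&1
}

cleanup() { rm -rf "$WORK"; }

# Run the four checks and print a one-line verdict for each.
run_demo() {
    make_self_signed_cert || { echo "could not create certificate"; return 1; }
    if verify_without_ca; then echo "no CA:      accepted"; else echo "no CA:      rejected (unknown CA)"; fi
    if verify_with_ca;    then echo "with CA:    accepted"; else echo "with CA:    rejected"; fi
    if verify_hostname;   then echo "hostname:   accepted"; else echo "hostname:   rejected"; fi
    if verify_ip;         then echo "IP address: accepted"; else echo "IP address: rejected (no IP in certificate)"; fi
    cleanup
}

run_demo
```

Step 4 is the browser analogy from the reply made concrete: the certificate is trusted, but the name the client asked for is not one the certificate vouches for. The fix on the client side is to use the hostname from the certificate in the `uri` (or issue a certificate whose subjectAltName includes the address actually used), not to weaken verification.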