Philip Guenther wrote:
On Wed, 21 Nov 2007, Keagle, Chuck wrote:
I have yet to even change the error messages when trying:
# ldapsearch -x -Z -H ldap://testsvr.blv.boeing.com -b "" -s base 'objectclass=*' '+' '*'
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Looks to me like slapd is sending its cert, but either
- it doesn't match the hostname in the URI (testsvr.blv.boeing.com), or
- none of the CAs 'above' it are in the set of CAs trusted to ldapsearch.
So, what's the output of openssl x509 -text -noout -in /path/to/servers/cert/here.pem ?
I'd also recommend configuring LDAPS on a separate port (636) by starting with
slapd -H "ldap://... ldaps://..."
and then using the command openssl s_client with either the command-line option -CApath or -CAfile to check whether everything is in place at the SSL/TLS level. openssl s_client gives you a nice debug log right on the console. If everything's working then the startTLS ext. op. should also work.
Ciao, Michael.
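As an added illustration of the two causes Philip lists (not part of this thread, and not OpenLDAP's or Boeing's own setup): the script below builds a throwaway CA and a server certificate for a constructed hostname, then applies the same chain check (openssl verify -CAfile, which is what TLS_CACERT / s_client -CAfile come down to) and hostname check (openssl x509 -checkhost) that decide whether "certificate verify failed" is a trust problem or a name problem. It assumes only that the openssl command-line tool is installed; the CA names and testsvr.example.com are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway CA and server certificate
# are generated here so the two failure modes (hostname not in the cert,
# issuer CA not trusted) can be told apart offline with the same openssl
# checks that ldapsearch / s_client apply. Hostnames and CA names are
# constructed; the openssl command-line tool is assumed to be installed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Two self-signed CAs: one that signs the server cert, one that does not.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -subj "/CN=Constructed Test CA" >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.pem" \
  -subj "/CN=Constructed Unrelated CA" >/dev/null 2>&1

# Server certificate for testsvr.example.com (constructed name) with the
# name in subjectAltName, signed by the first CA only.
printf 'subjectAltName=DNS:testsvr.example.com\n' > "$WORK/ext.cnf"
openssl req -new -newkey rsa:2048 -nodes \
  -keyout "$WORK/srv.key" -out "$WORK/srv.csr" \
  -subj "/CN=testsvr.example.com" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/srv.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -extfile "$WORK/ext.cnf" -out "$WORK/srv.pem" >/dev/null 2>&1

# Chain check: is the cert issued by a CA in the given -CAfile bundle?
# usage: verify_chain CAFILE CERT
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Hostname check: does the cert carry the name used in the ldap:// URI?
# (openssl x509 -checkhost needs OpenSSL 1.0.2 or later.)
# usage: verify_host HOSTNAME CERT
verify_host() {
  openssl x509 -in "$2" -noout -checkhost "$1" | grep -q "does match"
}

# Classify a certificate more precisely than "certificate verify failed".
# usage: diagnose CAFILE HOSTNAME CERT  -> ok | hostname-mismatch |
#        untrusted-ca | untrusted-ca-and-hostname-mismatch
diagnose() {
  chain_ok=1; host_ok=1
  verify_chain "$1" "$3" || chain_ok=0
  verify_host "$2" "$3" || host_ok=0
  if [ "$chain_ok" = 1 ] && [ "$host_ok" = 1 ]; then
    echo ok
  elif [ "$chain_ok" = 1 ]; then
    echo hostname-mismatch
  elif [ "$host_ok" = 1 ]; then
    echo untrusted-ca
  else
    echo untrusted-ca-and-hostname-mismatch
  fi
}

# What the server is actually presenting (the issuer and names matter).
openssl x509 -text -noout -in "$WORK/srv.pem" | grep -E 'Issuer:|Subject:|DNS:'

echo "trusted CA, URI host matches:      $(diagnose "$WORK/ca.pem" testsvr.example.com "$WORK/srv.pem")"
echo "trusted CA, URI host differs:      $(diagnose "$WORK/ca.pem" other.example.com "$WORK/srv.pem")"
echo "unrelated CA, URI host matches:    $(diagnose "$WORK/other-ca.pem" testsvr.example.com "$WORK/srv.pem")"
```

Against a live server the same two checks are what openssl s_client -connect host:636 -CAfile ca.pem reports in its "Verify return code" line; running diagnose on the PEM that s_client -showcerts prints tells you which of the two bullets above you are looking at before touching the slapd configuration.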