Keagle, Chuck wrote:
I have yet to even change the error messages when trying:
# ldapsearch -x -Z -H ldap://testsvr.blv.boeing.com -b "" -s base 'objectclass=*' '+' '*'
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ldap_result: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Can anyone point out what I have missed here?
Probably about 2 years sysadmin experience. You ought to use something like RCS or CVS to manage your config files. (Yes, despite all the wonders of distributed revision control systems, there's still a place in the world for RCS.) You've clearly made so many changes you've totally confused yourself. You cannot possibly administer a system successfully, making such haphazard changes with no logging or rollback capability.
Here is /etc/openldap/slapd.conf
You cannot use TLS without the TLSCertificateFile and TLSCertificateKeyFile settings. You probably should not use both TLSCACertificatePath and TLSCACertificateFile. In general, you should not use TLSCACertificatePath; it can lead to strange out-of-resource problems at unpredictable times.
I think you need to re-read the documentation on how to use TLS.
#CBK Comment out TLSCertificateFile and TLSCertificatekeyFile here.
# Also, force encryption
#CBK end
#TLSCertificateFile /etc/ssl/servercerts/servercert.pem
TLSCACertificatePath /etc/ssl/certs/
TLSCACertificateFile /etc/ssl/certs/ldapServer.pem
#TLSCertificateKeyFile /etc/ssl/servercerts/serverkey.pem
TLSCiphersuite HIGH
security ssf=128

#CBK added for local use on SuSE 9.3
#TLSCACertificateFile /etc/openldap/cacert.pem
#TLSCACertificateKeyFile /etc/openldap/ldapServer.key

#######################################################################
# bdb database definitions
#######################################################################

#####
# Database Configuration Parameters
#####

#TLSCertificateFile /etc/openldap/servercert.pem
#TLSCertificateKeyFile /etc/openldap/serverkey.pem
database bdb
Here is /etc/openldap/ldap.conf
$ cat ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#CBK Uncommented and set BASE and URI for local environment
BASE dc=blv,dc=boeing, dc=com
URI ldaps://testsvr.blv.boeing.com

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_REQCERT allow
#CBK Added for self-signed certificate
HOST testsvr.blv.boeing.com

TLS_CACERT /etc/ssl/certs/ldapServer.pem
Here are the ldap log entries when loglevel = -1
As I've said time and time again, syslog is utterly useless for debugging. Read the docs and use *the debug flag* when chasing problems. That's what it's there for.
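The following is an added example, not part of the thread above and not OpenLDAP's own code: a small POSIX shell lint that encodes the three points the reply makes about the TLS stanza in slapd.conf (TLSCertificateFile and TLSCertificateKeyFile must both be set and uncommented; TLSCACertificatePath and TLSCACertificateFile should not both be set; TLSCACertificatePath alone is discouraged). It runs offline against two constructed stanzas, the one as posted and a corrected one; the certificate and key paths in the corrected stanza are assumptions, not paths from the thread.

```shell
#!/bin/sh
# Added example: lint the TLS stanza of a slapd.conf for the mistakes
# discussed in the thread. Not OpenLDAP code; paths below are assumptions.

# Print the effective value(s) of a slapd.conf directive, skipping comment
# lines. slapd.conf directive names are case-insensitive, so compare lowercased.
slapd_directive() {
    # $1 = config file, $2 = directive name
    awk -v d="$2" '
        $1 ~ /^#/ { next }
        tolower($1) == tolower(d) { print $2 }
    ' "$1"
}

# Returns 0 when the TLS stanza can actually serve TLS, 1 otherwise.
# Findings are printed to stdout.
check_slapd_tls_conf() {
    conf="$1"
    rc=0
    cert=$(slapd_directive "$conf" TLSCertificateFile)
    key=$(slapd_directive "$conf" TLSCertificateKeyFile)
    capath=$(slapd_directive "$conf" TLSCACertificatePath)
    cafile=$(slapd_directive "$conf" TLSCACertificateFile)

    # Point 1: no server certificate and key means no StartTLS and no ldaps://.
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "ERROR: TLSCertificateFile and TLSCertificateKeyFile must both be set (uncommented)"
        rc=1
    fi
    # Points 2 and 3: prefer a single TLSCACertificateFile.
    if [ -n "$capath" ] && [ -n "$cafile" ]; then
        echo "WARN: both TLSCACertificatePath and TLSCACertificateFile are set; drop TLSCACertificatePath"
    elif [ -n "$capath" ]; then
        echo "WARN: TLSCACertificatePath is discouraged; use TLSCACertificateFile instead"
    fi
    return $rc
}

# Constructed sample: the stanza as posted in the thread (server cert and key
# commented out, both CA directives present). Written to a temp file; prints its path.
write_broken_stanza() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#TLSCertificateFile /etc/ssl/servercerts/servercert.pem
TLSCACertificatePath /etc/ssl/certs/
TLSCACertificateFile /etc/ssl/certs/ldapServer.pem
#TLSCertificateKeyFile /etc/ssl/servercerts/serverkey.pem
TLSCiphersuite HIGH
security ssf=128
EOF
    echo "$f"
}

# Constructed sample: a corrected stanza. The cert/key paths are assumptions;
# they must point at the server's own certificate and private key.
write_fixed_stanza() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
TLSCACertificateFile /etc/ssl/certs/ldapServer.pem
TLSCertificateFile /etc/ssl/servercerts/servercert.pem
TLSCertificateKeyFile /etc/ssl/servercerts/serverkey.pem
TLSCiphersuite HIGH
security ssf=128
EOF
    echo "$f"
}

# Demonstration on both constructed stanzas. When the stanza passes this lint
# and TLS still fails, chase it with the debug flag rather than syslog, e.g.
# "slapd -d -1" on the server and "ldapsearch -d -1 ..." on the client.
for mk in write_broken_stanza write_fixed_stanza; do
    f=$($mk)
    echo "== $mk"
    check_slapd_tls_conf "$f" || echo "=> stanza is not usable for TLS"
    rm -f "$f"
done
```

The lint only looks at directive presence, which is exactly what the reply objects to; it does not validate that the certificate and key files exist or match, so a passing stanza still needs the debug run to confirm the handshake.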