hi,
i hope this is the right list for my problem, if not sorry in advance.
i want to configure slapd to use tls. i have a certificate signed by globalsign and the following lines in my slapd.conf:
<snip>
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/postfix/certs/ldap.pem
TLSCertificateKeyFile /etc/postfix/certs/ldap.key
TLSCACertificateFile /etc/postfix/certs/globalsign-domainssl.pem
</snip>
but when issuing a ldapsearch on another machine i still get an error:
<snip>
# ldapsearch -bdc=xxx,dc=at -Dcn=admin,dc=xxx,dc=at -hldap.xxx.at -p389 -x -W -ZZ -d5 objectClass=*
...
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 19, subject: /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root, issuer: /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
</snip>
the same globalsign-certificates work well with my apache.
any hints?
regards, Michael Fischer
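
An added example, not part of the original post: a small Python parser for the `TLS certificate verification:` lines that `ldapsearch -d5` prints, reporting which chain depth failed and what the OpenSSL verify code means on the client that ran the check. The function names and the depth-0 sample line are constructed for illustration; the depth-2 line is the one from the trace above.

```python
import re

# Subset of OpenSSL X509_V_ERR_* codes, described from the verifying client's side.
VERIFY_ERRORS = {
    0: "ok",
    10: "certificate has expired",
    18: "self-signed leaf certificate not in the client's trust store",
    19: "chain ends in a self-signed root not in the client's trust store",
    20: "issuer certificate not found locally",
    21: "only the leaf was sent and its issuer is unknown",
}

# DNs contain commas ("Solutions, Inc."), so anchor on the literal
# ", issuer: " separator instead of splitting the line on commas.
LINE = re.compile(
    r"TLS certificate verification: depth: (?P<depth>\d+), err: (?P<err>\d+), "
    r"subject: (?P<subject>.*), issuer: (?P<issuer>.*)$"
)

def parse_verification(trace):
    """Return one dict per per-certificate verification line in the trace."""
    results = []
    for line in trace.splitlines():
        m = LINE.search(line.strip())
        if not m:
            continue  # skips the "Error, ..." summary and SSL_connect lines
        err = int(m["err"])
        results.append({
            "depth": int(m["depth"]),
            "err": err,
            "meaning": VERIFY_ERRORS.get(err, "see openssl verify(1)"),
            "subject": m["subject"],
            "self_signed": m["subject"] == m["issuer"],
        })
    return results

def failures(trace):
    # Only the certificates whose verification did not succeed.
    return [r for r in parse_verification(trace) if r["err"] != 0]

ROOT_DN = ("/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc."
           "/CN=GTE CyberTrust Global Root")
SAMPLE = "\n".join([
    # Constructed line (hypothetical names) showing a passing certificate.
    "TLS certificate verification: depth: 0, err: 0, subject: /CN=ldap.example.test, issuer: /CN=Example CA",
    # Line from the post's trace.
    f"TLS certificate verification: depth: 2, err: 19, subject: {ROOT_DN}, issuer: {ROOT_DN}",
    "TLS certificate verification: Error, self signed certificate in certificate chain",
])
```
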