I've run into an interesting issue where if I set up a .ldaprc for the user running slapd with:
BASE ""
TLS_CACERT /opt/zimbra/conf/ca/ca.pem
slapd will fail to start with:
TLS: could not load client CA list (file:`/opt/zimbra/conf/ca/ca.pem',dir:`').
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:642
It is not an issue with being able to read the cert as:
cat /opt/zimbra/conf/ca/ca.pem
-----BEGIN TRUSTED CERTIFICATE-----
.....
-----END TRUSTED CERTIFICATE-----
works just fine. If I change it to TLSCACERTDIR and adjust to a path, then slapd starts just fine, but I can't negotiate STARTTLS for the same reason.
Using openssl to verify the slapd cert (which is signed by this CA) shows everything is correct, as well:
/usr/bin/openssl verify -CAfile /opt/zimbra/conf/ca/ca.pem -purpose sslclient /opt/zimbra/conf/slapd.crt
/opt/zimbra/conf/slapd.crt: OK
I'm not really sure why defining a CA cert for the client to use stops slapd from working, either. Seems rather odd to me.
Thoughts appreciated. ;)
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
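The detail that stands out in the post above is the PEM header: the CA file holds a "TRUSTED CERTIFICATE" block (the form `openssl x509 -trustout` writes, a certificate DER followed by OpenSSL's trust-settings aux structure), not a plain "CERTIFICATE" block. OpenSSL's `PEM_read_bio_X509` matches only the "CERTIFICATE" (and legacy "X509 CERTIFICATE") header and reports "no start line" on anything else, while `openssl verify -CAfile` loads trusted certificates too, which is consistent with the asymmetry the post describes. The script below is an added example, not code from the post or from OpenLDAP or Zimbra: it lists the PEM block labels in a CA file and rewrites TRUSTED CERTIFICATE blocks as plain CERTIFICATE blocks by keeping only the first complete DER SEQUENCE. The sample file it operates on is constructed in the code with a fake five-byte DER "certificate"; it is not a real X.509 certificate, and the assumption that the aux data simply follows the certificate DER inside the same base64 body is stated in the comments.

```python
"""List the PEM block labels in a CA file and rewrite OpenSSL
"TRUSTED CERTIFICATE" blocks as plain "CERTIFICATE" blocks.

Added example, not code from the original post.
Assumption: the base64 body of a TRUSTED CERTIFICATE block is the
certificate's DER SEQUENCE immediately followed by OpenSSL's trust
settings (X509_CERT_AUX) DER, so dropping everything after the first
complete SEQUENCE leaves the bare certificate.
"""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)


def pem_encode(label, der):
    """Wrap DER bytes in a PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, "\n".join(lines), label)


def pem_blocks(text):
    """Return [(label, der_bytes), ...] for every PEM block in text."""
    out = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        out.append((label, base64.b64decode("".join(body.split()))))
    return out


def der_tlv_len(buf):
    """Total length in bytes of the first complete DER TLV in buf."""
    if len(buf) < 2:
        raise ValueError("truncated DER")
    first = buf[1]
    if first < 0x80:                       # short-form length
        hdr, length = 2, first
    else:                                  # long-form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or len(buf) < 2 + n:
            raise ValueError("bad DER length encoding")
        hdr = 2 + n
        length = int.from_bytes(buf[2:hdr], "big")
    total = hdr + length
    if total > len(buf):
        raise ValueError("DER TLV runs past end of data")
    return total


def to_plain_certificate(label, der):
    """Strip the trust aux from a TRUSTED CERTIFICATE; pass others through."""
    if label == "TRUSTED CERTIFICATE":
        if not der or der[0] != 0x30:
            raise ValueError("certificate DER must start with a SEQUENCE")
        return "CERTIFICATE", der[:der_tlv_len(der)]
    return label, der


def rewrite_ca_file(text):
    """Return (rewritten PEM text, list of labels found in the input)."""
    labels, parts = [], []
    for label, der in pem_blocks(text):
        labels.append(label)
        parts.append(pem_encode(*to_plain_certificate(label, der)))
    return "".join(parts), labels


# Constructed sample input (NOT a real certificate): a DER SEQUENCE holding
# INTEGER 5 stands in for the certificate, an empty SEQUENCE for the aux.
FAKE_CERT_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
FAKE_TRUST_AUX = bytes([0x30, 0x00])
SAMPLE_CA_FILE = (
    pem_encode("TRUSTED CERTIFICATE", FAKE_CERT_DER + FAKE_TRUST_AUX)
    + pem_encode("CERTIFICATE", FAKE_CERT_DER)
)

if __name__ == "__main__":
    new_text, labels = rewrite_ca_file(SAMPLE_CA_FILE)
    print("labels in input:", labels)
    print(new_text)
```

Run against a real file, the labels list is the quick check: any "TRUSTED CERTIFICATE" entry in a file handed to a TLS_CACERT-style option is a candidate for this failure. On a real file the same conversion is done by `openssl x509 -in ca.pem -out ca-plain.pem`, which reads either form and writes a plain CERTIFICATE block unless `-trustout` is given.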