Am Donnerstag, 9. Juli 2009 schrieb Rick Stevens:
I know this has been hashed over before, but I simply cannot get my LDAP clients to talk TLS/SSL to my LDAP server. I keep getting
TLS certificate verification: Error, self signed certificate in certificate chain
errors. A standard "openssl s_client" test works fine, but a client such as ldapsearch simply refuses to cooperate. I have the "tls_cacertdir" set to point at a directory that has a copy of every certificate I've created and it still won't work.
The certificates were created based on the instructions at:
http://www.openldap.org/faq/data/cache/185.html
as specified in the admin manual. I'm the first to admin I'm not an SSL guy, but this has got me stumped! I'll be happy to provide whatever bits of the various config files you need.
So, you have created your certs with openssl. Are your ldap binaries linked against openssl or gnutls libraries?
ldd $(which ldapsearch) libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0xb7e34000)
This openldap installation is linked against gnutls!
If your openldap installation also uses gnutls, then you MUST reorder the certificates.
Openssl certs begins with the top-level cert (normaly the ca), gnutls certs ends with the ca-cert :-( .
Help me Obi-Wan Kenobi!
- Rick Stevens, Unix Geek rps2@socal.rr.com
- Treat each day as if it's your last...a lot of crying and
whining - - usually gets you what you want! -- Sam Sledge -