On Wed, 21 Nov 2007, Keagle, Chuck wrote:
> I have yet to even change the error messages when trying:
>
> # ldapsearch -x -Z -H ldap://testsvr.blv.boeing.com -b "" -s base 'objectclass=*' '+' '*'
> ldap_start_tls: Connect error (-11)
>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Looks to me like slapd is sending its cert, but either 1) it doesn't match the hostname in the URI (testsvr.blv.boeing.com), or 2) none of the CAs 'above' it are in the set of CAs trusted to ldapsearch.
So, what's the output of
    openssl x509 -text -noout -in /path/to/servers/cert/here.pem
? Does it show testsvr.blv.boeing.com either as a DNS X509v3 Subject Alternative Name or as the value of a CN attribute in the cert's subject? If not, there's (part of) your problem, as your cert MUST match the name in the URI used to locate the server. If that wasn't true, TLS/SSL would be easily attackable and therefore pointless.
...
> #TLSCertificateFile /etc/ssl/servercerts/servercert.pem
> TLSCACertificatePath /etc/ssl/certs/
> TLSCACertificateFile /etc/ssl/certs/ldapServer.pem
> #TLSCertificateKeyFile /etc/ssl/servercerts/serverkey.pem
Wait, so you're running the server without certificate or key files? How do you think that can possibly work?
...
> #####
> # Database Configuration Parameters
> #####
> #TLSCertificateFile /etc/openldap/servercert.pem
> #TLSCertificateKeyFile /etc/openldap/serverkey.pem
Another pair of these? What are they doing in the database config part of your slapd.conf? Don't you keep the directives grouped by function?
...
> Here is /etc/openldap/ldap.conf
...
> TLS_REQCERT allow #CBK Added for self-signed certificate
Well, this means that item #2 above (checking of CAs) can't be the issue, because the 'allow' setting bypasses that check.
(...rendering the TLS negotiation subject to an easy Man-in-the-Middle attack, of course...)
> HOST testsvr.blv.boeing.com
Don't set this. The HOST and PORT settings should never be used. Indeed, this conflicts with the URI setting you also put in the file!
> TLS_CACERT /etc/ssl/certs/ldapServer.pem
If that file is the server's self-signed cert, then you should not need the TLS_REQCERT option.
Philip Guenther
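An added example (not part of this thread) of the check Philip describes: pull the SAN DNS names and subject CN out of `openssl x509 -text -noout` output and test them against the host in the ldapsearch URI, the way a verifying client does. The certificate text and the example.com host names below are constructed; a real check reads your own server's cert dump.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt of `openssl x509 -text -noout` output (not a real cert).
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Issuer: C=US, O=Example Corp, CN=Example Internal CA
        Subject: C=US, O=Example Corp, CN=testsvr.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:testsvr.example.com, DNS:*.blv.example.com, IP Address:192.0.2.10
"""

def cert_names(text):
    """Return (SAN DNS names, subject CN) parsed from openssl's text dump."""
    san = []
    m = re.search(r"Subject Alternative Name:(?: critical)?\s*(.+)", text)
    if m:
        san = [e.split(":", 1)[1].strip()
               for e in m.group(1).split(",") if e.strip().startswith("DNS:")]
    m = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,/\n]+)", text, re.M)
    cn = m.group(1).strip() if m else None
    return san, cn

def name_matches(pattern, host):
    """RFC 6125 style match: '*' may only stand in for the whole leftmost label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or (p[0] == "*" and len(p) < 3):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def uri_matches_cert(uri, cert_text):
    """SAN DNS names decide; the subject CN counts only when the cert carries
    no SAN DNS names at all, which is how modern verifiers behave."""
    host = urlsplit(uri).hostname
    if not host:
        return False
    san, cn = cert_names(cert_text)
    candidates = san if san else ([cn] if cn else [])
    return any(name_matches(c, host) for c in candidates)

if __name__ == "__main__":
    for uri in ("ldap://testsvr.example.com", "ldap://ldap.blv.example.com"):
        print(uri, "->", "ok" if uri_matches_cert(uri, SAMPLE_CERT_TEXT)
              else "certificate verify failed")
```

An IP literal in the URI (ldap://192.0.2.10) is not matched by DNS entries, so it needs an IP Address SAN, which this check deliberately ignores.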