--On November 19, 2007 5:34:14 PM -0800 "Keagle, Chuck" chuck.keagle@boeing.com wrote:
System in SLES 9.3 running openldap 2.3.39
I tried to create the x509 hash and it still failed the same way.
Here are the entries in slapd.conf (all in global section):
TLSCertificateFile /etc/ssl/servercerts/servercert.pem
TLSCertificateKeyFile /etc/ssl/servercerts/serverkey.pem
TLSCACertificatePath /etc/ssl/certs/
TLSCACertificateFile /etc/openldap/ldapServer.crt
TLSCACertificateKeyFile /etc/openldap/ldapServer.key
Pick one, or the other, format. Do not use both. I suggest the TLSCACertificatePath method with a hash. It is the only thing that has worked consistently for me (appears to be an openssl issue).
It fails exactly the same way:
# ldapsearch -x -Z -H ldap://testsvr.blv.boeing.com -b "" -s base 'objectclass=*' '+' '*'
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ldap_result: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Did you ever set up ldap.conf/.ldaprc as I noted, with the pointers to the CA cert and hash, as I noted was required? Also, the pem file for the CA cert does not need to contain the key. Probably better for it not to, really.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
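An added example, not code from the thread: the CApath-with-hash setup Quanah recommends, as a POSIX shell script that installs a CA certificate under its OpenSSL subject hash, writes the matching client-side ldap.conf pointer, and runs the same chain check the client performs at start_tls. All paths and certificate names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes the openssl CLI is
# installed; directory and file names below are placeholders.
set -eu

# install_ca_hash CA_PEM CAPATH
# Copies CA_PEM into CAPATH and creates the <subject-hash>.N symlink that
# OpenSSL's CApath lookup needs. Both slapd's TLSCACertificatePath and the
# client's TLS_CACERTDIR use this lookup, so a directory that only holds the
# .pem file (no hash link) produces "certificate verify failed".
install_ca_hash() {
    ca_pem=$1; capath=$2
    mkdir -p "$capath"
    base=$(basename "$ca_pem")
    cp "$ca_pem" "$capath/$base"
    hash=$(openssl x509 -noout -hash -in "$ca_pem")
    n=0
    # Several CAs may share a hash; OpenSSL probes .0, .1, ... until one matches.
    while [ -e "$capath/$hash.$n" ]; do n=$((n + 1)); done
    ln -s "$base" "$capath/$hash.$n"
    echo "$hash.$n"
}

# verify_with_capath CAPATH CERT_PEM
# The check the TLS client applies to the server certificate; prints ok/fail.
verify_with_capath() {
    if openssl verify -CApath "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# write_client_conf CAPATH FILE
# Minimal ldap.conf/.ldaprc fragment pointing the client at the hashed
# directory; TLS_REQCERT demand makes a missing or untrusted CA a hard error
# instead of a silent downgrade.
write_client_conf() {
    printf 'TLS_CACERTDIR %s\nTLS_REQCERT demand\n' "$1" > "$2"
}

# Usage (placeholder paths):
#   install_ca_hash /etc/openldap/ldapServer.crt /etc/ssl/certs
#   write_client_conf /etc/ssl/certs /etc/openldap/ldap.conf
#   verify_with_capath /etc/ssl/certs /etc/ssl/servercerts/servercert.pem
```

Note that only the CA certificate goes into the directory; the CA private key stays out of it, as Quanah points out.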