Make sure your client has the CA certificate. Check your /etc/openldap/ldap.conf configuration.
Run man ldap.conf on an OpenLDAP system, check the TLS OPTIONS section and see whether you have the settings required to name the certs. The error is on your client, not the server.
Sellers
On Sep 12, 2008, at 7:21 AM, Michael Fischer wrote:
hi,
I hope this is the right list for my problem; if not, sorry in advance.
I want to configure slapd to use TLS. I have a certificate signed by GlobalSign and the following lines in my slapd.conf:
<snip>
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/postfix/certs/ldap.pem
TLSCertificateKeyFile /etc/postfix/certs/ldap.key
TLSCACertificateFile /etc/postfix/certs/globalsign-domainssl.pem
</snip>
But when issuing an ldapsearch on another machine I still get an error:
<snip>
# ldapsearch -bdc=xxx,dc=at -Dcn=admin,dc=xxx,dc=at -hldap.xxx.at -p389 -x -W -ZZ -d5 objectClass=*
...
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 19, subject: /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root, issuer: /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
</snip>
The same GlobalSign certificates work well with my Apache.
Any hints?
Best regards, Michael Fischer
email: michi.fischer@gmx.net web: http://www.webfischer.at
++++++++++++++++++++++++++++++++++++++
Chris G. Sellers | Internet Engineer | NITLE
734.661.2318 | chris.sellers@nitle.org
Jabber: csellers@nitle.org | AIM: imthewherd
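The chain failure in the trace above, reproduced offline as an added example that is not part of the original thread or of OpenLDAP: it builds a throwaway root/intermediate/server chain with the openssl command-line tool and runs openssl verify the way the client's TLS library does, once for each client-side trust configuration, then writes the ldap.conf lines that fix it. Hostnames, subjects and the /etc/openldap/certs path are made up; it assumes a POSIX shell and an openssl binary of 1.1.1 or later.

```sh
#!/bin/sh
# Added example (not from the original thread): rebuild Michael's failure with a
# throwaway root -> intermediate -> server chain and show which client-side
# trust setting makes it go away. Names, subjects and paths are made up.

WORK="${TMPDIR:-/tmp}/ldap-tls-demo.$$"

# new_key_csr NAME SUBJECT: fresh P-256 key and CSR in $WORK (EC keeps it fast).
new_key_csr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
}

# make_chain: like a public CA setup, the server operator gets the intermediate
# (cf. globalsign-domainssl.pem) but only the self-signed root is a trust anchor.
make_chain() {
    mkdir -p "$WORK" || return 1
    new_key_csr root  "/CN=Demo Root CA"         || return 1
    new_key_csr inter "/CN=Demo Intermediate CA" || return 1
    new_key_csr ldap  "/CN=ldap.example.test"    || return 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ldap.example.test\n' > "$WORK/leaf.ext"
    # root: self-signed; intermediate: signed by root; ldap: signed by intermediate
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 -sha256 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -days 1 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/ldap.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" -CAcreateserial \
        -days 1 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/ldap.pem" >/dev/null 2>&1 || return 1
    # What a server sends when it bundles the root as well. The trace above shows
    # the GTE CyberTrust root at depth 2, so Michael's server chain included it.
    cat "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/chain.pem"
}

# verify_as_client TRUSTED EXTRA: what the client's OpenSSL backend does with
# the server certificate. TRUSTED is the file TLS_CACERT names ("" = none set),
# EXTRA is what the server sent alongside ldap.pem. Returns openssl verify's
# exit status; the default CA directory is disabled so only TRUSTED counts.
verify_as_client() {
    if [ -n "$1" ]; then
        openssl verify -CAfile "$1" -no-CApath -untrusted "$2" "$WORK/ldap.pem" 2>&1
    else
        openssl verify -no-CAfile -no-CApath -untrusted "$2" "$WORK/ldap.pem" 2>&1
    fi
}

# report LABEL TRUSTED EXTRA: run one scenario and print the verdict.
report() {
    echo "$1"
    if verify_as_client "$2" "$3"; then
        echo "  -> server certificate accepted, StartTLS would succeed"
    else
        echo "  -> verify failed, ldapsearch -ZZ aborts exactly as in the trace"
    fi
}

demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found, skipping" >&2; return 0; }
    make_chain || { echo "could not build the demo chain" >&2; return 1; }
    report "1) client has nothing in TLS_CACERT; server sends leaf+intermediate+root:" "" "$WORK/chain.pem"
    report "2) client copied the server's TLSCACertificateFile (intermediate only):" "$WORK/inter.pem" "$WORK/inter.pem"
    report "3) client trusts the root CA:" "$WORK/root.pem" "$WORK/inter.pem"
    # The fix belongs on the client (see TLS OPTIONS in 'man ldap.conf'); path is made up.
    cat > "$WORK/ldap.conf" <<'EOF'
# /etc/openldap/ldap.conf on the ldapsearch machine
TLS_CACERT  /etc/openldap/certs/demo-root.pem
TLS_REQCERT demand
EOF
    echo "client config that fixes it:"; cat "$WORK/ldap.conf"
    rm -rf "$WORK"
}
demo
```

Run it with sh. Case 1 is what the trace shows: the server offered the whole chain including the self-signed root, and a client with nothing in TLS_CACERT rejects depth 2 with error 19 and sends the "unknown CA" alert. Case 2 shows why copying the server's TLSCACertificateFile to the client is not enough when that file holds only the intermediate: the chain still does not end at a trust anchor. Only case 3, the root CA named in TLS_CACERT, verifies. TLS_REQCERT demand is the default and is what makes -ZZ fail closed instead of silently skipping verification, so the right fix is to install the root, not to weaken that setting.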