hi,
I hope this is the right list for my problem, if not sorry in advance.
I want to configure slapd to use TLS. I have a certificate signed by GlobalSign and the following lines in my slapd.conf:
<snip>
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/postfix/certs/ldap.pem
TLSCertificateKeyFile /etc/postfix/certs/ldap.key
TLSCACertificateFile /etc/postfix/certs/globalsign-domainssl.pem
</snip>
but when issuing an ldapsearch on another machine I still get an error:
<snip>
# ldapsearch -bdc=xxx,dc=at -Dcn=admin,dc=xxx,dc=at -hldap.xxx.at -p389 -x -W -ZZ -d5 objectClass=*
...
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 19, subject: /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root, issuer: /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
	additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
</snip>
the same GlobalSign certificates work well with my Apache.
any hints?
lg, Michael Fischer
email: michi.fischer@gmx.net web: http://www.webfischer.at
Make sure your client has the CA certificate. Check your /etc/openldap/ldap.conf configuration.
Run "man ldap.conf" on an OpenLDAP system, check the TLS OPTIONS section and see if you have the settings required to name the certs. The error is on your client, not the server.
Sellers
On Sep 12, 2008, at 7:21 AM, Michael Fischer wrote:
> [quoted original message from Michael Fischer, see above]
++++++++++++++++++++++++++++++++++++++
Chris G. Sellers | Internet Engineer | NITLE
734.661.2318 | chris.sellers@nitle.org
Jabber: csellers@nitle.org | AIM: imthewherd
Michael Fischer <michi.fischer@gmx.net> writes:
> hi,
> i hope this is the right list for my problem, if not sorry in advance.
> i want to configure slapd to use tls. i have a certificate signed by globalsign and the following lines in my slapd.conf:
> [...]
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 2, err: 19, subject: /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root, issuer: /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
> TLS certificate verification: Error, self signed certificate in certificate chain
> TLS trace: SSL3 alert write:fatal:unknown CA
The ldap client has no knowledge of the CA, edit ldap.conf(5) or .ldaprc appropriately.
-Dieter
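Both replies so far point at the same root cause: the ldapsearch client has no trust anchor for the GlobalSign chain, so it rejects the self-signed root at depth 2 with "unknown CA" and aborts StartTLS. The following is an added example of my own, not code from anyone in this thread, that reads an OpenLDAP client ldap.conf and reports the TLS OPTIONS conditions from ldap.conf(5) that produce exactly that failure (no TLS_CACERT or TLS_CACERTDIR, or one pointing at a missing path), and also flags a TLS_REQCERT setting that would make the error disappear by turning verification off. The two sample configuration strings and the /etc/openldap/certs path are constructed for the demonstration.

```python
"""Check an OpenLDAP client ldap.conf for the settings needed to verify a server chain.

Added example, not from the openldap-software thread. Directive names and the
TLS_REQCERT levels follow ldap.conf(5); the sample configs below are constructed.
"""
import os

# Directives from the TLS OPTIONS section of ldap.conf(5) that supply trust anchors.
TRUST_DIRECTIVES = ("TLS_CACERT", "TLS_CACERTDIR")

# Constructed sample: the client state described in the thread, no CA configured.
SAMPLE_LDAP_CONF_MISSING_CA = """
# /etc/openldap/ldap.conf (constructed)
BASE    dc=example,dc=at
URI     ldap://ldap.example.at
"""

# Constructed sample: the fix, a CA bundle named and verification kept at 'demand'.
SAMPLE_LDAP_CONF_FIXED = """
BASE        dc=example,dc=at
URI         ldap://ldap.example.at
TLS_CACERT  /etc/openldap/certs/globalsign-domainssl.pem
TLS_REQCERT demand
"""

# Constructed sample: "works", but only because server verification was disabled.
SAMPLE_LDAP_CONF_NO_VERIFY = """
URI         ldap://ldap.example.at
TLS_CACERT  /etc/openldap/certs/globalsign-domainssl.pem
TLS_REQCERT never
"""


def parse_ldap_conf(text):
    """Return {DIRECTIVE: value} for every non-comment line; a later line overrides an earlier one.

    ldap.conf directives are case-insensitive, so keys are upper-cased."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def check_tls_trust(settings, path_exists=os.path.exists):
    """Return a list of findings explaining why chain verification would fail or be weakened.

    path_exists is injectable so the check can be exercised without real files."""
    findings = []
    present = [d for d in TRUST_DIRECTIVES if d in settings]
    if not present:
        findings.append("no TLS_CACERT or TLS_CACERTDIR: the client has no trust anchor, "
                        "so a CA-signed server cert fails with 'unknown CA'")
    for directive in present:
        if not path_exists(settings[directive]):
            findings.append(f"{directive} points to {settings[directive]}, which does not exist")
    # TLS_CACERTDIR is only usable when the directory holds hash-named links (openssl c_rehash).
    # ldap.conf(5) defaults TLS_REQCERT to 'demand'; 'never' and 'allow' accept a bad or absent chain.
    reqcert = settings.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert} disables or weakens server certificate "
                        "verification; use 'demand' (the default) once the CA is installed")
    return findings


def report(text, path_exists=os.path.exists):
    """Parse one ldap.conf and return (settings, findings) for a quick audit."""
    settings = parse_ldap_conf(text)
    return settings, check_tls_trust(settings, path_exists)


if __name__ == "__main__":
    # Pretend the constructed CA path exists so the demo is self-contained.
    fake_exists = lambda p: p == "/etc/openldap/certs/globalsign-domainssl.pem"
    for name, sample in (("missing CA", SAMPLE_LDAP_CONF_MISSING_CA),
                         ("fixed", SAMPLE_LDAP_CONF_FIXED),
                         ("verification off", SAMPLE_LDAP_CONF_NO_VERIFY)):
        _, findings = report(sample, fake_exists)
        print(f"{name}: {findings or 'OK'}")
```

Run it against the real file with `report(open("/etc/openldap/ldap.conf").read())`; the point of the `path_exists` parameter is that the same check can be dropped into a configuration-audit script and tested without a live directory server, and that a "fix" consisting of `TLS_REQCERT never` is reported rather than silently accepted.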
Please check your LDAP server. How was it started? Check the port number. Port must be 636. Your Apache might have the root-CA certificate which is validating your globalsign-domainssl.pem.
Maybe your client is failing to get the entire chain of certificates. Make sure that /etc/openldap/ldap.conf has the TLS_CACERTDIR clause where all the certificates are present. Use the certificate-rehash utility to hash the certificates in the cert directory.
I used to start my server using the command:
/usr/sbin/slapd -f /etc/openldap/slapd.conf -d 127 -h ldaps:/// &
And to search for the user I use:
ldapsearch -x -H ldaps://ldapserverFQDN:636 -b "dc=my-domain,dc=com" "(&(uid=testadmin1)(objectClass=inetOrgPerson))"
Thanks, Digambar Yashwant Sawant
On Fri, Sep 12, 2008 at 4:51 PM, Michael Fischer <michi.fischer@gmx.net> wrote:
> [quoted original message from Michael Fischer, see above]
TLS does not require port 636. Port 636 is the default port for SSL, not TLS. TLS can operate on the standard port 389 or any port you listen on. His problem appears to be related to the client, not the server. The client does not know where to find the CA to validate the cert. Dieter already answered the question.
Sellers
On Sep 16, 2008, at 8:35 AM, Digambar Sawant wrote:
> Please check your ldap server. How it was started? Check the port number. port must be 636.