4:21 a.m.
hi,
i hope this is the right list for my problem, if not sorry in advance.
i want to configure slapd to use tls. i have a certifikate signed by
globalsign and the following lines in my slapd.conf:
<snip>
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/postfix/certs/ldap.pem
TLSCertificateKeyFile /etc/postfix/certs/ldap.key
TLSCACertificateFile /etc/postfix/certs/globalsign-domainssl.pem
</snip>
but when issuing a ldapsearch on another machine i still get an error:
<snip>
# ldapsearch -bdc=xxx,dc=at -Dcn=admin,dc=xxx,dc=at -hldap.xxx.at -p389
-x -W -ZZ -d5 objectClass=*
...
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 19, subject: /C=US/O=GTE
Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global
Root, issuer: /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions,
Inc./CN=GTE CyberTrust Global Root
TLS certificate verification: Error, self signed certificate in
certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
</snip>
the same globalsign-certificates work well with my apache.
any hints?
lg, Michael Fischer
--
email: michi.fischer(a)gmx.net
web: http://www.webfischer.at
8:03 a.m.
Make sure your client has the CA certificate. Check your /etc/
openldap/ldap.conf configuration.
man ldap.conf on an openldap system and check the TLS OPTIONS section
and see if you have the settings required to name the certs. The
error is on your client, not the server.
Sellers
On Sep 12, 2008, at 7:21 AM, Michael Fischer wrote:
hi,
i hope this is the right list for my problem, if not sorry in advance.
i want to configure slapd to use tls. i have a certifikate signed by
globalsign and the following lines in my slapd.conf:
<snip>
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/postfix/certs/ldap.pem
TLSCertificateKeyFile /etc/postfix/certs/ldap.key
TLSCACertificateFile /etc/postfix/certs/globalsign-domainssl.pem
</snip>
but when issuing a ldapsearch on another machine i still get an error:
<snip>
# ldapsearch -bdc=xxx,dc=at -Dcn=admin,dc=xxx,dc=at -hldap.xxx.at -
p389
-x -W -ZZ -d5 objectClass=*
...
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 19, subject: /C=US/O=GTE
Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global
Root, issuer: /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions,
Inc./CN=GTE CyberTrust Global Root
TLS certificate verification: Error, self signed certificate in
certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
</snip>
the same globalsign-certificates work well with my apache.
any hints?
lg, Michael Fischer
--
email: michi.fischer(a)gmx.net
web: http://www.webfischer.at
++++++++++++++++++++++++++++++++++++++
Chris G. Sellers | Internet Engineer | NITLE
734.661.2318 | chris.sellers(a)nitle.org
Jabber: csellers(a)nitle.org | AIM: imthewherd
8:09 a.m.
Michael Fischer <michi.fischer(a)gmx.net> writes:
hi,
i hope this is the right list for my problem, if not sorry in advance.
i want to configure slapd to use tls. i have a certifikate signed by
globalsign and the following lines in my slapd.conf:
[...]
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 19, subject: /C=US/O=GTE
Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global
Root, issuer: /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions,
Inc./CN=GTE CyberTrust Global Root
TLS certificate verification: Error, self signed certificate in
certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
The ldap client has no knowledge of the CA, edit ldap.conf(5) or .ldaprc
appropriately.
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
5:35 a.m.
Please check your ldap server.
How it was started? Check the port number. port must be 636.
Your apache might have the root-CA certificate which is validating your
globalsign-domainssl.pem.
May be your client is failing to get the entire chain of certificates.
Make sure that /etc/openldap/ldap.conf has the TLS_CACERTDIR clause where
all the certificates are present.
Use certificate-rehash utility to hash the certificates in the
cert-directory.
I used to start my server using command
/usr/sbin/slapd -f /etc/openldap/slapd.conf -d 127 -h ldaps:/// &
And to search the user I use
ldapsearch -x -H ldaps://ldapserverFQDN:636 -b "dc=my-domain,dc=com"
"(&(uid=testadmin1)(objectClass=inetOrgPerson))"
Thanks,
Digambar Yashwant Sawant
On Fri, Sep 12, 2008 at 4:51 PM, Michael Fischer <michi.fischer(a)gmx.net>wrote:
hi,
i hope this is the right list for my problem, if not sorry in advance.
i want to configure slapd to use tls. i have a certifikate signed by
globalsign and the following lines in my slapd.conf:
<snip>
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/postfix/certs/ldap.pem
TLSCertificateKeyFile /etc/postfix/certs/ldap.key
TLSCACertificateFile /etc/postfix/certs/globalsign-domainssl.pem
</snip>
but when issuing a ldapsearch on another machine i still get an error:
<snip>
# ldapsearch -bdc=xxx,dc=at -Dcn=admin,dc=xxx,dc=at -hldap.xxx.at -p389
-x -W -ZZ -d5 objectClass=*
...
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 19, subject: /C=US/O=GTE
Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global
Root, issuer: /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions,
Inc./CN=GTE CyberTrust Global Root
TLS certificate verification: Error, self signed certificate in
certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
</snip>
the same globalsign-certificates work well with my apache.
any hints?
lg, Michael Fischer
--
email: michi.fischer(a)gmx.net
web: http://www.webfischer.at
1:03 p.m.
TLS does not require port 636. Port 636 is the default port for SSL,
not TLS. TLS can operate on the standard port 389 or any port you
listen on.
His problem appears to be related to the client, not the server. The
client does not know where to find the CA to validate the cert.
Dieter already answered the question.
Sellers
On Sep 16, 2008, at 8:35 AM, Digambar Sawant wrote:
Please check your ldap server.
How it was started? Check the port number. port must be 636.
email: michi.fischer(a)gmx.net
web: http://www.webfischer.at
++++++++++++++++++++++++++++++++++++++
Chris G. Sellers | Internet Engineer | NITLE
734.661.2318 | chris.sellers(a)nitle.org
Jabber: csellers(a)nitle.org | AIM: imthewherd
4829
days inactive
4833
days old
openldap-software@openldap.org
4 comments
4 participants
participants (4)
-
Chris G. Sellers -
Dieter Kluenter -
Digambar Sawant -
Michael Fischer