The client *is* configured (ldap.conf):
....
TLS_CACERT /usr/local/etc/openldapcacert/cacert.pem
TLS_REQCERT never
...

The server is configured (slapd.conf):
...
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2
TLSCACertificateFile /usr/local/etc/openldap/cacert/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/server.cert
TLSCertificateKeyFile /usr/local/etc/openldap/server.key
TLSVerifyClient never
.....

Attached is the output of the server, indicating that the CA is still "unknown". I've tried every combination of client/server configurations I can think of, and still get the same thing. I'm not sure what I'm missing here.

Thanks,
Dennis

(See attached file: server.out)
Howard Chu <hyc@symas.com>
Sent by: owner-openldap-software@OpenLDAP.org
To: Dennis.Hoffman@seagate.com
cc: openldap-software@OpenLDAP.org
Subject: Re: TLS question
09/29/2006 08:24 PM
Dennis.Hoffman@seagate.com wrote:
Hello:
I am trying to get TLS working on openldap-2.3.20. When I initiate a search, the debug info at the server indicates "unknown_ca". According to RFC 2246, this means that the "CA certificate could not be located or couldn't be matched with a known, trusted CA". My question: isn't the slapd.conf "TLSCACertificateFile" directive what tells slapd which CA to trust? If so, why isn't it working?
See the Admin Guide http://www.openldap.org/doc/admin23/tls.html
You need to configure the client.
--
Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
Get a debug log on the client. Most likely you didn't set the ldap.conf file that the client is actually using.
Note that getting the debug log on the server is not all that useful here since it is *receiving* an "unknown CA" alert from the client; it is the client that's complaining, not the server.
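The client-side check Howard is pointing at, as an added example that is not part of the thread: it resolves which ldap.conf libldap will read (the system file unless LDAPCONF overrides it, per ldap.conf(5)), pulls out TLS_CACERT and TLS_REQCERT, and reports whether the CA file is actually readable and holds a PEM certificate. The "contains a PEM block" test is a heuristic, not a chain verification, and every file path in the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check the TLS client settings in the
# ldap.conf that libldap actually reads, which is where an unknown_ca alert
# originates. Assumes POSIX sh, awk and grep; all file paths in the demo at the
# bottom are constructed for illustration.

# libldap reads the system file first and $LDAPCONF (if set) overrides it.
# $1 is the system ldap.conf path (OpenLDAP prefix /usr/local/etc/openldap in the thread).
client_conf_path() {
    if [ -n "${LDAPCONF:-}" ]; then
        printf '%s\n' "$LDAPCONF"
    else
        printf '%s\n' "${1:-/usr/local/etc/openldap/ldap.conf}"
    fi
}

# Print the value of a directive: first match, case-insensitive, comments skipped.
# $1 = conf file, $2 = directive name
ldap_conf_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == key { print $2; exit }' "$1"
}

# Exit status: 0 CA file usable, 1 no TLS_CACERT, 2 file unreadable,
# 3 file holds no PEM certificate. With TLS_REQCERT never the client skips
# verification, so an unknown_ca alert cannot come from a client using this file.
check_client_tls() {
    conf=$1
    cacert=$(ldap_conf_get "$conf" TLS_CACERT)
    reqcert=$(ldap_conf_get "$conf" TLS_REQCERT)
    [ -n "$cacert" ] || { echo "$conf: no TLS_CACERT directive"; return 1; }
    [ -r "$cacert" ] || { echo "$conf: TLS_CACERT $cacert is not readable"; return 2; }
    grep -q 'BEGIN CERTIFICATE' "$cacert" \
        || { echo "$conf: $cacert contains no PEM certificate"; return 3; }
    echo "$conf: TLS_CACERT $cacert ok, TLS_REQCERT ${reqcert:-demand}"
}

# Demo on constructed files (not real certificates): a config whose CA path
# is correct and one whose path is wrong, the case that leaves the client with
# no trusted CA. Rerun ldapsearch with -d 1 after fixing the client side.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...constructed placeholder' \
    '-----END CERTIFICATE-----' > "$demo_dir/cacert.pem"
printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$demo_dir/cacert.pem" > "$demo_dir/good.conf"
printf 'TLS_CACERT %s/cacert/missing.pem\n' "$demo_dir" > "$demo_dir/bad.conf"
check_client_tls "$demo_dir/good.conf"
check_client_tls "$demo_dir/bad.conf" || true
```

Run it against the file `client_conf_path` prints, not the one you believe the client uses; the two differ exactly in the situation Howard describes.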
Hello list,

I am working on a distributed tree with OpenLDAP (2.2.23 on sarge). My DIT is fragmented in several pieces (up to 50...) that I want to replicate on the master tree. I tried to use the syncrepl directive, which looks great (first look). So, after a short while I was able to get a shadow copy of one fragment. Right after, I tried to replicate the second fragment and problems arrived... I can't put two syncrepl directives in the consumer's ldap! So, is there a solution? A way to get several pieces of a tree replicated with syncrepl? If not, another solution would be fair!

Cheers,
Sebastien