Chuck Theobald wrote:
Built openldap 2.4.40 from source, trying to replicate the directory structure used by RHEL, but using openssl instead of nss. Various dir-placement options to configure got me to a standard RHEL (and typical Linux) structure.
I am now trying to start using the /etc/init.d/slapd script from a mostly-working (sans TLS) RHEL installation, but startup fails. Silently. This may be because slapd cannot read the private server key file, but should this not be read before changing the effective running user to ldap? I would like my slapd to be running as something other than user 0.
Anyway, I managed to prop up a server from the command line:
slapd -F ./slapd.d
but now cannot talk to it with TLS enabled:
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 3, err: 19, subject: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root, issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain).
ldap_err2string
ldap_start_tls: Connect error (-11)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)
Enter LDAP Password:
The server cert and ca certs I am using are not self-signed, at least by me, and were obtained through Internet2 via our University's central IS department. The same certs are working fine with the web server on my machine. I think the key clue is the "unknown CA" in the messages above.
But, how to solve?
You need to configure your LDAP client to trust that particular CA.
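As an added illustration (not part of the thread, and not the OpenLDAP project's own code), the script below reproduces the verify error 19 from the trace with a throwaway CA and server certificate generated on the fly, then clears it by handing the verifier the root to trust, which is what the TLS_CACERT directive in ldap.conf does for libldap-based clients such as ldapsearch. Error 19 means the server did send the self-signed AddTrust root in its chain, but nothing on the client side has been told to trust it; the file named by TLS_CACERT must therefore contain that root (plus any intermediates the server does not send). The CA names, the /etc/openldap/certs/ca-bundle.pem path and the openssl command lines are assumptions for the demonstration, not paths from the poster's system.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce verify error 19 ("self signed
# certificate in certificate chain") with a throwaway test PKI, then show it
# cleared by trusting the root the server's chain ends in, which is what
# TLS_CACERT in ldap.conf does for libldap clients.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: one self-signed root and one server leaf. The names
# are placeholders, not the Internet2/AddTrust chain from the thread.
make_test_pki() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap.example.test
EOF
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions ca_ext \
      -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test Root CA" \
      -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
      -subj "/CN=ldap.example.test" \
      -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -set_serial 1001 -days 1 -extfile "$WORK/openssl.cnf" -extensions leaf_ext \
      -out "$WORK/server.pem" 2>/dev/null
  # What the server hands the client in the handshake: leaf plus the root.
  # This is the thread's situation: the root arrives in the chain, but the
  # client has not been configured to trust it.
  cat "$WORK/server.pem" "$WORK/ca.pem" > "$WORK/chain.pem"
}

# The same path-building check libldap performs (minus hostname matching):
# $1 leaf, $2 chain presented by the server (untrusted), $3 CA file to trust
# or "" for none. Exit status is that of openssl verify (0 = trusted).
verify_as_client() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$3" -untrusted "$2" "$1" 2>&1
  else
    openssl verify -untrusted "$2" "$1" 2>&1
  fi
}

# The ldap.conf lines that make libldap trust the root: TLS_CACERT names the
# PEM file holding it (intermediates may be appended to the same file), and
# TLS_REQCERT demand keeps verification mandatory. They go in
# /etc/openldap/ldap.conf (system-wide) or ~/.ldaprc (one user).
ldap_conf_snippet() {
  printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$1"
}

make_test_pki
echo "--- no trusted CA configured (expect verify error 19 at depth 1):"
verify_as_client "$WORK/server.pem" "$WORK/chain.pem" "" || true
echo "--- with the root trusted, as TLS_CACERT would (expect OK):"
verify_as_client "$WORK/server.pem" "$WORK/chain.pem" "$WORK/ca.pem"
echo "--- ldap.conf lines to add (path is an assumed example):"
ldap_conf_snippet /etc/openldap/certs/ca-bundle.pem
```

libldap does not consult the web server's trust configuration, which is why the same certificates work for Apache and fail for ldapsearch. TLS_CACERT (or TLS_CACERTDIR for a c_rehash-style directory) in /etc/openldap/ldap.conf applies to every libldap client on the box, ~/.ldaprc to one user, and the LDAPTLS_CACERT environment variable to a single invocation, which is handy for confirming the bundle is right before editing the system file.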