Hi Daisy,
-- create an environment variable LDAPCONF <DAISY>: Question, what value is this environment variable set to? Does OpenSSL or OpenLDAP use this env variable?
You should set the environment variable LDAPCONF to the location of your ldap configuration file. In my case, I called
the file ldap_ssl_cert_config and I placed it in my home directory. So you would then run:
export LDAPCONF=/home/ven/ldap_ssl_cert_config
Alternately, you could also have a .ldaprc file in your home directory instead of setting this variable.
-- create a file called ldap_ssl_cert_config and placed the following line in it: TLS_CACERTDIR /etc/pki/tls <DAISY>: Question, in what directory should I create this file? How is this “ldap_ssl_cert_config” file used? How does the OpenLDAP client know what file to look for, and in which directory?
Sorry, I should have explained this better. The environment variable LDAPCONF must point to the location of this file as shown above.
Create it in any text editor and place the line TLS_CACERTDIR <path to root cert bundle> within this file. The OpenLDAP libraries will either look for the environment variable LDAPCONF or for a .ldaprc file in your home directory.
And /etc/pki/tls does not exist in my file system. What is this “/etc/pki/tls” anyway?
TLS_CACERTDIR specifies the location of the SSL certificates root bundle of your OpenSSL installation. In Red Hat Enterprise Linux,
this bundle is located in /etc/pki/tls. What OS are you using? It will depend on that and your OpenSSL installation. Also, see this for more detailed info: http://linux.die.net/man/5/ldap.conf
cheers,
Ven
From: Mahadevan, Venkatasubramanian [mailto:Venkatasubramanian.Mahadevan@ubc.ca]
Sent: Tuesday, August 30, 2011 6:25 PM
To: Wu, Daisy; openldap-technical@openldap.org
Subject: RE: OpenLDAP client test program connecting to LDAP server over SSL failed
It failed because of this error: ldap_sasl_bind_s: Can't contact LDAP server (-1) error:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Hi Daisy,
I have noticed that sometimes, depending on the version of OpenSSL you are linking the LDAP libraries to, it will throw this error. So what I did was:
-- created an environment variable LDAPCONF
-- created a file called ldap_ssl_cert_config and placed the following line in it: TLS_CACERTDIR /etc/pki/tls
-- ran my program
Then it worked and I did not get the error anymore. Hope this helps.
cheers,
Ven
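An added sanity check for the LDAPCONF / TLS_CACERTDIR setup described in both messages above; it is not code from the thread or from OpenLDAP. It assumes POSIX sh, and the fixture paths and the deadbeef.0 link name are constructed. It goes one step beyond the thread by checking that the directory named by TLS_CACERTDIR is in OpenSSL's hashed layout, which is what that directive requires.

```shell
# Added example, not code from the thread: sanity-check the client TLS settings
# described above. Assumes POSIX sh; fixture paths and the link name are constructed.

# User-level file the OpenLDAP client reads on top of the system-wide ldap.conf,
# per ldap.conf(5): $LDAPCONF if set, otherwise ~/.ldaprc.
resolve_ldap_conf() {
    if [ -n "$LDAPCONF" ]; then echo "$LDAPCONF"
    elif [ -r "$HOME/.ldaprc" ]; then echo "$HOME/.ldaprc"
    else echo none; fi
}

# check_ldap_tls_conf <file>: prints a diagnosis and returns 0 only if the CA
# store named by TLS_CACERT or TLS_CACERTDIR can actually be used for verification.
check_ldap_tls_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    cacert=$(awk 'toupper($1)=="TLS_CACERT"{v=$2} END{print v}' "$conf")
    cacertdir=$(awk 'toupper($1)=="TLS_CACERTDIR"{v=$2} END{print v}' "$conf")
    if [ -n "$cacert" ]; then
        [ -r "$cacert" ] || { echo "TLS_CACERT $cacert is not readable"; return 1; }
        echo "TLS_CACERT file present: $cacert"; return 0
    fi
    [ -n "$cacertdir" ] || { echo "no TLS_CACERT/TLS_CACERTDIR in $conf"; return 1; }
    [ -d "$cacertdir" ] || { echo "TLS_CACERTDIR $cacertdir does not exist"; return 1; }
    # OpenSSL finds CAs in a directory only via subject-hash names (xxxxxxxx.0) made
    # by c_rehash / "openssl rehash"; bare .pem files are ignored, so verification fails.
    hashed=0
    for f in "$cacertdir"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]; do
        if [ -e "$f" ]; then hashed=$((hashed + 1)); fi
    done
    if [ "$hashed" -eq 0 ]; then
        echo "TLS_CACERTDIR $cacertdir has no hashed CA links; run: openssl rehash $cacertdir"
        return 1
    fi
    echo "TLS_CACERTDIR $cacertdir has $hashed hashed CA link(s)"
}

# make_fixture: constructed good/bad config pair under a temp dir (prints the dir).
# deadbeef.0 stands in for a real subject hash (openssl x509 -subject_hash -noout).
make_fixture() {
    d=$(mktemp -d)
    mkdir "$d/unhashed" "$d/hashed"
    : > "$d/unhashed/ca.pem"; : > "$d/hashed/ca.pem"; ln -s ca.pem "$d/hashed/deadbeef.0"
    printf 'TLS_CACERTDIR %s\n' "$d/unhashed" > "$d/bad.conf"
    printf 'TLS_CACERTDIR %s\n' "$d/hashed" > "$d/good.conf"
    echo "$d"
}

d=$(make_fixture)
for c in bad good; do check_ldap_tls_conf "$d/$c.conf" || :; done
```

Point it at your real file with `check_ldap_tls_conf "$(resolve_ldap_conf)"`; a directory of CA files without the hash links is one cause of the "certificate verify failed" error quoted above.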