/etc/ldap.conf is used by nss tools and the ilk.

/etc/openldap/ldap.conf would be used by openldap tools - like ldapsearch.

I have the same setting there for tls_checkpeer - but in the latter ldap.conf (under openldap).

FWIW: there's apparently no real different format for the two files; while one would only be setup on ldap servers, mine are identical and things work with a mirror master, both setup behind a VIP (fail over, not load balanced) and a plethora of slaves in different subdomains.

- chris

PS: I'd forgotten to 'reply-to-all' earlier. :)

Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
email: chris.jacobs@apollogrp.edu


From: Lynn York
To: Chris Jacobs
Sent: Mon Apr 12 10:29:19 2010
Subject: RE: Problem with SSL/TLS

Here is my /etc/ldap.conf:

 

#host 127.0.0.1

base cn=users,dc=testing,dc=com

uri ldap://localhost:636

binddn cn=manager,dc=testing,dc=com

bindpw password

scope sub

timelimit 120

bind_policy soft

bind_timelimit 120

idle_timelimit 3600

ssl on

tls_cacert /etc/openldap/cacerts/servercrt.pem

tls_cacertdir /etc/openldap/cacerts

tls_checkpeer no

nss_base_group          cn=groups,dc=testing,dc=com?sub

pam_password md5

 

I have tried it with and without “tls_checkpeer”….   I am sort of at a loss as to what it can be.  I also tested it using openssl  client.. and here is the output:

 

CONNECTED(00000003)

SSL_connect:before/connect initialization

SSL_connect:SSLv2/v3 write client hello A

SSL_connect:SSLv3 read server hello A

depth=1 /C=US/ST=Pennsylvania/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=testing@testing.com

verify return:1

depth=0 /C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=testing@testing.com

verify return:1

SSL_connect:SSLv3 read server certificate A

SSL_connect:SSLv3 read server certificate request A

SSL_connect:SSLv3 read server done A

SSL_connect:SSLv3 write client certificate A

SSL_connect:SSLv3 write client key exchange A

SSL_connect:SSLv3 write certificate verify A

SSL_connect:SSLv3 write change cipher spec A

SSL_connect:SSLv3 write finished A

SSL_connect:SSLv3 flush data

SSL_connect:SSLv3 read finished A

---

Certificate chain

 0 s:/C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=testing@testing.com

   i:/C=US/ST=Pennsylvania/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=testing@testing.com

-----BEGIN CERTIFICATE-----

MIIDPzCCAqigAwIBAgIBATANBgkqhkiG9w0BAQUFADCBmTELMAkGA1UEBhMCVVMx

FTATBgNVBAgTDFBlbm5zeWx2YW5pYTEXMBUGA1UEChMOTWF2ZW5XaXJlLCBMTEMx

EDAOBgNVBAsTB1N1cHBvcnQxFjAUBgNVBAMTDW1hdmVud2lyZS5jb20xMDAuBgkq

hkiG9w0BCQEWIW13LWhvc3Rpbmctc3lzYWRtaW5AbWF2ZW53aXJlLmNvbTAeFw0x

MDA0MDkyMDUwNDlaFw0xMTA0MDkyMDUwNDlaMIGzMQswCQYDVQQGEwJVUzEVMBMG

A1UECBMMUGVubnN5bHZhbmlhMRgwFgYDVQQHEw9LaW5nIG9mIFBydXNzaWExFzAV

BgNVBAoTDk1hdmVuV2lyZSwgTExDMRAwDgYDVQQLEwdTdXBwb3J0MRYwFAYDVQQD

Ew1tYXZlbndpcmUuY29tMTAwLgYJKoZIhvcNAQkBFiFtdy1ob3N0aW5nLXN5c2Fk

bWluQG1hdmVud2lyZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMGp

U5HS8A2DRokU5TQz1Dyycx/VA2uhrRwatTPq8xtoQigWM2feiXUwtoiQ/gP3IjB5

AJLf8aC8y72Io2IME4aqh1s7bdscV2b0QMs1MfXiL9h2XQWZVCkgDLjjb1XzHhlw

3I6vkrh/uGH2PQyXbuG/6dIguzCHfnGgGXgy1o45AgMBAAGjezB5MAkGA1UdEwQC

MAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl

MB0GA1UdDgQWBBR0mZkOwZZjYFiWlloEvgSpoPxOuzAfBgNVHSMEGDAWgBS7Iqbt

j25p56k4BdHpXYG3xjhdijANBgkqhkiG9w0BAQUFAAOBgQARO7OcDgNOZ3WuP9IM

mUeQWuGVBAh7MQ3Uv2HrSOAfTHxg/QxjCZZlwULq1EZZDHNgyPMM+5ElWSID5El/

fdxHcizNOjPPuVPwtJIrs8RhTIehn0aKryqtkvpcAnxFuc+VxwcCBhV58wtbSuXL

PXRTvoTDXWkiXwdR4m1bubOF5A==

-----END CERTIFICATE-----

 1 s:/C=US/ST=Pennsylvania/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=testing@testing.com

   i:/C=US/ST=Pennsylvania/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=testing@testing.com

-----BEGIN CERTIFICATE-----

MIIDJTCCAo6gAwIBAgIBADANBgkqhkiG9w0BAQUFADCBmTELMAkGA1UEBhMCVVMx

FTATBgNVBAgTDFBlbm5zeWx2YW5pYTEXMBUGA1UEChMOTWF2ZW5XaXJlLCBMTEMx

EDAOBgNVBAsTB1N1cHBvcnQxFjAUBgNVBAMTDW1hdmVud2lyZS5jb20xMDAuBgkq

hkiG9w0BCQEWIW13LWhvc3Rpbmctc3lzYWRtaW5AbWF2ZW53aXJlLmNvbTAeFw0x

MDA0MDkyMDUwMDBaFw0xMzA0MDgyMDUwMDBaMIGZMQswCQYDVQQGEwJVUzEVMBMG

A1UECBMMUGVubnN5bHZhbmlhMRcwFQYDVQQKEw5NYXZlbldpcmUsIExMQzEQMA4G

A1UECxMHU3VwcG9ydDEWMBQGA1UEAxMNbWF2ZW53aXJlLmNvbTEwMC4GCSqGSIb3

DQEJARYhbXctaG9zdGluZy1zeXNhZG1pbkBtYXZlbndpcmUuY29tMIGfMA0GCSqG

SIb3DQEBAQUAA4GNADCBiQKBgQC6yVPz1ccamBapkRR8vTjpiKj7JuJKdCecTQ7/

f2KWoIRuYdEWU4njEsu/KHQWmxR0lelqOzM15EHVanOJCsPKCEMQg4lY5cQm8W1Q

YCGQyqg0ITQ6nbPuQchFHHnldqYZsfiWjly8SC454B61ItHi9Lcxvfh4cVonSCqw

KeoF4wIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NM

IEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUuyKm7Y9uaeepOAXR6V2B

t8Y4XYowHwYDVR0jBBgwFoAUuyKm7Y9uaeepOAXR6V2Bt8Y4XYowDQYJKoZIhvcN

AQEFBQADgYEAg5xdwSmeF2afO1UJZys5Mmvn7YfUdOIRgVaYN5sQLt1ixCXjDEew

56br5RKs2W6PaqeXl7CN5bYqxDDo3ekds9uquzE91HaKH04gQUc+/NA82y5NiaGZ

EOiLoTvc/+PShAjl8ZVwf+eNloay2FChb6S47rX0f28tKXpteWax00k=

-----END CERTIFICATE-----

---

Server certificate

subject=/C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=testing@testing.com

issuer=/C=US/ST=Pennsylvania/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=testing@testing.com

---

Acceptable client certificate CA names

/C=US/ST=Pennsylvania/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=testing@testing.com

/C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=testing@testing.com

---

SSL handshake has read 2160 bytes and written 2117 bytes

---

New, TLSv1/SSLv3, Cipher is AES256-SHA

Server public key is 1024 bit

Compression: NONE

Expansion: NONE

SSL-Session:

    Protocol  : TLSv1

    Cipher    : AES256-SHA

    Session-ID: 7475F12DDB7A8CAE5047244136B5CDBD877D9C71E72B7DE379FEEC681ECA635C

    Session-ID-ctx:

    Master-Key: 5253A27AAB6096A906DD64C1565110582414DE0B24543D7275D267235BDF06F75EA1E745323E6E34420D90613AD74BF7

    Key-Arg   : None

    Krb5 Principal: None

    Start Time: 1271093212

    Timeout   : 300 (sec)

    Verify return code: 0 (ok)

 

 

That all appears to be OK… which is confusing to me as to why it won’t work?

 

From: Chris Jacobs [mailto:Chris.Jacobs@apollogrp.edu]
Sent: Monday, April 12, 2010 12:30 PM
To: 'lynn.york@mavenwire.com'
Subject: Re: Problem with SSL/TLS

 

Did you setup the CA's cert as a trusted CA on your clients?

There is also a setting to skip verifying the cert for /etc/openldap/ldap.conf - but I can't recall atm.

- chris

Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
email: chris.jacobs@apollogrp.edu


From: openldap-technical-bounces+chris.jacobs=apollogrp.edu@OpenLDAP.org
To: openldap-technical@openldap.org
Sent: Mon Apr 12 08:13:39 2010
Subject: Problem with SSL/TLS

I have created a cert. on the server and openldap starts without any issues, however when I attempt to connect via ldaps I keep getting the following error:

??

??

ldapsearch -x -H ldaps://localhost:636 -D "cn=Manager,dc=testing,dc=com" -W -b "dc=testing,dc=com" "(objectClass=top)"

Enter LDAP Password:

ldap_bind: Can't contact LDAP server (-1)

?????????????? additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

??

I can???t quite pin point what the problem might be.??

??

Lynn York II

MavenWire Hosting Admin

www.mavenwire.com

(866) 343-4870 x717

??

MavenWire - We DELIVER

http://www.mavenwire.com

??

This e-mail and any attached files may contain confidential and/or privileged material for the sole use of the intended recipient.?? Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive this e-mail for the recipient), you may not review, copy or distribute this message.?? Please contact the sender by reply e-mail and delete all copies of this message.

??

MavenWire - We DELIVER
http://www.mavenwire.com
 
This e-mail and any attached files may contain confidential and/or privileged material for the sole use of the intended recipient.  Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive this e-mail for the recipient), you may not review, copy or distribute this message.  Please contact the sender by reply e-mail and delete all copies of this message.
 

 


This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.

MavenWire - We DELIVER
http://www.mavenwire.com

This e-mail and any attached files may contain confidential and/or privileged material for the sole use of the intended recipient.  Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive this e-mail for the recipient), you may not review, copy or distribute this message.  Please contact the sender by reply e-mail and delete all copies of this message.



This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.