/etc/ldap.conf is used by nss tools and the ilk.
/etc/openldap/ldap.conf would be used by openldap tools - like ldapsearch.
I have the same setting there for tls_checkpeer - but in the latter ldap.conf (under openldap).
FWIW: there's apparently no real different format for the two files; while one would only be setup on ldap servers, mine are identical and things work with a mirror master, both setup behind a VIP (fail over, not load balanced) and a plethora of slaves in different subdomains.
- chris
PS: I'd forgotten to 'reply-to-all' earlier. :)
Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
email: chris.jacobs@apollogrp.edu
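As an added illustration of the two-file distinction above (example code, not from the thread or from OpenLDAP), this script reads an ldap.conf-style file and classifies its trust settings. It assumes the standard OpenLDAP directives TLS_CACERT, TLS_CACERTDIR and TLS_REQCERT plus the nss_ldap names tls_cacert and tls_checkpeer quoted in the thread, and constructs two sample files standing in for /etc/ldap.conf and /etc/openldap/ldap.conf.

```shell
#!/bin/sh
# Added example, not from the thread: report which trust settings an LDAP
# client would apply from an ldap.conf-style file. Assumes the OpenLDAP
# directive names TLS_CACERT, TLS_CACERTDIR, TLS_REQCERT and the nss_ldap
# names tls_cacert, tls_checkpeer; keys are matched case-insensitively.

# ldap_conf_get FILE KEY: print the value of the first matching directive.
# '#' lines and blank lines are skipped; the value is everything after the key.
ldap_conf_get() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# ldap_conf_trust FILE: classify the file as
#   noverify - the server certificate is accepted unchecked (MITM exposure)
#   verify   - a CA file or directory is configured, so the chain is checked
#   notrust  - verification is on but no CA is configured, so a private CA
#              produces exactly the "certificate verify failed" seen above
ldap_conf_trust() {
    reqcert=$(ldap_conf_get "$1" TLS_REQCERT | tr 'A-Z' 'a-z')
    checkpeer=$(ldap_conf_get "$1" tls_checkpeer | tr 'A-Z' 'a-z')
    case "$reqcert" in never|allow) echo noverify; return 0;; esac
    if [ "$checkpeer" = no ]; then echo noverify; return 0; fi
    if [ -n "$(ldap_conf_get "$1" TLS_CACERT)$(ldap_conf_get "$1" TLS_CACERTDIR)" ]
    then echo verify; else echo notrust; fi
}

# Constructed samples standing in for the two files the thread distinguishes.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_NSS_CONF="$SAMPLE_DIR/ldap.conf"                # read by nss_ldap/pam_ldap
SAMPLE_OPENLDAP_CONF="$SAMPLE_DIR/openldap-ldap.conf"  # read by ldapsearch
cat > "$SAMPLE_NSS_CONF" <<'EOF'
uri ldap://localhost:636
ssl on
tls_cacert /etc/openldap/cacerts/servercrt.pem
tls_checkpeer no
EOF
cat > "$SAMPLE_OPENLDAP_CONF" <<'EOF'
# TLS_CACERT never set here: ldapsearch has no trust anchor for a private CA
BASE dc=testing,dc=com
URI ldaps://localhost:636
EOF

for f in "$SAMPLE_NSS_CONF" "$SAMPLE_OPENLDAP_CONF"; do
    printf '%s: %s\n' "$f" "$(ldap_conf_trust "$f")"
done
```

Pointing TLS_CACERT in the file the tool actually reads at the issuing CA certificate (the depth=1 subject in the s_client output, not the server's own certificate) moves a file from "notrust" to "verify" without switching verification off.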
Here is my /etc/ldap.conf:
#host 127.0.0.1
base cn=users,dc=testing,dc=com
uri ldap://localhost:636
binddn cn=manager,dc=testing,dc=com
bindpw password
scope sub
timelimit 120
bind_policy soft
bind_timelimit 120
idle_timelimit 3600
ssl on
tls_cacert /etc/openldap/cacerts/servercrt.pem
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
nss_base_group cn=groups,dc=testing,dc=com?sub
pam_password md5
I have tried it with and without "tls_checkpeer". I am sort of at a loss as to what it can be. I also tested it using the openssl client, and here is the output:
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/ST=Pennsylvania/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=testing@testing.com
verify return:1
depth=0 /C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=testing@testing.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=testing@testing.com
i:/C=US/ST=Pennsylvania/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=testing@testing.com
1 s:/C=US/ST=Pennsylvania/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=testing@testing.com
i:/C=US/ST=Pennsylvania/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=testing@testing.com
---
Server certificate
subject=/C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=testing@testing.com
issuer=/C=US/ST=Pennsylvania/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=testing@testing.com
---
Acceptable client certificate CA names
/C=US/ST=Pennsylvania/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=testing@testing.com
/C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=testing@testing.com
---
SSL handshake has read 2160 bytes and written 2117 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 7475F12DDB7A8CAE5047244136B5CDBD877D9C71E72B7DE379FEEC681ECA635C
Session-ID-ctx:
Master-Key: 5253A27AAB6096A906DD64C1565110582414DE0B24543D7275D267235BDF06F75EA1E745323E6E34420D90613AD74BF7
Key-Arg : None
Krb5 Principal: None
Start Time: 1271093212
Timeout : 300 (sec)
Verify return code: 0 (ok)
That all appears to be OK, which is confusing to me as to why it won't work.
From: Chris Jacobs [mailto:Chris.Jacobs@apollogrp.edu]
Sent: Monday, April 12, 2010 12:30 PM
To: 'lynn.york@mavenwire.com'
Subject: Re: Problem with SSL/TLS
Did you setup the CA's cert as a trusted CA on your clients?
There is also a setting to skip verifying the cert for /etc/openldap/ldap.conf - but I can't recall atm.
- chris
Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
email: chris.jacobs@apollogrp.edu
From: openldap-technical-bounces+chris.jacobs=apollogrp.edu@OpenLDAP.org
To: openldap-technical@openldap.org
Sent: Mon Apr 12 08:13:39 2010
Subject: Problem with SSL/TLS
I have created a cert. on the server and openldap starts without any issues, however when I attempt to connect via ldaps I keep getting the following error:
ldapsearch -x -H ldaps://localhost:636 -D "cn=Manager,dc=testing,dc=com" -W -b "dc=testing,dc=com" "(objectClass=top)"
Enter LDAP Password:
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I can't quite pinpoint what the problem might be.
Lynn York II
MavenWire Hosting Admin
(866) 343-4870 x717
MavenWire - We DELIVER
This e-mail and any attached files may contain confidential and/or privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive this e-mail for the recipient), you may not review, copy or distribute this message. Please contact the sender by reply e-mail and delete all copies of this message.
http://www.mavenwire.com
This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.