Hi, I did run some openssl commands and here is what I saw.
# openssl s_client -connect <ldap server ip>:636
verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=21:unable to verify the first certificate
verify return:1
No client certificate CA names sent
---
SSL handshake has read 1162 bytes and written 450 bytes
---
Verify return code: 21 (unable to verify the first certificate)
I got the same thing when I ran the command on the local LDAP server too.
Are the certificates not OK? If so, how am I able to run ldapsearch with the "-ZZ" option?
Regards Asimananda
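As an added illustration that is not part of this thread or of any reply in it: "verify error:num=20" and "num=21" are what s_client prints when it has no trust anchor for the server certificate, so they describe the client's missing CA file rather than the certificate itself. The script below (my own constructed example) builds a throwaway CA, signs a leaf certificate for the hypothetical host ldap-company.com with it, and runs "openssl verify" with and without that CA; the error 20 appears only in the first case.

```shell
#!/bin/sh
# Constructed demo, not code from the thread: show that OpenSSL's
# "unable to get local issuer certificate" (error 20) is a missing
# trust anchor on the verifying side, not a defect in the certificate.
set -e

WORK="${TMPDIR:-/tmp}/ldaps-verify-demo.$$"
trap 'rm -rf "$WORK"' EXIT

# Build the constructed PKI: ca.pem (self-signed root) and server.pem
# (a leaf for the hypothetical host ldap-company.com, signed by that root).
make_test_pki() {
  mkdir -p "$WORK"
  # minimal openssl config so the demo does not depend on the system openssl.cnf
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # self-signed root CA
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  # leaf key and CSR (-subj overrides the [dn] section; no x509_extensions for a CSR)
  openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=ldap-company.com" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  # sign the leaf with the demo CA
  openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.pem" >/dev/null 2>&1
}

# verify_code [cafile]
# Prints 0 when "openssl verify" accepts server.pem, otherwise the X509
# verify error number OpenSSL reported (20 = unable to get local issuer).
verify_code() {
  if [ -n "$1" ]; then
    out=$(openssl verify -CAfile "$1" "$WORK/server.pem" 2>&1 || true)
  else
    out=$(openssl verify "$WORK/server.pem" 2>&1 || true)
  fi
  case "$out" in
    *": OK"*) echo 0 ;;
    *) echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
  esac
}

make_test_pki
echo "without CA file: verify error $(verify_code)"
echo "with CA file:    verify error $(verify_code "$WORK/ca.pem")"
```

Against a real server the equivalent check is "openssl s_client -connect host:636 -CAfile ca.pem", where ca.pem is the CA that issued the server certificate; with the CA supplied the verify return code drops to 0. My reading of the "-ZZ works" observation is that the OpenLDAP client was already given that CA through the TLS_CACERT setting in ldap.conf (or had TLS_REQCERT relaxed), which s_client knows nothing about; Apache's mod_ldap has to be handed the same CA separately, through its LDAPTrustedGlobalCert directive in 2.2 and later.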
On Tue, Sep 22, 2009 at 10:15 AM, Asimananda Mohanty <asimananda.mohanty@gmail.com> wrote:
Hi, Regarding the Apache issue, as I expected, fingers were raised towards the certificate file even though I have clarified that the same certificate works fine with the local client (installed along with the server).
Is there any way to prove that the certificate file is OK?
Regards Asimananda
On Mon, Sep 21, 2009 at 3:53 PM, Asimananda Mohanty <asimananda.mohanty@gmail.com> wrote:
I think I am supposed to provide the bind DN with "-D" option i.e. cn=admin,dc=ldap-company,dc=com. With this value, it works fine.
Sorry for the mistake.
Regarding the Apache issue, I will post it here once it is solved.
Regards Asimananda
On Mon, Sep 21, 2009 at 3:42 PM, Asimananda Mohanty <asimananda.mohanty@gmail.com> wrote:
Hi Dieter, I will try to look at it from a different angle. Once I am able to solve it, I will post it here.
I have one more query.
On my server, I am able to get the result by :
# ldapsearch -d8 -H ldaps://ldap-company.com -b dc=ldap-company,dc=com uid=asimananda
SASL/DIGEST-MD5 authentication started
Please enter your password:
<Result>
But the following query doesn't show any result and throws error.
# ldapsearch -d8 -H ldaps://ldap-company.com -D dc=ldap-company,dc=com uid=asimananda -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
#
Does this mean that I have still some configuration to do?
Please comment.
Regards Asimananda
On Mon, Sep 21, 2009 at 10:54 AM, Dieter Kluenter <dieter@dkluenter.de> wrote:
Asimananda Mohanty asimananda.mohanty@gmail.com writes:
Hi Dieter,
Thanks for the reply.
My Apache is built with openldap lib only.
I am able to connect to the Ubuntu host from my Solaris client on ports 389 and 636.
Then I guess, apache is not able to verify the certificates presented.
In that case, please let me know how I can debug slapd to watch the Apache connection.
As I mentioned many times, this topic is neither OpenLDAP nor Ubuntu related, it is just a question of how to properly set up Apache on Sun Solaris 10. Did you configure mod_auth_ldap and mod_ldap to use TLS? There are two sources of information, Sun Bigadmin and the Apache documentation. A lot of documentation refers to *.der or cert7.db files; note that OpenLDAP only handles *.pem files. For more information on this topic read the openssl documentation.
http://httpd.apache.org/docs/2.0/mod/mod_ldap.html http://www.sun.com/bigadmin/home/index.jsp
-Dieter
-- Dieter Klünter | Systemberatung http://dkluenter.de GPG Key ID:8EF7B6C6 53°37'09,95"N 10°08'02,42"E