I did run some openssl commands and here is what I saw.

# openssl s_client -connect <ldap server ip>:636

verify error:num=20:unable to get local issuer certificate
verify return:1

verify error:num=21:unable to verify the first certificate
verify return:1

No client certificate CA names sent
SSL handshake has read 1162 bytes and written 450 bytes
Verify return code: 21 (unable to verify the first certificate)

I got the same thing when I ran the command on the local ldap server too.

Are the certificates not OK? If this is so, how am I able to run ldapsearch with the "-ZZ" option?


On Tue, Sep 22, 2009 at 10:15 AM, Asimananda Mohanty <asimananda.mohanty@gmail.com> wrote:

Regarding the apache issue, as I expected, fingers were raised towards the certificate file even though I have clarified that the same certificate works fine with the local client (installed along with the server).

Is there any way to prove that the certificate file is OK?


On Mon, Sep 21, 2009 at 3:53 PM, Asimananda Mohanty <asimananda.mohanty@gmail.com> wrote:
I think I am supposed to provide the bind DN with "-D" option i.e. cn=admin,dc=ldap-company,dc=com.

With this value, it works fine.

Sorry for the mistake.

Regarding the Apache issue, I will post it here once it is solved.


On Mon, Sep 21, 2009 at 3:42 PM, Asimananda Mohanty <asimananda.mohanty@gmail.com> wrote:
Hi Dieter,

I will try to look at it from a different angle. Once I am able to solve it, I will post it here.

I have one more query.

On my server, I am able to get the result by :

# ldapsearch -d8 -H ldaps://ldap-company.com -b dc=ldap-company,dc=com uid=asimananda
SASL/DIGEST-MD5 authentication started
Please enter your password:


But the following query doesn't show any result and throws an error.

# ldapsearch -d8 -H ldaps://ldap-company.com -D dc=ldap-company,dc=com uid=asimananda -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

Does this mean that I have still some configuration to do?

Please comment.


On Mon, Sep 21, 2009 at 10:54 AM, Dieter Kluenter <dieter@dkluenter.de> wrote:
Asimananda Mohanty <asimananda.mohanty@gmail.com> writes:

> Hi Dieter,
> Thanks for the reply.
> My Apache is built with openldap lib only.
> I am able to connect to the ubuntu host by my solaris client on ports 389 and 636.
> Then I guess, apache is not able to verify the certificates presented. In that case, please let me know how do I debug
> slapd to watch apache connection.

As I mentioned many times, this topic is neither OpenLDAP nor Ubuntu
related, it is just a question of how to properly set up Apache on Sun
Solaris 10.
Did you configure mod_auth_ldap and mod_ldap to use TLS?
There are two sources of information, Sun Bigadmin and Apache
documentation. A lot of documentation refers to *.der or cert7.db
files; note that OpenLDAP only handles *.pem files. For more
information on this topic read the openssl documentation.



Dieter Klünter | Systemberatung
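Added example, not part of this thread or of OpenLDAP: the verify errors 20/21 that s_client printed at the top of the thread mean the verifying side was not given the CA that issued the LDAP server certificate, which is why ldapsearch -ZZ (which reads its trust anchor from TLS_CACERT in ldap.conf) can still succeed. The script builds a throwaway CA and server certificate (constructed names), verifies the server certificate with and without the CA file, and wraps the equivalent s_client check for a live server (host and CA path are hypothetical arguments).

```shell
#!/bin/sh
# Added example, not from the thread. Shows that openssl's verify error 20/21
# means the verifier lacks the issuing CA, not that the server certificate is bad.
WORK=$(mktemp -d)

# Build a constructed CA and a server certificate issued by it (throwaway names).
make_test_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA (constructed)" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap-company.com" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/server.pem" >/dev/null 2>&1
}

# Verify a certificate file. With no CA file openssl falls back to the system
# trust store, which is exactly what s_client does when run without -CAfile.
# Prints openssl's verdict; returns 0 if the chain verifies, 1 otherwise.
verify_cert() {
  cert=$1
  cafile=${2:-}
  if [ -n "$cafile" ]; then
    out=$(openssl verify -CAfile "$cafile" "$cert" 2>&1)
  else
    out=$(openssl verify "$cert" 2>&1)
  fi
  echo "$out"
  case "$out" in
    *": OK"*) return 0 ;;
  esac
  return 1
}

# Same check against a live LDAPS server (not run here): hand s_client the CA
# that ldapsearch gets from TLS_CACERT in ldap.conf, then read the final verdict.
# "Verify return code: 0 (ok)" means the presented chain is trusted by that CA.
check_ldaps() {
  host=$1
  cafile=$2
  openssl s_client -connect "$host:636" -CAfile "$cafile" </dev/null 2>/dev/null \
    | grep '^Verify return code'
}
```

If the server still fails with the correct CA file, the chain the server presents is incomplete or signed by another CA; if it passes here but Apache still fails, the problem is Apache's own trust configuration, not the certificate.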