Wow.. I feel like a complete idiot... I got it working by changing to the cert instead of the key. Thanks very much to all who helped.
-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@zimbra.com]
Sent: Monday, April 12, 2010 6:26 PM
To: Lynn York
Cc: openldap-technical@openldap.org
Subject: RE: Problem with SSL/TLS
--On Monday, April 12, 2010 6:13 PM -0400 Lynn York lynn.york@mavenwire.com wrote:
> Here is my /etc/openldap/ldap.conf:
>
> uri ldaps://localhost
> base cn=users,dc=testing,dc=com
> tls_cacert /etc/openldap/cacerts/ca.key
> tls_cacertdir /etc/openldap/cacerts
> tls_reqcert allow
You specify *one* of the two options (Either TLS_CACERT or TLS_CACERTDIR).
Not both. If you are specifying the file, then it needs to be the cert, not the key.
> TLS: could not load verify locations (file:`/etc/openldap/cacerts/ca.key',dir:`/etc/openldap/cacerts').
>
> However, the certs and keys do exist..
>
> ls -al /etc/openldap/cacerts/
> total 44
> drwxr-xr-x 3 ldap ldap 4096 Apr 12 13:48 .
> drwxr-xr-x 4 ldap ldap 4096 Apr 12 18:09 ..
> drwxr-xr-x 2 ldap ldap 4096 Apr 12 13:45 backup
> -rw-r--r-- 1 ldap ldap 1805 Apr 12 13:46 ca.cert
> -rw-r--r-- 1 ldap ldap 1679 Apr 12 13:46 ca.key
What about the permissions on /etc/openldap and /etc/openldap/cacerts?
I.e., if you su - ldap, can you actually read /etc/openldap/cacerts/ca.cert?
--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
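The two checks Quanah describes above (is the file named by TLS_CACERT really a certificate rather than the key, and can the account that uses ldap.conf actually read it), as an added example script that is not part of this thread or of OpenLDAP. It lints a client ldap.conf for TLS_CACERT pointing at a private key, for TLS_CACERT and TLS_CACERTDIR both being set, and additionally for `tls_reqcert allow`, which accepts a bad server certificate and so makes the CA file pointless even once it is correct. The helper names (pem_kind, ldap_opt, lint_ldap_conf, make_fixture) and the fixture files with placeholder PEM bodies are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: lint an OpenLDAP client ldap.conf for the
# mistakes discussed above (TLS_CACERT pointing at a private key rather than a
# CA certificate, TLS_CACERT and TLS_CACERTDIR both set) and for a TLS_REQCERT
# value that lets a bad server certificate through.

# Classify a PEM file by its first "-----BEGIN ..." line.
# Prints one of: cert, key, unknown, missing ("missing" also covers "not
# readable by the current user", so run this as the account that uses ldap.conf).
pem_kind() {
    f="$1"
    [ -r "$f" ] || { echo missing; return 0; }
    hdr=$(grep '^-----BEGIN ' "$f" | head -n 1)
    case "$hdr" in
        *"BEGIN CERTIFICATE-----"*) echo cert ;;
        *"PRIVATE KEY-----"*)       echo key ;;
        *)                          echo unknown ;;
    esac
}

# Print the value of an ldap.conf option (keyword match is case-insensitive,
# as in ldap.conf itself); prints nothing if the option is absent.
ldap_opt() {
    awk -v k="$2" 'tolower($1) == k { print $2; exit }' "$1"
}

# Lint one ldap.conf: one finding per line on stdout, exit status 1 if any.
lint_ldap_conf() {
    conf="$1"; rc=0
    cacert=$(ldap_opt "$conf" tls_cacert)
    cadir=$(ldap_opt "$conf" tls_cacertdir)
    reqcert=$(ldap_opt "$conf" tls_reqcert | tr 'A-Z' 'a-z')
    if [ -n "$cacert" ] && [ -n "$cadir" ]; then
        echo "TLS_CACERT and TLS_CACERTDIR are both set; specify one of them"; rc=1
    fi
    if [ -n "$cacert" ]; then
        case "$(pem_kind "$cacert")" in
            cert)    ;;
            key)     echo "TLS_CACERT $cacert is a private key, not a CA certificate"; rc=1 ;;
            missing) echo "TLS_CACERT $cacert is missing or not readable by $(id -un)"; rc=1 ;;
            *)       echo "TLS_CACERT $cacert is not a PEM certificate"; rc=1 ;;
        esac
    fi
    # Unset means the default, demand; demand/hard/try all reject a bad certificate.
    case "$reqcert" in
        ""|demand|hard|try) ;;
        *) echo "TLS_REQCERT $reqcert accepts a bad server certificate; use demand"; rc=1 ;;
    esac
    return $rc
}

# Constructed fixture mirroring the thread: placeholder PEM bodies, a broken
# ldap.conf like the one posted, and a corrected one. Prints the directory.
make_fixture() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder-not-a-real-cert' \
        '-----END CERTIFICATE-----' > "$d/ca.cert"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'placeholder-not-a-real-key' \
        '-----END RSA PRIVATE KEY-----' > "$d/ca.key"
    cat > "$d/ldap.conf.bad" <<EOF
uri ldaps://localhost
base cn=users,dc=testing,dc=com
tls_cacert $d/ca.key
tls_cacertdir $d
tls_reqcert allow
EOF
    cat > "$d/ldap.conf.good" <<EOF
uri ldaps://localhost
base cn=users,dc=testing,dc=com
TLS_CACERT $d/ca.cert
TLS_REQCERT demand
EOF
    echo "$d"
}

# Usage: sh lint_ldap_conf.sh [/etc/openldap/ldap.conf]
# With no argument, lint the constructed fixture instead of a real file.
if [ $# -gt 0 ]; then
    lint_ldap_conf "$1"
else
    d=$(make_fixture)
    for c in "$d/ldap.conf.bad" "$d/ldap.conf.good"; do
        echo "== $c"
        lint_ldap_conf "$c" && echo "ok"
    done
    rm -rf "$d"
fi
```

The readability check is only as good as the user running it, which is Quanah's point about `su - ldap`: run the script as the service account, for example on Linux `su -s /bin/sh ldap -c 'sh lint_ldap_conf.sh /etc/openldap/ldap.conf'`, so a `missing` result reflects what the LDAP client will actually see. Against the constructed copy of the configuration from the thread it reports three findings (both CA options set, TLS_CACERT is a key, TLS_REQCERT allow) and reports the corrected file as ok.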