On 01/29/2013 01:22 AM, Chris wrote:
Hi
I am running Openldap 2.4.23 on RHEL6. I can telnet to the server on both 389 636 ports. I can do a ldapsearch and ldapadd without any errors. I get this error when I start the slapd daemon.
/ldap_start_tls_s() failed: Can't contact LDAP server: Transport endpoint is not connected (uri="ldap://ldapserver")// //failed to bind to LDAP server ldap://ldapserver: Can't contact LDAP server: Transport endpoint is not connected/
When I do a ldapsearch -x -d1 -Z -b 'dc=flamengro,dc=co,dc=za'
I get the following error
/TLS: certificate [//CA certificate details omitted here...] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..// //TLS: error: connect - force handshake failure: errno 0 - moznss error -8172// //TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..// //ldap_err2string// //ldap_start_tls: Connect error (-11)// // additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user/
"Peer's certificate issuer has been marked as not trusted by the user" - this means the issuer (the CA) that issued the certificate of the server (the peer) is not trusted by the user (the ldapsearch client). This usually means you have not told ldapsearch (via ldap.conf or .ldaprc) about the CA cert of the the CA that issued the server cert.
Any help will be appreciated.
This is my slapd.conf file
include /etc/openldap/schema/corba.schema include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/duaconf.schema include /etc/openldap/schema/dyngroup.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/java.schema include /etc/openldap/schema/misc.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/openldap.schema include /etc/openldap/schema/ppolicy.schema include /etc/openldap/schema/collective.schema allow bind_v2 pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args TLSCipherSuite HIGH TLSCertificateFile /etc/pki/tls/certs/slapdcert.pem TLSCertificateKeyFile /etc/pki/tls/certs/slapdkey.pem TLSVerifyClient never database bdb suffix "dc=flamengro,dc=co,dc=za" checkpoint 1024 15 rootdn "cn=Manager,dc=flamengro,dc=co,dc=za" rootpw secret directory /var/lib/ldap/flamengro index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub database monitor # allow only rootdn to read the monitor access to * by dn.exact="cn=Manager,dc=flamengro,dc=co,dc=za" read by * none access to attrs=userPassword,shadowLastChange by anonymous auth by self write by * none
I