On 01/29/2013 01:22 AM, Chris wrote:

Hi

I am running Openldap 2.4.23 on RHEL6. I can telnet to the server on both 389 636 ports.
I can do a ldapsearch and ldapadd without any errors. I get this error when I start the slapd daemon.

ldap_start_tls_s() failed: Can't contact LDAP server: Transport endpoint is not connected (uri="ldap://ldapserver")
failed to bind to LDAP server ldap://ldapserver: Can't contact LDAP server: Transport endpoint is not connected

When I do a ldapsearch -x -d1 -Z -b 'dc=flamengro,dc=co,dc=za'

I get the following error

TLS: certificate [CA certificate details omitted here...] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 0 - moznss error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
ldap_err2string
ldap_start_tls: Connect error (-11)
additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user

"Peer's certificate issuer has been marked as not trusted by the user" - this means the issuer (the CA) that issued the certificate of the server (the peer) is not trusted by the user (the ldapsearch client). This usually means you have not told ldapsearch (via ldap.conf or .ldaprc) about the CA cert of the the CA that issued the server cert.

Any help will be appreciated.

This is my slapd.conf file

include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema
allow bind_v2
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
TLSCipherSuite          HIGH
TLSCertificateFile      /etc/pki/tls/certs/slapdcert.pem
TLSCertificateKeyFile   /etc/pki/tls/certs/slapdkey.pem
TLSVerifyClient         never
database        bdb
suffix          "dc=flamengro,dc=co,dc=za"
checkpoint      1024 15
rootdn          "cn=Manager,dc=flamengro,dc=co,dc=za"
rootpw                secret
directory       /var/lib/ldap/flamengro
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
database monitor
# allow only rootdn to read the monitor
access to *
        by dn.exact="cn=Manager,dc=flamengro,dc=co,dc=za" read
        by * none
access to attrs=userPassword,shadowLastChange
        by anonymous auth
        by self write
        by * none

I