Matthew, please stay on the mailing list (Cc:-ed) when answering so others can answer and learn as well.
Matthew Edlefsen wrote:
2009/6/13 Michael Ströder michael@stroeder.com:
Matthew Edlefsen wrote:
Hello, I'm trying to get TLS setup with openldap and am having some issues. I have a CA signed certificate (not self-signed) and have created a chain with my CA cert and the root CA cert. I've verified that it works with openssl verify -CAfile on both the client and server but then when I try to connect using ldaps I get the following error on the client:
TLS certificate verification: depth: 2, err: 19, subject: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root, issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root TLS certificate verification: Error, self signed certificate in certificate chain TLS trace: SSL3 alert write:fatal:unknown CA TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS: can't connect.
I assume it's saying that the root CA is self signed, but if I don't include it in the chain it says it can't trust the CA.
Could you please elaborate on how you configured TLS settings on your LDAP client? I assume that your OpenLDAP build was linked to OpenSSL libs. Is that right?
I did not configure my client at all. I confirmed it is linked to OpenSSL though. I'm hoping to not have to do any client configuration (other than turning it on obviously) because we would like end users to be able to use ldaps without any hassle.
You have to configure each LDAP client to trust the CA cert.
For OpenLDAP command-line clients or derived clients you should consult the man page ldap.conf(5) about how to place system-wide or specific configuration files and the client-side (TLS-related) configuration options.
Ciao, Michael.