(I mistakenly posted this at openldap-its earlier. apologies if anyone saw it there)
Hello,
We have an LDAP server running with TLS enabled and verified we can connect to it from openssl s_client. This works:
$ openssl s_client -connect ldap.foo.com:636 -cert client_tls_cert.pem -key client_tls_key.pem -state -nbio -CAfile ca_chain.pem -showcerts
But ldapsearch throws an error:
$ ldapsearch -d 1 -x -H ldaps://ldap.foo.com:636 ... -ZZ
TLS: during handshake: peer cert is valid, or was ignored if verification disabled (-9841)
TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure
We followed the instructions given at https://www.openldap.org/doc/admin24/tls.html#Client%20Configuration. We edited /etc/openldap/ldap.conf like so:
TLS_REQCERT demand
TLS_CACERT ca_chain.pem
TLS_CACERTDIR /path/to/ca/cert
TLS_CERT client_tls_cert.pem
TLS_KEY client_tls_key.pem
The ca_chain.pem file is placed under /path/to/ca/cert. We are running ldapsearch on a Mac. Can anyone help us?
Sid
PS: we do see the following on the server:
TLS trace: SSL_accept:before SSL initialization
TLS trace: SSL_accept:before SSL initialization
TLS trace: SSL_accept:SSLv3/TLS read client hello
TLS trace: SSL_accept:SSLv3/TLS write server hello
TLS trace: SSL_accept:SSLv3/TLS write certificate
TLS trace: SSL_accept:SSLv3/TLS write key exchange
TLS trace: SSL_accept:SSLv3/TLS write certificate request
TLS trace: SSL_accept:SSLv3/TLS write server done
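Added diagnostic helpers (not part of the original post or of OpenLDAP) for narrowing down a trust failure like the one above: they verify the chain the server actually sends against ca_chain.pem with plain openssl, and check that a TLS_CACERTDIR directory carries the hashed filenames OpenSSL-based clients look up. They assume the openssl CLI is installed; host, port and paths are placeholders.

```shell
#!/bin/sh
# Assumption: the openssl command-line tool is available.

# Fetch the certificate chain the server presents in its handshake.
# Usage: fetch_server_chain HOST PORT OUTFILE   (e.g. ldap.foo.com 636 chain.pem)
fetch_server_chain() {
    host=$1; port=$2; out=$3
    openssl s_client -connect "$host:$port" -showcerts </dev/null 2>/dev/null \
      | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$out"
    [ -s "$out" ]   # fail if nothing was captured
}

# Verify a captured chain against a CA bundle the way a TLS client would:
# the first certificate in CHAIN is the leaf, the rest serve as untrusted
# intermediates. Returns 0 when the chain is trusted, non-zero otherwise.
verify_chain() {
    cafile=$1; chain=$2
    openssl verify -CAfile "$cafile" -untrusted "$chain" "$chain" >/dev/null 2>&1
}

# TLS_CACERTDIR is consulted by subject-hash filename (HASH.0), not by
# the original .pem name. Report every CA file in DIR that has no
# hashed link; returns non-zero if any is missing.
check_cacertdir() {
    dir=$1; missing=0
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue
        h=$(openssl x509 -noout -hash -in "$f" 2>/dev/null) || { echo "unreadable: $f"; missing=1; continue; }
        [ -e "$dir/$h.0" ] || { echo "no hashed link for $f (expected $dir/$h.0)"; missing=1; }
    done
    return $missing
}

# Typical run: fetch_server_chain ldap.foo.com 636 chain.pem
#              verify_chain ca_chain.pem chain.pem && echo trusted
#              check_cacertdir /path/to/ca/cert
```

If verify_chain already fails here, the problem is the bundle or the chain the server sends rather than the LDAP client; if it passes but ldapsearch still complains, the client is evidently not reading the files it was pointed at.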