On 02/24/2012 11:57 AM, Aaron Bennett wrote:
From: Rich Megginson [mailto:rich.megginson@gmail.com]
See http://www.openldap.org/faq/data/cache/1514.html Using Builtin Root Certs:
Hi Rich,
Thanks for responding.
I read that. So, I did ln -s /usr/lib64/libnssckbi.so to my nss key directory... doesn't seem to have any effect. If I do certutil -d /etc/openldap/nssdb/ -L -h all then it shows all of those certs as expected, including:
Builtin Object Token:GeoTrust Global CA C,C,C
Builtin Object Token:GeoTrust Global CA 2 C,C,C
Builtin Object Token:GeoTrust Universal CA C,C,C
Builtin Object Token:GeoTrust Universal CA 2 C,C,C
Builtin Object Token:GeoTrust Primary Certification Authority C,,
Builtin Object Token:GeoTrust Primary Certification Authority - G3 C,C,C
Builtin Object Token:GeoTrust Primary Certification Authority - G2 C,C,C
For Geotrust. It still shows the geotrust-intermediate cert that I imported:
geotrust-intermediate ,,
as well. But with or without an explicit "olcTLSCACertificateFile: geotrust-intermediate", ldapwhoami -d1 produces:
ldap_url_parse_ext(ldaps://ds.clarku.edu)
ldap_create
ldap_url_parse_ext(ldaps://ds.clarku.edu:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ds.clarku.edu:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 140.232.1.12:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Is the ldapwhoami client on the same machine as the server? What is the client TLS configuration?
What am I missing?
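For readers checking the same kind of NSS database as the one discussed above, here is a small added helper (not part of the thread, and not certutil's own code) that parses the output of certutil -L -h all and reports which entries carry the "C" flag in the SSL column, i.e. which ones NSS will actually accept as trust anchors for a TLS server chain, versus entries like the intermediate above that have no trust flags at all. The listing embedded below is constructed to mirror the thread's output, not captured from a real system.

```python
import re
from typing import Dict, List, NamedTuple

class NssCert(NamedTuple):
    nickname: str
    ssl: str      # trust flags for the SSL/TLS purpose
    email: str    # trust flags for S/MIME
    objsign: str  # trust flags for object signing

# Constructed sample in the shape of `certutil -d <nssdb> -L -h all` output;
# the nicknames and flags are taken from the thread, the header from certutil.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:GeoTrust Global CA                      C,C,C
Builtin Object Token:GeoTrust Primary Certification Authority C,,
geotrust-intermediate                                        ,,
"""

# Nickname, whitespace, then the three comma-separated trust columns at line end.
LINE_RE = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")

# certutil trust-flag meanings for the SSL column (from the certutil man page).
SSL_FLAG_MEANING: Dict[str, str] = {
    "C": "trusted CA to issue server certs",
    "T": "trusted CA to issue client certs",
    "c": "valid CA (not trusted)",
    "P": "trusted peer",
    "u": "user cert (private key present)",
    "p": "prohibited",
}

def parse_certutil_listing(text: str) -> List[NssCert]:
    """Turn a certutil -L listing into NssCert records; header lines are skipped."""
    certs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, blank line, or the SSL,S/MIME,JAR/XPI legend
        ssl, email, objsign = m.group("trust").split(",")
        certs.append(NssCert(m.group("nick"), ssl, email, objsign))
    return certs

def tls_trust_anchors(certs: List[NssCert]) -> List[str]:
    """Nicknames NSS will use as trusted CAs when validating a TLS server chain."""
    return [c.nickname for c in certs if "C" in c.ssl]

def no_trust_flags(certs: List[NssCert]) -> List[str]:
    """Entries present in the DB but carrying no trust at all (flags ',,')."""
    return [c.nickname for c in certs if not (c.ssl or c.email or c.objsign)]

def describe_ssl_trust(cert: NssCert) -> str:
    """Human-readable expansion of a cert's SSL trust flags."""
    meanings = [SSL_FLAG_MEANING.get(f, f"unknown flag {f!r}") for f in cert.ssl]
    return f"{cert.nickname}: " + (", ".join(meanings) if meanings else "no SSL trust")
```

A ",," entry such as geotrust-intermediate is stored but never treated as a trust anchor; trust has to come from a "C"-flagged root that the server's chain actually reaches.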