On 02/24/2012 11:57 AM, Aaron Bennett wrote:
From: Rich Megginson [mailto:rich.megginson@gmail.com]

See http://www.openldap.org/faq/data/cache/1514.html
Using Builtin Root Certs:

-

Hi Rich,

Thanks for responding.

I read that. So, I did ln -s /usr/lib64/libnssckbi.so to my nss key directory… doesn’t seem to have any effect. If I do certutil -d /etc/openldap/nssdb/ -L -h all then it shows all of those certs as expected, including:

Builtin Object Token:GeoTrust Global CA                      C,C,C
Builtin Object Token:GeoTrust Global CA 2                    C,C,C
Builtin Object Token:GeoTrust Universal CA                   C,C,C
Builtin Object Token:GeoTrust Universal CA 2                 C,C,C
Builtin Object Token:GeoTrust Primary Certification Authority C,,
Builtin Object Token:GeoTrust Primary Certification Authority - G3 C,C,C
Builtin Object Token:GeoTrust Primary Certification Authority - G2 C,C,C


For Geotrust. It still shows the geotrust-intermediate cert that I imported:

geotrust-intermediate                                        ,,

as well. But with or without an explicit “olcTLSCACertificateFile: geotrust-intermediate”, ldapwhoami -d1 produces:

ldap_url_parse_ext(ldaps://ds.clarku.edu)
ldap_create
ldap_url_parse_ext(ldaps://ds.clarku.edu:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ds.clarku.edu:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 140.232.1.12:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Is the ldapwhoami client on the same machine as the server?   What is the client TLS configuration?
What am I missing?
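The certutil listing quoted in the thread shows the imported intermediate with empty trust attributes (",,"), while the builtin roots carry C in the SSL column. As an added example, not code from the thread, here is a small POSIX-shell check that parses certutil -L output and lists the certificates NSS holds but will not use as an SSL trust anchor; the sample listing is constructed from the entries quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: find entries in a `certutil -L`
# listing whose SSL trust group carries neither C (trusted CA) nor T,
# i.e. certificates present in the NSS database that will not act as a
# trust anchor when a client validates a TLS peer chain.

# Parse certutil -L output on stdin; print one nickname per line that is
# not trusted as an SSL CA. The trust column is the last whitespace-
# delimited field and has three comma-separated flag groups
# (SSL, S/MIME, JAR/XPI); nicknames may themselves contain spaces.
nss_untrusted_ssl_cas() {
    awk '
        $NF ~ /^[CTcPpu]*,[CTcPpu]*,[CTcPpu]*$/ {
            split($NF, grp, ",")
            if (grp[1] ~ /[CT]/) next          # trusted for SSL: fine
            sub(/[ \t]+[^ \t]+[ \t]*$/, "")    # drop trust column, keep nickname
            print
        }
    '
}

# Constructed sample listing, laid out the way certutil -L prints it.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:GeoTrust Global CA                      C,C,C
Builtin Object Token:GeoTrust Primary Certification Authority C,,
geotrust-intermediate                                        ,,'

# Run the check over the constructed sample; on a real host you would
# instead pipe: certutil -d /etc/openldap/nssdb -L | nss_untrusted_ssl_cas
check_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | nss_untrusted_ssl_cas
}

check_sample
```

For the sample above the only line reported is geotrust-intermediate, which matches the ",," entry in the thread.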