Here is my /etc/openldap/ldap.conf:
uri ldaps://localhost
base cn=users,dc=testing,dc=com
tls_cacert /etc/openldap/cacerts/ca.key
tls_cacertdir /etc/openldap/cacerts
tls_reqcert allow
After adding the TLS options in there, I get the following:
ldapsearch -d1 -x -H ldaps://localhost:636/
ldap_create
ldap_url_parse_ext(ldaps://localhost:636/)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS: could not load verify locations (file:`/etc/openldap/cacerts/ca.key',dir:`/etc/openldap/cacerts').
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
However, the certs and keys do exist..
ls -al /etc/openldap/cacerts/
total 44
drwxr-xr-x 3 ldap ldap 4096 Apr 12 13:48 .
drwxr-xr-x 4 ldap ldap 4096 Apr 12 18:09 ..
drwxr-xr-x 2 ldap ldap 4096 Apr 12 13:45 backup
-rw-r--r-- 1 ldap ldap 1805 Apr 12 13:46 ca.cert
-rw-r--r-- 1 ldap ldap 1679 Apr 12 13:46 ca.key
-rw-r--r-- 1 ldap ldap   17 Apr 12 13:48 ca.srl
-rw-r--r-- 1 ldap ldap 1411 Apr 12 13:48 hltraindb01.crt
-rw-r--r-- 1 ldap ldap 1106 Apr 12 13:46 hltraindb01.csr
-rw-r--r-- 1 ldap ldap 1679 Apr 12 13:45 hltraindb01.key
-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@zimbra.com]
Sent: Monday, April 12, 2010 6:00 PM
To: Lynn York
Cc: openldap-technical@openldap.org
Subject: RE: Problem with SSL/TLS
--On Monday, April 12, 2010 2:20 PM -0400 Lynn York lynn.york@mavenwire.com wrote:
> TLS certificate verification: depth: 0, err: 18, subject: /C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=mw-hosting-sysadmin@testing.com, issuer: /C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=mw-hosting-sysadmin@testing.com
> TLS certificate verification: Error, self signed certificate
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
The above error seems very clear to me. The CA for the offered cert is unknown. Either your CA path for OpenLDAP is wrong in your OpenLDAP ldap.conf file (which is set via the TLS_CACERT or TLS_CACERTDIR variables), or you've pointed at the wrong one, etc.
As has been noted numerous times to you so far, /etc/ldap.conf is not the place you set these variables. You fail to show your /etc/ldap/ldap.conf (assuming that's the location of it) settings.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration

MavenWire - We DELIVER http://www.mavenwire.com
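The debug output above names the file libldap tried to load as its verify location, /etc/openldap/cacerts/ca.key, and the directory listing shows that file next to ca.cert. Quanah's point is that TLS_CACERT in the client ldap.conf must name the CA certificate. The following is an added example written for this page, not code from the thread or from OpenLDAP: a small POSIX sh pre-flight check that reads an ldap.conf, extracts TLS_CACERT, confirms the file is a PEM certificate rather than a private key, and warns when TLS_REQCERT is set to allow or never. The fixture directory, the conf files in it and the placeholder PEM bodies are constructed for the example; the check inspects PEM headers only and does not validate the chain, which is what `openssl verify -CAfile <ca cert> <server cert>` is for once the path is right.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the TLS_CACERT directive of
# an OpenLDAP client ldap.conf before running ldapsearch. It inspects PEM
# headers only, so it needs no openssl binary and runs offline.

# Classify a PEM file. Returns 0 for a certificate, 1 for a private key,
# 2 when the file is missing, unreadable, or neither.
pem_kind() {
    f="$1"
    [ -r "$f" ] || return 2
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
        return 0
    fi
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
        return 1
    fi
    return 2
}

# Print the value of a directive from ldap.conf (case-insensitive match on
# the directive name; the last occurrence in the file is taken).
conf_get() {
    conf="$1"; name="$2"
    grep -i "^[[:space:]]*${name}[[:space:]]" "$conf" | tail -n 1 | awk '{print $2}'
}

# Check one ldap.conf. Prints findings; returns 0 only when TLS_CACERT names
# a readable PEM certificate.
check_ldap_conf() {
    conf="$1"
    rc=0
    cacert=$(conf_get "$conf" TLS_CACERT)
    if [ -z "$cacert" ]; then
        echo "WARN: $conf: no TLS_CACERT set"
        rc=1
    else
        kind=0
        pem_kind "$cacert" || kind=$?
        case "$kind" in
            0) echo "OK: TLS_CACERT $cacert is a PEM certificate" ;;
            1) echo "ERROR: TLS_CACERT $cacert is a PRIVATE KEY, not a CA certificate"
               rc=1 ;;
            *) echo "ERROR: TLS_CACERT $cacert is missing or not PEM"
               rc=1 ;;
        esac
    fi
    reqcert=$(conf_get "$conf" TLS_REQCERT | tr 'A-Z' 'a-z')
    case "$reqcert" in
        never|allow) echo "WARN: TLS_REQCERT $reqcert: server certificate errors are not enforced" ;;
    esac
    return "$rc"
}

# Constructed fixture (hypothetical paths and placeholder PEM bodies; only the
# headers matter here): a CA cert, the CA private key, a conf that names the
# key as the trust anchor the way the thread's ldap.conf did, and a corrected
# conf. Prints the fixture directory.
make_fixture() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder...' \
        '-----END CERTIFICATE-----' > "$d/ca.cert"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIE...placeholder...' \
        '-----END RSA PRIVATE KEY-----' > "$d/ca.key"
    printf '%s\n' 'uri ldaps://localhost' 'base cn=users,dc=testing,dc=com' \
        "tls_cacert $d/ca.key" 'tls_reqcert allow' > "$d/bad.conf"
    printf '%s\n' 'uri ldaps://localhost' 'base cn=users,dc=testing,dc=com' \
        "tls_cacert $d/ca.cert" 'tls_reqcert demand' > "$d/good.conf"
    echo "$d"
}

# Demonstration on the fixture.
FIX=$(make_fixture)
check_ldap_conf "$FIX/bad.conf" || echo "=> fix $FIX/bad.conf before running ldapsearch"
check_ldap_conf "$FIX/good.conf" && echo "=> $FIX/good.conf looks usable for: ldapsearch -x -H ldaps://localhost:636/"
```

Run it against the real client file with `check_ldap_conf /etc/openldap/ldap.conf` (the path OpenLDAP on that system actually reads, not the nss_ldap /etc/ldap.conf). A passing check only means the trust anchor file is the right kind of object; whether the server's certificate was actually issued by that CA is still a question for openssl verify or for ldapsearch -d1 itself.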