Hi Kurt,
On Wed, Jun 17, 2009 at 7:26 PM, Kurt Yoder <ktyopenldap@yoderhome.com> wrote:
Some background: I have set up my own CA and generated a certificate for it, which the LDAP server is using. Without specifying this CA, I get "self-signed certificate" errors when connecting:
root@host:# openssl s_client -connect my.ldap.server:636 -showcerts
CONNECTED(00000003)
<... trimmed certificate information ...>
verify error:num=19:self signed certificate in certificate chain
[...]
My openldap is version 2.4.15 on Ubuntu Jaunty. Interestingly, I had the same message about self-signed certificates on previous Ubuntu versions, but querying ldap with "TLS_REQCERT demand" works fine.
As Howard mentioned, this should have been fixed in 2.4.16. However, could you try to put both the CA certificate *and* the server certificate in the cert file used by the slapd server (that way the whole CA chain is sent to the client by gnutls)?
--
Mathias Gug
Ubuntu Developer
http://www.ubuntu.com
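The combined certificate file suggested in the reply, as an added shell example (not code from the thread or from OpenLDAP): it generates a throwaway CA and server certificate, writes the server cert followed by the CA cert into one file in the order GnuTLS expects, checks that the leaf comes first, and reproduces the "self signed certificate in certificate chain" failure a client sees when the CA is not in its trust store. It assumes openssl is on PATH; all names and certificates are constructed test material.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes openssl is installed.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Throwaway CA plus a server certificate signed by it (constructed data).
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=my.ldap.server" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.pem" >/dev/null 2>&1
}

# One file for slapd: the server (leaf) certificate first, then its issuing CA.
build_chain_file() {
  cat "$WORK/server.pem" "$WORK/ca.pem" > "$WORK/chain.pem"
}

# Returns 0 when the first certificate in the file is the server cert
# (openssl x509 only reads the first PEM block, so this checks ordering).
chain_leaf_first() {
  first_subject=$(openssl x509 -in "$1" -noout -subject)
  case "$first_subject" in *my.ldap.server*) return 0 ;; *) return 1 ;; esac
}

# Returns 0 when the leaf validates using the chain file as intermediates and
# ca.pem as the trust anchor: what a client with TLS_CACERT=ca.pem would see.
chain_verifies() {
  openssl verify -CAfile "$WORK/ca.pem" -untrusted "$1" "$WORK/server.pem" \
    >/dev/null 2>&1
}

# Returns 0 when verification with an empty trust store fails with the same
# error 19 the original poster saw (self-signed CA present in chain, untrusted).
missing_ca_fails() {
  out=$(openssl verify -no-CAfile -no-CApath -untrusted "$1" "$WORK/server.pem" 2>&1) \
    && return 1
  echo "$out" | grep -qi "self.signed certificate in certificate chain"
}
```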