Hi,
Did you provide FQDN e.g server1.example.com to the common name section ? while creating the certificate ?
Hope the permission of the files are are also correct.
Regards, Neo
On Fri, Sep 16, 2011 at 9:57 AM, vijay s sheelavantar < s_vijay65@rediffmail.com> wrote:
Hi, I am trying to configure LDAP Client/server on 2 Fedora-10 linux machines.
I have installed and configured openldap-2.4.26 server on one machine and pam_ldap-186, nss_ldap-265 on the other machines.
I have created the TLS certificates using following command on the server.
openssl req -newkey rsa:1024 -x509 -nodes -out \ server.pem -keyout server.pem -days 3650
and I have created the client.pem by copying CERTIFICATE portion of the server.pem.
When my client try to connect to the server I get following errors.
*TLS trace: SSL3 alert read:fatal:unknown CA TLS trace: SSL_accept:failed in SSLv3 read client certificate A TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca. connection_read(12): TLS accept failure error=-1 id=1012, closing connection_closing: readying conn=1012 sd=12 for close connection_close: conn=1012 sd=12 daemon: removing 12 conn=1012 fd=12 closed (TLS negotiation failure)
My Configurations are as follows.
slapd.conf
access to attrs=userPassword by self write by anonymous auth by * none
access to * by * read
#TLS Certificate section TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA TLSCACertificateFile /etc/openldap/cacerts/server.pem TLSCertificateFile /etc/openldap/cacerts/server.pem TLSCertificateKeyFile /etc/openldap/cacerts/server.pem TLSVerifyClient allow
and client side ldap.conf
base dc=samsung,dc=com uri ldaps://10.254.204.181/ TLS_CACERT /etc/openldap/cacerts/client.pem pam_password md5
nsswitch.conf
passwd: files ldap shadow: files ldap group: files ldap
netgroup: files ldap automount: files ldap
I am not getting why it is saying Unknown ca. even though the certificate is created on server machine itself.
Kindly help me to solve this problem.
http://sigads.rediff.com/RealMedia/ads/click_nx.ads/www.rediffmail.com/signatureline.htm@Middle? Treat yourself at a restaurant, spa, resort and much more with *Rediff Deal ho jaye!http://track.rediff.com/click?url=___http://dealhojaye.rediff.com?sc_cid=mailsignature___&cmp=signature&lnk=rediffmailsignature&newservice=deals