Hello,
I am trying to configure OpenLDAP with TLS/SASL, but I only get the same error (TLS certificate verification: Error, unable to get local issuer certificate). Perhaps someone has an idea what is wrong with the certificate.
Version: $OpenLDAP: slapd 2.3.43, OS: SUSE Linux Enterprise 10
Ldap Server Output:
-----------------------------------------------------------
connection_read(12): checking for input on id=31
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=31
connection_read(12): checking for input on id=31
TLS certificate verification: depth: 0, err: 20, subject: /DC=liga01/ST=Deutschland/L=Munich/O=it/CN=schmidt.muc.liga01, issuer: /DC=liga01/ST=Deutschland/O=it/CN=schmidt.muc.liga01
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept.
TLS: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned s3_srvr.c:2482
connection_read(12): TLS accept failure error=-1 id=31, closing
connection_closing: readying conn=31 sd=12 for close
connection_close: conn=31 sd=12
-----------------------------------------------------------
I created the certs following this tutorial:
http://www.openldap.org/faq/index.cgi?_highlightWords=tls&file=185
/etc/openldap/slapd.conf:
-----------------------------------------------------------
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3
TLSCertificateFile /etc/ssl/zertifikate/servercrt.pem
TLSCertificateKeyFile /etc/ssl/zertifikate/serverkey.pem
TLSCACertificateFile /etc/ssl/zertifikate/demoCA/cacert.pem
TLSVerifyClient demand
-----------------------------------------------------------
/etc/openldap/ldap.conf:
-----------------------------------------------------------
TLS_CACERT /etc/ssl/zertifikate/demoCA/cacert.pem
TLS_REQCERT demand
-----------------------------------------------------------
/etc/ldap.conf:
-----------------------------------------------------------
ssl start_tls
-----------------------------------------------------------
greets
Steffem
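Added example, not part of Steffem's post: in the slapd trace, "err: 20" is OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, raised when no certificate in TLSCACertificateFile has a subject matching the issuer of the certificate the client presented. The script below reproduces exactly that outside slapd with two throw-away CAs (one standing in for demoCA/cacert.pem, one the server never saw), issues a client certificate from each, and runs the same check slapd performs via `openssl verify -CAfile`. All names, paths and subjects (trusted, rogue, good_client, bad_client, /O=Example/...) are made up for the demo; it only needs a POSIX shell and openssl(1).

```shell
#!/bin/sh
# Added example, not from the original post: reproduce OpenSSL verify error 20
# ("unable to get local issuer certificate") with throw-away CAs. Every file
# name and DN below is invented for the demo.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME SUBJECT: self-signed CA certificate and key in $WORK
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_cert CA NAME SUBJECT: end-entity certificate signed by CA's key
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" >/dev/null 2>&1
}

# name_field subject|issuer NAME: the DN in RFC 2253 form with the
# "subject="/"issuer=" prefix stripped, so a client cert's issuer can be
# compared string for string with a CA cert's subject.
name_field() {
  openssl x509 -noout -nameopt RFC2253 "-$1" -in "$WORK/$2.pem" | sed "s/^$1=//"
}

# verify_against CAFILE CERT: the check slapd's TLSCACertificateFile boils
# down to, restricted to that one file (no system CA store). Prints OK, or the
# numeric X509 verify error; 20 is "unable to get local issuer certificate".
verify_against() {
  out="$(openssl verify -no-CApath -no-CAfile -CAfile "$WORK/$1.pem" \
        "$WORK/$2.pem" 2>&1 || true)"
  case "$out" in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
  esac
}

# demo: one CA the server trusts, one it does not, a client cert from each
demo() {
  make_ca trusted '/O=Example/CN=Trusted CA'   # stands in for demoCA/cacert.pem
  make_ca rogue   '/O=Example/CN=Other CA'     # a CA the server has never seen
  issue_cert trusted good_client '/O=Example/CN=client-good'
  issue_cert rogue   bad_client  '/O=Example/CN=client-bad'

  echo "trusted CA subject: $(name_field subject trusted)"
  for c in good_client bad_client; do
    echo "$c: issuer=$(name_field issuer "$c") verify=$(verify_against trusted "$c")"
  done
}

demo
```

Run it with `sh`; bad_client reports verify=20 against the trusted CA and OK against the rogue one, which is the whole story behind the slapd message. The practical check on the real server is the same two commands: print the issuer of the certificate the client sends (`openssl x509 -noout -issuer -in client.pem`) and the subject of every certificate in demoCA/cacert.pem, and run `openssl verify -CAfile /etc/ssl/zertifikate/demoCA/cacert.pem client.pem` on the server; if that already fails with error 20, slapd will fail the same way regardless of the TLSVerifyClient setting.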