I tried to test with ldapsearch, but it ignores ldap.conf somehow (where the CA certificate is defined) and I always receive:

additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)

Tried with ldapsearch -Z -d 1 -h ldap.domain.com
2010/9/16 Dieter Kluenter dieter@dkluenter.de:
c0re nr1c0re@gmail.com writes:
# making clientkey
openssl genrsa -out client.key 2048
# making certificate request
openssl req -new -key client.key -out client.csr
# signing
openssl x509 -req -days 1024 -CA ../ssl/rootcrt.pem -CAkey ../ssl/rootkey.pem -in client.csr -out client.crt -CAserial ../ssl/root.seq

# configuring on client
TLS_CACERT /usr/local/etc/openldap/ssl-client/rootcrt.pem
TLS_CERT /usr/local/etc/openldap/ssl-client/client.crt
TLS_KEY /usr/local/etc/openldap/ssl-client/client.key
Trying again with slapd debug and client calling "id test"
[...] As there are no obvious errors in the log, you should get TLS working properly prior to testing with PAM. Just do an ldapsearch or an ldapwhoami, either on the URI ldaps:// or with StartTLS on ldap://
-Dieter
--
Dieter Klünter | Systemberatung
sip: 7770535@sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
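Added example (not code from the thread, nor an OpenLDAP project script) that walks the check Dieter suggests before involving PAM: it rebuilds the CA and client-cert steps above with throwaway keys, verifies the chain with openssl, and lists which ldap.conf files libldap reads for a build whose sysconfdir is assumed to be /usr/local/etc/openldap, matching the paths in the thread. The "self signed certificate in certificate chain" error is what a client reports when the peer's chain ends in a root that is not in the CA file it actually read, and the mismatch case in demo reproduces exactly that condition.

```shell
# Added example, not code from the thread. Rebuilds the thread's CA/client-cert
# steps with throwaway keys, checks the chain with openssl before ldapsearch is
# involved, and lists the ldap.conf files libldap consults for a client run.
set -e
# Self-signed test CA ($2 = its CN) plus a client cert signed by it, written to
# directory $1. Same openssl steps as the thread, with constructed subjects.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/rootkey.pem" -out "$1/rootcrt.pem" 2>/dev/null
    openssl genrsa -out "$1/client.key" 2048 2>/dev/null
    openssl req -new -key "$1/client.key" -subj "/CN=test client" \
        -out "$1/client.csr" 2>/dev/null
    openssl x509 -req -days 30 -CA "$1/rootcrt.pem" -CAkey "$1/rootkey.pem" \
        -CAserial "$1/root.seq" -CAcreateserial \
        -in "$1/client.csr" -out "$1/client.crt" 2>/dev/null
}
# Exit 0 if CERT ($2) chains to a root in CAFILE ($1). Optional $3 plays the
# chain a TLS peer sends along with its certificate: if that chain ends in a
# self-signed root that is missing from CAFILE, openssl fails with the thread's
# error, "self signed certificate in certificate chain".
chain_ok() {
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}
# Print, in the order libldap reads them, the client config files for a build
# whose sysconfdir is $1 (assumed /usr/local/etc/openldap here; distro packages
# often use /etc/ldap or /etc/openldap). A TLS_CACERT line in any other
# ldap.conf is never read, however correct it is.
ldap_conf_candidates() {
    if [ -n "${LDAPNOINIT:-}" ]; then echo "(none: LDAPNOINIT is set)"; return 0; fi
    echo "$1/ldap.conf"
    echo "$HOME/ldaprc"; echo "$HOME/.ldaprc"; echo "./ldaprc"
    [ -z "${LDAPCONF:-}" ] || echo "$LDAPCONF"
    [ -z "${LDAPRC:-}" ] || { echo "$HOME/$LDAPRC"; echo "$HOME/.$LDAPRC"; echo "./$LDAPRC"; }
}
# Demo: the cert verifies against its own CA but not when the CA file holds a
# different root, even though the peer-supplied chain carries the right one.
demo() {
    tmp=$(mktemp -d); mkdir "$tmp/a" "$tmp/b"
    make_test_pki "$tmp/a" "Test CA A"; make_test_pki "$tmp/b" "Test CA B"
    chain_ok "$tmp/a/rootcrt.pem" "$tmp/a/client.crt" && echo "right CA file: verify ok"
    chain_ok "$tmp/b/rootcrt.pem" "$tmp/a/client.crt" "$tmp/a/rootcrt.pem" \
        || echo "wrong CA file: certificate verify failed (what ldapsearch reported)"
    rm -rf "$tmp"
}
demo
```

If the chain verifies but ldapsearch -d 1 still fails, confirm that the ldap.conf you edited is one of the listed candidates, or hand the CA file to the test run directly through the LDAPTLS_CACERT environment variable, which libldap reads after the config files.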