/etc/ldap.conf is used by nss tools and the ilk.
/etc/openldap/ldap.conf would be used by openldap tools - like ldapsearch.
I have the same setting there for tls_checkpeer - but in the latter ldap.conf (under openldap).
FWIW: there's apparently no real difference in format between the two files; while one would only be set up on ldap servers, mine are identical and things work with a mirror master, both set up behind a VIP (fail over, not load balanced) and a plethora of slaves in different subdomains.
- chris
PS: I'd forgotten to 'reply-to-all' earlier. :)
Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
email: chris.jacobs@apollogrp.edu
________________________________
From: Lynn York
To: Chris Jacobs
Sent: Mon Apr 12 10:29:19 2010
Subject: RE: Problem with SSL/TLS

Here is my /etc/ldap.conf:

#host 127.0.0.1
base cn=users,dc=testing,dc=com
uri ldap://localhost:636
binddn cn=manager,dc=testing,dc=com
bindpw password
scope sub
timelimit 120
bind_policy soft
bind_timelimit 120
idle_timelimit 3600
ssl on
tls_cacert /etc/openldap/cacerts/servercrt.pem
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
nss_base_group cn=groups,dc=testing,dc=com?sub
pam_password md5
I have tried it with and without "tls_checkpeer"... I am sort of at a loss as to what it can be. I also tested it using the openssl client, and here is the output:
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/ST=Pennsylvania/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=testing@testing.com
verify return:1
depth=0 /C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=testing@testing.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=testing@testing.com
   i:/C=US/ST=Pennsylvania/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=testing@testing.com
-----BEGIN CERTIFICATE-----
MIIDPzCCAqigAwIBAgIBATANBgkqhkiG9w0BAQUFADCBmTELMAkGA1UEBhMCVVMx
FTATBgNVBAgTDFBlbm5zeWx2YW5pYTEXMBUGA1UEChMOTWF2ZW5XaXJlLCBMTEMx
EDAOBgNVBAsTB1N1cHBvcnQxFjAUBgNVBAMTDW1hdmVud2lyZS5jb20xMDAuBgkq
hkiG9w0BCQEWIW13LWhvc3Rpbmctc3lzYWRtaW5AbWF2ZW53aXJlLmNvbTAeFw0x
MDA0MDkyMDUwNDlaFw0xMTA0MDkyMDUwNDlaMIGzMQswCQYDVQQGEwJVUzEVMBMG
A1UECBMMUGVubnN5bHZhbmlhMRgwFgYDVQQHEw9LaW5nIG9mIFBydXNzaWExFzAV
BgNVBAoTDk1hdmVuV2lyZSwgTExDMRAwDgYDVQQLEwdTdXBwb3J0MRYwFAYDVQQD
Ew1tYXZlbndpcmUuY29tMTAwLgYJKoZIhvcNAQkBFiFtdy1ob3N0aW5nLXN5c2Fk
bWluQG1hdmVud2lyZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMGp
U5HS8A2DRokU5TQz1Dyycx/VA2uhrRwatTPq8xtoQigWM2feiXUwtoiQ/gP3IjB5
AJLf8aC8y72Io2IME4aqh1s7bdscV2b0QMs1MfXiL9h2XQWZVCkgDLjjb1XzHhlw
3I6vkrh/uGH2PQyXbuG/6dIguzCHfnGgGXgy1o45AgMBAAGjezB5MAkGA1UdEwQC
MAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl
MB0GA1UdDgQWBBR0mZkOwZZjYFiWlloEvgSpoPxOuzAfBgNVHSMEGDAWgBS7Iqbt
j25p56k4BdHpXYG3xjhdijANBgkqhkiG9w0BAQUFAAOBgQARO7OcDgNOZ3WuP9IM
mUeQWuGVBAh7MQ3Uv2HrSOAfTHxg/QxjCZZlwULq1EZZDHNgyPMM+5ElWSID5El/
fdxHcizNOjPPuVPwtJIrs8RhTIehn0aKryqtkvpcAnxFuc+VxwcCBhV58wtbSuXL
PXRTvoTDXWkiXwdR4m1bubOF5A==
-----END CERTIFICATE-----
 1 s:/C=US/ST=Pennsylvania/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=testing@testing.com
   i:/C=US/ST=Pennsylvania/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=testing@testing.com
-----BEGIN CERTIFICATE-----
MIIDJTCCAo6gAwIBAgIBADANBgkqhkiG9w0BAQUFADCBmTELMAkGA1UEBhMCVVMx
FTATBgNVBAgTDFBlbm5zeWx2YW5pYTEXMBUGA1UEChMOTWF2ZW5XaXJlLCBMTEMx
EDAOBgNVBAsTB1N1cHBvcnQxFjAUBgNVBAMTDW1hdmVud2lyZS5jb20xMDAuBgkq
hkiG9w0BCQEWIW13LWhvc3Rpbmctc3lzYWRtaW5AbWF2ZW53aXJlLmNvbTAeFw0x
MDA0MDkyMDUwMDBaFw0xMzA0MDgyMDUwMDBaMIGZMQswCQYDVQQGEwJVUzEVMBMG
A1UECBMMUGVubnN5bHZhbmlhMRcwFQYDVQQKEw5NYXZlbldpcmUsIExMQzEQMA4G
A1UECxMHU3VwcG9ydDEWMBQGA1UEAxMNbWF2ZW53aXJlLmNvbTEwMC4GCSqGSIb3
DQEJARYhbXctaG9zdGluZy1zeXNhZG1pbkBtYXZlbndpcmUuY29tMIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQC6yVPz1ccamBapkRR8vTjpiKj7JuJKdCecTQ7/
f2KWoIRuYdEWU4njEsu/KHQWmxR0lelqOzM15EHVanOJCsPKCEMQg4lY5cQm8W1Q
YCGQyqg0ITQ6nbPuQchFHHnldqYZsfiWjly8SC454B61ItHi9Lcxvfh4cVonSCqw
KeoF4wIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NM
IEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUuyKm7Y9uaeepOAXR6V2B
t8Y4XYowHwYDVR0jBBgwFoAUuyKm7Y9uaeepOAXR6V2Bt8Y4XYowDQYJKoZIhvcN
AQEFBQADgYEAg5xdwSmeF2afO1UJZys5Mmvn7YfUdOIRgVaYN5sQLt1ixCXjDEew
56br5RKs2W6PaqeXl7CN5bYqxDDo3ekds9uquzE91HaKH04gQUc+/NA82y5NiaGZ
EOiLoTvc/+PShAjl8ZVwf+eNloay2FChb6S47rX0f28tKXpteWax00k=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=testing@testing.com
issuer=/C=US/ST=Pennsylvania/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=testing@testing.com
---
Acceptable client certificate CA names
/C=US/ST=Pennsylvania/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=testing@testing.com
/C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=testing@testing.com
---
SSL handshake has read 2160 bytes and written 2117 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 7475F12DDB7A8CAE5047244136B5CDBD877D9C71E72B7DE379FEEC681ECA635C
    Session-ID-ctx:
    Master-Key: 5253A27AAB6096A906DD64C1565110582414DE0B24543D7275D267235BDF06F75EA1E745323E6E34420D90613AD74BF7
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1271093212
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
That all appears to be OK… which is confusing to me as to why it won’t work?
From: Chris Jacobs [mailto:Chris.Jacobs@apollogrp.edu]
Sent: Monday, April 12, 2010 12:30 PM
To: 'lynn.york@mavenwire.com'
Subject: Re: Problem with SSL/TLS
Did you setup the CA's cert as a trusted CA on your clients?
There is also a setting to skip verifying the cert for /etc/openldap/ldap.conf - but I can't recall atm.
- chris
________________________________
From: openldap-technical-bounces+chris.jacobs=apollogrp.edu@OpenLDAP.org
To: openldap-technical@openldap.org
Sent: Mon Apr 12 08:13:39 2010
Subject: Problem with SSL/TLS

I have created a cert. on the server and openldap starts without any issues, however when I attempt to connect via ldaps I keep getting the following error:

ldapsearch -x -H ldaps://localhost:636 -D "cn=Manager,dc=testing,dc=com" -W -b "dc=testing,dc=com" "(objectClass=top)"
Enter LDAP Password:
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I can't quite pin point what the problem might be.

Lynn York II
MavenWire Hosting Admin
www.mavenwire.com
(866) 343-4870 x717

MavenWire - We DELIVER
http://www.mavenwire.com

This e-mail and any attached files may contain confidential and/or privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive this e-mail for the recipient), you may not review, copy or distribute this message. Please contact the sender by reply e-mail and delete all copies of this message.
________________________________ This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.
Chris Jacobs wrote:
/etc/ldap.conf is used by nss tools and the ilk.
/etc/openldap/ldap.conf would be used by openldap tools - like ldapsearch.
Actually it's used by libldap, which means everything that uses libldap (including nss_ldap). But of course the converse is not true, /etc/ldap.conf only affects nss_ldap and pam_ldap, not anything else.
I have the same setting there for tls_checkpeer - but in the latter ldap.conf (under openldap).
tls_checkpeer is not a valid OpenLDAP ldap.conf keyword.
FWIW: there's apparently no real different format for the two files; while one would only be setup on ldap servers, mine are identical and things work with a
If they are identical and things work, it's by sheer luck. Read the ldap.conf(5) manpage. Relying on anything not documented there would be a mistake.
To the original poster: use the ldapsearch debug flag. OpenSSL s_client is not a reliable indicator of anything.
mirror master, both setup behind a VIP (fail over, not load balanced) and a plethora of slaves in different subdomains.
- chris
PS: I'd forgotten to 'reply-to-all' earlier. :)
OK... So I think I made some progress on this issue....
Here is my /etc/ldap.conf file:
cat /etc/ldap.conf
#host 127.0.0.1
base cn=users,dc=testing,dc=com
uri ldaps://localhost
binddn cn=manager,dc=testing,dc=com
bindpw password
scope sub
timelimit 120
bind_policy soft
bind_timelimit 120
idle_timelimit 3600
ssl on
tls_cacert /etc/openldap/cacerts/ca.key
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
tls_reqcert allow
nss_base_group cn=groups,dc=testing,dc=com?sub
pam_password md5
When I use "tcpdump" to actually view the packets, everything appears to be encrypted and I get the results I am looking for when I issue the "getent passwd" command. However, when I change "tls_checkpeer" to "yes" or comment it out of the config, I do not get the expected results from 'getent passwd'. Also, here is the output from the ldapsearch debug:
ldapsearch -d1 -x -H ldaps://localhost:636/
ldap_create
ldap_url_parse_ext(ldaps://localhost:636/)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject: /C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=mw-hosting-sysadmin@testing.com, issuer: /C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=mw-hosting-sysadmin@testing.com
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
When I issue a search using just ldap://localhost it works, but the data is not encrypted. How does it encrypt the data if it can't verify the certificate?
-Lynn
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Monday, April 12, 2010 2:09 PM
To: Chris Jacobs
Cc: 'lynn.york@mavenwire.com'; 'openldap-technical@openldap.org'
Subject: Re: Problem with SSL/TLS
--On Monday, April 12, 2010 2:20 PM -0400 Lynn York lynn.york@mavenwire.com wrote:
TLS certificate verification: depth: 0, err: 18, subject: /C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=mw-hosting-sysadmin@testing.com, issuer: /C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=mw-hosting-sysadmin@testing.com
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
The above error seems very clear to me. The CA for the offered cert is unknown. Either your CA path for OpenLDAP is wrong in your OpenLDAP ldap.conf file (which is set via the TLS_CACERT or TLS_CACERTDIR variables), or you've pointed at the wrong one, etc.
As has been noted numerous times to you so far /etc/ldap.conf is not the place you set these variables. You fail to show your /etc/ldap/ldap.conf (assuming that's the location of it) settings.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Here is my /etc/openldap/ldap.conf:
uri ldaps://localhost
base cn=users,dc=testing,dc=com
tls_cacert /etc/openldap/cacerts/ca.key
tls_cacertdir /etc/openldap/cacerts
tls_reqcert allow
After adding the TLS options in there, I get the following:
ldapsearch -d1 -x -H ldaps://localhost:636/
ldap_create
ldap_url_parse_ext(ldaps://localhost:636/)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS: could not load verify locations (file:`/etc/openldap/cacerts/ca.key',dir:`/etc/openldap/cacerts').
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
However, the certs and keys do exist:
ls -al /etc/openldap/cacerts/
total 44
drwxr-xr-x 3 ldap ldap 4096 Apr 12 13:48 .
drwxr-xr-x 4 ldap ldap 4096 Apr 12 18:09 ..
drwxr-xr-x 2 ldap ldap 4096 Apr 12 13:45 backup
-rw-r--r-- 1 ldap ldap 1805 Apr 12 13:46 ca.cert
-rw-r--r-- 1 ldap ldap 1679 Apr 12 13:46 ca.key
-rw-r--r-- 1 ldap ldap   17 Apr 12 13:48 ca.srl
-rw-r--r-- 1 ldap ldap 1411 Apr 12 13:48 hltraindb01.crt
-rw-r--r-- 1 ldap ldap 1106 Apr 12 13:46 hltraindb01.csr
-rw-r--r-- 1 ldap ldap 1679 Apr 12 13:45 hltraindb01.key
-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@zimbra.com]
Sent: Monday, April 12, 2010 6:00 PM
To: Lynn York
Cc: openldap-technical@openldap.org
Subject: RE: Problem with SSL/TLS
--On Monday, April 12, 2010 6:13 PM -0400 Lynn York lynn.york@mavenwire.com wrote:
Here is my /etc/openldap/ldap.conf:
uri ldaps://localhost
base cn=users,dc=testing,dc=com
tls_cacert /etc/openldap/cacerts/ca.key
tls_cacertdir /etc/openldap/cacerts
tls_reqcert allow
You specify *one* of the two options (Either TLS_CACERT or TLS_CACERTDIR). Not both. If you are specifying the file, then it needs to be the cert, not the key.
TLS: could not load verify locations (file:`/etc/openldap/cacerts/ca.key',dir:`/etc/openldap/cacerts').
However, the certs and keys do exist:
ls -al /etc/openldap/cacerts/
total 44
drwxr-xr-x 3 ldap ldap 4096 Apr 12 13:48 .
drwxr-xr-x 4 ldap ldap 4096 Apr 12 18:09 ..
drwxr-xr-x 2 ldap ldap 4096 Apr 12 13:45 backup
-rw-r--r-- 1 ldap ldap 1805 Apr 12 13:46 ca.cert
-rw-r--r-- 1 ldap ldap 1679 Apr 12 13:46 ca.key
What about the permissions on /etc/openldap and /etc/openldap/cacerts?
I.e., if you su - ldap, can you actually read /etc/openldap/cacerts/ca.cert?
--Quanah
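Pulling the replies together, here is an added example (not code posted in this thread, and not part of OpenLDAP) that statically checks an OpenLDAP client ldap.conf for the mistakes discussed above: a private key where TLS_CACERT should name a certificate, both TLS_CACERT and TLS_CACERTDIR set at once, TLS_REQCERT allow/never, and the nss_ldap-only tls_checkpeer keyword sitting in the wrong file. It also adds one check the thread does not spell out: a TLS_CACERTDIR is only useful once it holds hash-named links (c_rehash or openssl rehash), which the ls output above shows /etc/openldap/cacerts did not. The configs, paths and PEM-shaped placeholder files in the demo are constructed for this example and contain no real key or certificate material.

```sh
#!/bin/sh
# Static sanity check of an OpenLDAP client ldap.conf (/etc/openldap/ldap.conf).
# Added example for this thread; not the posters' code and not part of OpenLDAP.
# Sample files created by write_samples are constructed placeholders.

# getkw CONF KEYWORD: print the first value of KEYWORD (ldap.conf keywords are
# case-insensitive; comment lines are skipped), or nothing if it is unset.
getkw() {
    awk -v kw="$2" 'BEGIN { kw = tolower(kw) }
        !/^[[:space:]]*#/ && tolower($1) == kw { print $2; exit }' "$1"
}

# check_ldap_conf CONF: print one finding per line. Always returns 0 so a
# caller can count findings with "| wc -l". The -r test only reflects the
# user running this script, so run it as the client's account (e.g. su - ldap).
check_ldap_conf() {
    conf="$1"
    cacert=$(getkw "$conf" tls_cacert)
    cacertdir=$(getkw "$conf" tls_cacertdir)
    reqcert=$(getkw "$conf" tls_reqcert | tr 'A-Z' 'a-z')
    checkpeer=$(getkw "$conf" tls_checkpeer)

    if [ -n "$cacert" ] && [ -n "$cacertdir" ]; then
        echo "WARN: both TLS_CACERT and TLS_CACERTDIR set; use one of them"
    elif [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "WARN: no trust anchor configured in this file (TLS_CACERT or TLS_CACERTDIR)"
    fi

    if [ -n "$cacert" ]; then
        if [ ! -r "$cacert" ]; then
            echo "FAIL: TLS_CACERT $cacert is not readable by $(id -un)"
        elif grep -q 'PRIVATE KEY' "$cacert"; then
            echo "FAIL: TLS_CACERT $cacert is a private key, not a CA certificate"
        elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cacert"; then
            echo "FAIL: TLS_CACERT $cacert contains no PEM certificate"
        fi
    fi

    if [ -n "$cacertdir" ]; then
        if [ ! -d "$cacertdir" ]; then
            echo "FAIL: TLS_CACERTDIR $cacertdir is not a directory"
        elif ! ls "$cacertdir" | grep -q -E '^[0-9a-f]{8}\.[0-9]+$'; then
            echo "WARN: TLS_CACERTDIR $cacertdir has no hash-named links (run c_rehash or 'openssl rehash')"
        fi
    fi

    case "$reqcert" in
        never|allow)
            echo "WARN: TLS_REQCERT $reqcert accepts a bad server certificate; use demand (the default)" ;;
    esac

    if [ -n "$checkpeer" ]; then
        echo "WARN: tls_checkpeer is an nss_ldap/pam_ldap keyword; libldap ignores it here"
    fi
    return 0
}

# write_samples DIR: constructed placeholder files plus two configs. The
# "broken" one mirrors the thread's mistakes; the "fixed" one is the shape the
# replies recommend (keywords in upper case to show they are case-insensitive).
write_samples() {
    dir="$1"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY' \
        '-----END RSA PRIVATE KEY-----' > "$dir/ca.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERT' \
        '-----END CERTIFICATE-----' > "$dir/ca.cert"
    cat > "$dir/broken.conf" <<EOF
uri ldaps://localhost
base cn=users,dc=testing,dc=com
tls_cacert $dir/ca.key
tls_cacertdir $dir
tls_reqcert allow
tls_checkpeer no
EOF
    cat > "$dir/fixed.conf" <<EOF
uri ldaps://localhost
base cn=users,dc=testing,dc=com
TLS_CACERT $dir/ca.cert
TLS_REQCERT demand
EOF
}

# Demo run on the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
echo "== broken.conf =="; check_ldap_conf "$tmp/broken.conf"
echo "== fixed.conf ==";  check_ldap_conf "$tmp/fixed.conf"
rm -rf "$tmp"
```

Run it as the account that actually opens the LDAP connection (for nss_ldap on this host, `su - ldap` as Quanah suggests) so the readability check answers the permissions question for the right user; the broken sample reports five findings, the fixed one none.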
Wow.. I feel like a complete idiot... I got it working by changing to the cert instead of the key. Thanks very much to all who helped.
-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@zimbra.com]
Sent: Monday, April 12, 2010 6:26 PM
To: Lynn York
Cc: openldap-technical@openldap.org
Subject: RE: Problem with SSL/TLS