>>> Nat Sincheler <fai1107(a)macrotex.net&gt; schrieb am 25.07.2016 um 19:06 in Nachricht <c19c2a3a-3c90-5baa-43c7-800b050ea5b7(a)macrotex.net&gt;: > We have an OpenLDAP server that is listening on port 636 over ldaps. > When I run > > openssl s_client -showcerts -connect ldap-server:636 > > I only see the host certificate. The intermediate and root certificates > do *not* come through. If I di that on one of outr servers, I get: Root CA Intermediate CA Server Certificate ... New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit > > For this server I have in the file slapd.d/cn=config.ldif the setting > > olcTLSCACertificatePath: /etc/ssl/certs Hi! Here it works with these settings: olcTLSCACertificatePath: /etc/ssl/certs olcTLSCertificateFile: /etc/ssl/servercerts/slapd.pem olcTLSCertificateKeyFile: /etc/ssl/private/slapd.key Could it be a permissions problem? Did you try to check the certificate chain with openssl (preferrable as LDAP user)?

Regards, Ulrich > > I checked and all the intermediate and root certificates are in > /etc/ssl/certs soft-linked via the usual OpenSSL rehash hash, e.g., > > lrwxrwxrwx 1 root root 42 Jul 14 19:03 b4261fc2.0 -> > /etc/ssl/certs/incommon-usertrust-2024.pem > > Any idea why the intermediate and root certificates do not get sent to > the LDAPS client? Is there something in the LDAP log that might give me > a clue as to what is going on?

>>> Nat Sincheler <fai1107(a)macrotex.net&gt; schrieb am 26.07.2016 um 17:20 in Nachricht <991f77f9-fd05-eb9b-7f07-f350c4a7bc68(a)macrotex.net&gt;: > > On 7/25/2016 11:24 PM, Ulrich Windl wrote: >>>>> Nat Sincheler <fai1107(a)macrotex.net&gt; schrieb am 25.07.2016 um 19:06 in >> Nachricht <c19c2a3a-3c90-5baa-43c7-800b050ea5b7(a)macrotex.net&gt;: >>> We have an OpenLDAP server that is listening on port 636 over ldaps. >>> When I run >>> >>> openssl s_client -showcerts -connect ldap-server:636 >>> >>> I only see the host certificate. The intermediate and root certificates >>> do *not* come through. >> >> If I di that on one of outr servers, I get: >> Root CA >> Intermediate CA >> Server Certificate >> >> ... >> New, TLSv1/SSLv3, Cipher is AES256-SHA >> Server public key is 2048 bit >> >>> >>> For this server I have in the file slapd.d/cn=config.ldif the setting >>> >>> olcTLSCACertificatePath: /etc/ssl/certs >> >> Hi! >> >> Here it works with these settings: >> olcTLSCACertificatePath: /etc/ssl/certs >> olcTLSCertificateFile: /etc/ssl/servercerts/slapd.pem >> olcTLSCertificateKeyFile: /etc/ssl/private/slapd.key >> >> Could it be a permissions problem? Did you try to check the certificate > chain with openssl (preferrable as LDAP user)? > > When I run the openssl s_client command I get no errors, but I also get > no intermediate or root certificates sent. I see this in the output: "No > client certificate CA names sent". Hi! To me it looks like a problem with your certificates. Try to verify them using openssl, like this: openssl verify -CApath /etc/ssl/certs -verbose /etc/ssl/servercerts/slapd.pem /etc/ssl/servercerts/slapd.pem: OK

Regards, Ulrich > > It appears that OpenLDAP is not sending the intermediate or root > certificates. > > However, if I put all the intermediate and root certificates into a > single file and point olcTLSCACertificateFile at this file, those > intermediate certificates _are_ sent. > > So, it appears that olcTLSCACertificateFile sends the certificates but > but olcTLSCACertificatePath does not. > > Am I misunderstanding the purpose olcTLSCACertificatePath? > > Thanks. > > >> >> Regards, >> Ulrich >> >>> >>> I checked and all the intermediate and root certificates are in >>> /etc/ssl/certs soft-linked via the usual OpenSSL rehash hash, e.g., >>> >>> lrwxrwxrwx 1 root root 42 Jul 14 19:03 b4261fc2.0 -> >>> /etc/ssl/certs/incommon-usertrust-2024.pem >>> >>> Any idea why the intermediate and root certificates do not get sent to >>> the LDAPS client? Is there something in the LDAP log that might give me >>> a clue as to what is going on? >> >> >> >>