Hi,
The "is not readable by "ldap"" error happens when I start ldap using /etc/rc.d/init.d/ldap restart. These three lines are the source of the problem; if I remove them, there is no warning message on restart.

TLSCACertificateFile server.pem
TLSCertificateFile server.pem
TLSCertificateKeyFile server.pem

I have moved this file to /etc/openldap/cacerts and changed the above three paths accordingly. I have also modified ldap.conf to have TLS_CACERT, which allows me to do ldapsearch (before it was giving an SSL verify problem) now with ldaps://localhost on the same system.

I still get this when I restart the ldap server using /etc/rc.d/init.d/ldap restart. Notice the er.pem after ldap - is it not picking up the path correctly, or is it a harmless warning now that ldaps is working? I think it is harmless.

is not readable by "ldap"er.pem [WARNING]
is not readable by "ldap"er.pem [WARNING]
is not readable by "ldap"er.pem [WARNING]
Checking configuration files for slapd: [ OK ]
Starting slapd: [ OK ]
------------------------------------------------
Problem on Windows:

pLdapConnection = ldap_sslinit(pHost, LDAP_SSL_PORT, 1); // fine - connecting to 636
iRtn = ldap_set_option(pLdapConnection, LDAP_OPT_PROTOCOL_VERSION, (void*)&version); // fine

long option;
printf("Checking if SSL is enabled\n");
iRtn = ldap_get_option(pLdapConnection, LDAP_OPT_SSL, (void*)&option);

Here I get 0 returned in option, meaning SSL is disabled.

Also, if I connect afterwards, I get 0x51 (Cannot contact the LDAP server):

connectSuccess = ldap_connect(pLdapConnection, NULL);

How can I use SSL-based OpenLDAP authentication on a Windows client? Do I have to move the self-signed server.pem to Windows? I tried to add it to the certificate store by changing server.pem to server.cer.
Regards, rui
On Wed, Jan 5, 2011 at 8:12 AM, Dieter Kluenter dieter@dkluenter.de wrote:
On Tue, 4 Jan 2011 16:52:06 +0000, rui guideveloper@gmail.com wrote:
Hi
I am trying to enable a TLS-based session with OpenLDAP from a client. I created a self-signed certificate based on the command from http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.1 My server.pem file is in the /etc/openldap directory where slapd.conf is located.

This document is not recommended.

Here are further settings in my slapd.conf:

TLSCACertificateFile server.pem
TLSCertificateFile server.pem
TLSCertificateKeyFile server.pem
TLSVerifyClient never
When I restart the ldap, it gives me the following warnings.

is not readable by "ldap" [WARNING]
is not readable by "ldap" [WARNING]
is not readable by "ldap" [WARNING]
Checking configuration files for slapd: [ OK ]
Starting slapd: [ OK ]

These are not slapd warnings; what is the source of this result report?

I have checked the ps output and it is started as:

ldap 6883 1 0 16:18 ? 00:00:00 /usr/sbin/slapd -u ldap -h ldap:/// ldaps:///

AND netstat -anp | grep slapd

tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 7850/slapd
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 7850/slapd
tcp 0 0 ip:389 ip:43165 ESTABLISHED 7850/slapd
tcp 0 0 :::389 :::* LISTEN 7850/slapd
tcp 0 0 :::636 :::* LISTEN 7850/slapd
unix 2 [ ] DGRAM 302231743 7850/slapd
And what is your problem? slapd is listening on ports 389 and 636.
-Dieter
-- Dieter Klünter | Systemberatung http://dkluenter.de GPG Key ID:DA147B05 53°37'09,95"N 10°08'02,42"E
On Wed, 5 Jan 2011 13:07:48 +0000, rui guideveloper@gmail.com wrote:
Hi,
The "is not readable by "ldap"" error happens when I start ldap using /etc/rc.d/init.d/ldap restart. These three lines are the source of the problem; if I remove them, there is no warning message on restart.

TLSCACertificateFile server.pem
TLSCertificateFile server.pem
TLSCertificateKeyFile server.pem

I have moved this file to /etc/openldap/cacerts and changed the above three paths accordingly. I have also modified ldap.conf to have TLS_CACERT, which allows me to do ldapsearch (before it was giving an SSL verify problem) now with ldaps://localhost on the same system.

I still get this when I restart the ldap server using /etc/rc.d/init.d/ldap restart. Notice the er.pem after ldap - is it not picking up the path correctly, or is it a harmless warning now that ldaps is working? I think it is harmless.

It seems to be a typo, and check permissions of the certificates.

is not readable by "ldap"er.pem [WARNING]
is not readable by "ldap"er.pem [WARNING]
is not readable by "ldap"er.pem [WARNING]
Checking configuration files for slapd: [ OK ]
Starting slapd: [ OK ]
[...]
In order to check TLS connectivity, run:

openssl s_client -connect host:636 -CAfile /path/to/ca \
    -showcerts
-Dieter
openldap-technical@openldap.org
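The warnings in the thread are printed by the distribution's ldap init script, which tests each TLS*File path from slapd.conf for readability before starting slapd; they are not slapd's own diagnostics. The script below is an added example, not code from the thread, from OpenLDAP or from any distribution's init script. It reproduces that style of check and adds one more: it flags a carriage return at the end of the directive value (a CRLF line ending, as left by a Windows editor). When such a path is printed, the terminal returns to the start of the line on the CR and the rest of the message overwrites the beginning of the path, so only its last few characters remain visible. Whether that is what happened on rui's system is an assumption; the check simply reports it if present. It also wraps Dieter's openssl s_client test so that success means the chain verified against the given CA file. The slapd.conf contents, paths and file names are constructed for the demo. One caveat for anyone tempted to silence the warning with chmod: the file named by TLSCertificateKeyFile holds the private key, so it should be readable by the slapd user only, not by everyone.

```shell
#!/bin/sh
# Added example (not from the thread or OpenLDAP): reproduce the kind of
# per-file readability check an ldap init script runs over the TLS*File
# directives in slapd.conf, and flag CRLF line endings, which garble the
# path in the printed warning. All paths and the config below are constructed.

# Print one status line per TLS*File directive found in slapd.conf:
#   OK|MISSING|UNREADABLE|CRLF <directive> <path>
# Readability is tested as the invoking user; run it as the slapd user
# (e.g. su -s /bin/sh ldap -c 'sh check.sh') to see what the init script sees.
check_slapd_tls_conf() {
    conf="$1"
    cr=$(printf '\r')
    grep -iE '^[[:space:]]*TLS(CACertificate|Certificate|CertificateKey)File[[:space:]]' "$conf" |
    while IFS= read -r line; do
        set -f; set -- $line; set +f      # split on blanks; -f prevents globbing
        directive=$1; path=$2             # a trailing \r stays attached to $path
        case "$path" in
            *"$cr"*)
                printf 'CRLF %s %s\n' "$directive" "$(printf '%s' "$path" | tr -d '\r')" ;;
            *)
                if   [ ! -e "$path" ]; then printf 'MISSING %s %s\n' "$directive" "$path"
                elif [ ! -r "$path" ]; then printf 'UNREADABLE %s %s\n' "$directive" "$path"
                else printf 'OK %s %s\n' "$directive" "$path"
                fi ;;
        esac
    done
}

# Succeed only if every directive checked out.
slapd_tls_conf_ok() {
    ! check_slapd_tls_conf "$1" | grep -qv '^OK '
}

# Dieter's connectivity test, wrapped so it can be scripted: succeed only when
# the server's chain verifies against the given CA file. Not run in the demo.
check_ldaps() {
    host="$1"; cafile="$2"
    printf 'Q\n' | openssl s_client -connect "$host:636" -CAfile "$cafile" -showcerts 2>&1 |
        grep -q 'Verify return code: 0 (ok)'
}

# Demo on a constructed slapd.conf: two usable files, one missing file, and
# one directive whose line was saved with a CRLF line ending.
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/slapd.conf"
touch "$demo_dir/ca.pem" "$demo_dir/server.pem"
{
    printf 'TLSCACertificateFile %s/ca.pem\n'          "$demo_dir"
    printf 'TLSCertificateFile %s/server.pem\n'        "$demo_dir"
    printf 'TLSCertificateKeyFile %s/nonexistent.pem\n' "$demo_dir"
    printf 'TLSCertificateKeyFile %s/server.pem\r\n'    "$demo_dir"
    printf 'TLSVerifyClient never\n'
} > "$demo_conf"

check_slapd_tls_conf "$demo_conf"
if slapd_tls_conf_ok "$demo_conf"; then
    echo "all TLS files usable"
else
    echo "fix the lines above before restarting slapd"
fi
```

Once every line reports OK, `check_ldaps localhost /etc/openldap/cacerts/server.pem` (assuming that path) gives a yes/no answer to the question Dieter's s_client command is meant to settle: whether the listener on 636 presents a certificate the client's CA file trusts.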