Discussion:
ssl not working with ldapsearch
Xavier Poirier
2004-02-25 14:59:06 UTC
Hi,

Here is my problem:
I have set up OpenLdap with SSL (following the Doc. and recommendations)
I can connect to the server using SSL and the JAVA app. : "LDAP
Browser\Editor 2.8.2" it's ok.
But installing "lam" (lam.sourceforge.net) I cannot connect in SSL
mode (standard port 389 works), so next I tried the ldapsearch command
(like in the docs.) but it gives me this error (in the log trace):

TLS error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
s3_pkt.c:1052

and the result of ldapsearch is :

ldap_bind: Can't contact LDAP server (81)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Why can't OpenLdap get the server_certificate in this case ??
I may have done something wrong ...
... but what ?

If anyone can help me.
thanks

Xavier


--------------------------------------------------------------------
This email was sent through the IMP interface: ch-bourg01.fr
This message was automatically passed through the antivirus
This email has been sent through Imap Mail Program: ch-bourg01.fr
This message has been scanned with an antivirus scanner
Jon Roberts
2004-02-25 16:19:31 UTC
Post by Xavier Poirier
ldap_bind: Can't contact LDAP server (81)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Why can't OpenLdap get the server_certificate in this case ??
It probably gets the server cert fine, but can't get the CA cert. This
is to be expected if you created your own CA. Try the ldapsearch again
after adding the line:

TLS_REQCERT never

to your (applicable) ldap.conf file.

Jon Roberts
www.mentata.com
Jon Roberts
2004-02-25 16:46:08 UTC
Post by Jon Roberts
It probably gets the server cert fine, but can't get the CA cert. This
is to be expected if you created your own CA. Try the ldapsearch again
TLS_REQCERT never
to your (applicable) ldap.conf file.
Actually, I realized my mistake after sending this out. You can try
this, but you probably don't want this line in your ldap.conf file
ordinarily. More appropriate would be to add a line that defines your CA
cert file:

TLS_CACERT /path/to/your/cacert

Sorry.

Jon
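As an added illustration (not part of the thread), here are the two ldap.conf settings side by side; the file path and the CA file location are placeholders you would adapt:

```conf
# ldap.conf (assumed location, e.g. /etc/openldap/ldap.conf; varies by distribution)

# Weak: skip verification of the server certificate entirely.
# The "unknown ca" / "certificate verify failed" errors go away, but the
# client can no longer tell a genuine server from an impostor, so keep
# this only for a one-off diagnostic run, never as the normal setting.
#TLS_REQCERT never

# Preferred: point the client at the CA certificate that signed the
# server's certificate (your own CA's cert, in PEM format) and require
# the server certificate to verify against it.
# (placeholder path)
TLS_CACERT /path/to/your/cacert.pem
TLS_REQCERT demand
```

With TLS_CACERT set, the same CA file must also be the one that actually issued the server certificate, otherwise the "unknown ca" alert persists.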
Xavier Poirier
2004-03-01 09:20:54 UTC
In reply to Jon Roberts <***@mentata.com>:

Hi,

Yes,

This is what I have done before, putting:
TLS_CACERT /path/to/my/cacert.pem into ldap.conf
but it still doesn't work with "lam"

something I missed, sure ...

Xavier
Post by Jon Roberts
Post by Jon Roberts
It probably gets the server cert fine, but can't get the CA cert. This
is to be expected if you created your own CA. Try the ldapsearch again
TLS_REQCERT never
to your (applicable) ldap.conf file.
Actually, I realized my mistake after sending this out. You can try
this, but you probably don't want this line in your ldap.conf file
ordinarily. More appropriate would be to add a line that defines your CA
TLS_CACERT /path/to/your/cacert
Sorry.
Jon