>>>> can you test 'host' => 'ldaps://ldap.antagonism.org' setting?
>>> I tried this setting and received the same error message.  I even tried
>>> this setting with port 389 and protocol 3 to see if TLS would start and
>>> still received the same error.
>>
>> TLS on 389 is not SSL on 636. The fact that Evo does TLS has NOTHING to
>> do with SSL on port 636. Because Evo really does use TLS on port 389.
>
> Does Squirrelmail support TLS?
>>
>> So what do you have? You probably have LDAP (slapd?) running on port 389
>> and not 636. If you want it to start on 636 too, you have to modify
>> /etc/rdc.d/init.d/ldap or whatever your startup directory is, to include
>> it.
>
> netstat -an shows both 389 and 636 are listening.  I also verified in my
> start script that it is calling ldap:/// and ldaps:///.
>
>> Your certs are obviously O.k.
>>
>> For example, I have (Red Hat RHAS3) for MY OWN (you don't have to do
>> this, you adapt your own) startup:
>>
>> daemon ${slapd} -u ldap -h '"ldap://tru.leerlingen/
>> ldaps://tru.leerlingen/
>> ldapi://%2Fusr%2Flocal%2Fvar%2Fslapd%2Fldapi/????x-mod=0777"' $OPTIONS
>> $SLAPD_OPTIONS
>>
>> The thing is, that I start up ldaps. See it?
>
>> To see whether you do too, do: 'openssl s_client -connect
>> whateverIPaddressyourLDAPserverisrunning on:636'.
>>
>> If it doesn't work (i.e. "Connection refused") you are not running an LDAP
>> daemon on that port.
>>
>> Run one then ;)
>
> I am receiving a return code 18 (self signed certificate), which I believe
> means that it is correctly receiving my cert.
>
> I believe I have an error in my ldap configuration.  When I attempt to run
> the following command
>
> ldapsearch -x -b 'ou=addressbook,dc=antagonism,dc=org' '(objectclass=*)'
> -H ldap://ldap.antagonism.org:389 -ZZ
>
> I receive
>
> ldap_bind: Can't contact LDAP server (-1)
> additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
>
> I am taking this error and searching through Google for answer.  Thank you
> very much for your assistance.  It is greatly appreciated.

slapd will fail to start if you have an incorrectly generated cert. PHP will
fail to start SSL when you use a different host name to connect to the
SSL-enabled server. The LDAP client libraries (/etc/ldap/ldap.conf) need CA
certificates that they can trust.

When you generate a certificate for yourself and don't want to pay for
signing it, you can create your own SSL certification authority and sign
your certificate with its cert.

Currently the SquirrelMail address book uses SSL when the ldap_connect
address uses the ldaps:// prefix. We don't use the ldap_start_tls() function
in address books.

LDAP test script is attached.
-- 
Tomas

Attachment: test-ldap.php
Description: application/php
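The two points in the reply above (sign the server certificate with a CA of your own, and give the client library a CA it can trust) together with the `openssl s_client` check suggested earlier in the thread, as an added shell example. It is not the attached test-ldap.php and not anything from the original thread. It builds a throwaway CA and a slapd certificate in a temp directory, verifies the chain the way the OpenLDAP client library will, and wraps the s_client check in a function. The host name ldap.example.org, the CA name, the directory layout and the LDAP_HOST variable are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: private CA -> signed slapd cert -> chain
# check. All paths, the CA name and the host name ldap.example.org are made up.
set -e

WORK="${WORK:-$(mktemp -d)}"

# make_ca DIR: self-signed CA key and certificate (the "own certification
# authority" from the reply above).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example private CA" \
    -keyout "$1/ca-key.pem" -out "$1/ca.pem" 2>/dev/null
}

# make_server_cert DIR HOST: key + CSR for slapd, signed by the CA in DIR.
# CN and SAN must equal the host name clients put in ldaps://HOST/, otherwise
# the client rejects the cert even though the chain itself is fine.
make_server_cert() {
  dir="$1"; host="$2"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/slapd-key.pem" -out "$dir/slapd.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" >"$dir/san.ext"
  openssl x509 -req -days 825 -in "$dir/slapd.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
    -extfile "$dir/san.ext" -out "$dir/slapd.pem" 2>/dev/null
}

# chain_ok DIR: exit 0 if slapd.pem chains to ca.pem. This is the same check
# the client library performs against TLS_CACERT; the "certificate verify
# failed" error in the thread is this check failing for lack of a trusted CA.
chain_ok() {
  openssl verify -CAfile "$1/ca.pem" "$1/slapd.pem" >/dev/null 2>&1
}

# cert_cn FILE: the subject CN, to confirm which host name the cert is for.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# check_ldaps HOST CAFILE: the s_client check from the thread, with our CA
# supplied, so a correctly signed server shows "Verify return code: 0 (ok)"
# instead of 18 (self signed certificate).
check_ldaps() {
  printf '' | openssl s_client -connect "$1:636" -servername "$1" -CAfile "$2" 2>/dev/null \
    | grep 'Verify return code' \
    || echo "no TLS handshake on $1:636 (is slapd started with ldaps:///?)"
}

HOST="${LDAP_HOST:-ldap.example.org}"
make_ca "$WORK"
make_server_cert "$WORK" "$HOST"
if chain_ok "$WORK"; then
  echo "chain OK: $(cert_cn "$WORK/slapd.pem") is signed by $WORK/ca.pem"
else
  echo "chain BROKEN"; exit 1
fi

# Where the files go: slapd.conf directives on the server, ldap.conf (or the
# LDAPTLS_CACERT environment variable) on the client.
cat <<EOF
slapd.conf:   TLSCACertificateFile  $WORK/ca.pem
              TLSCertificateFile    $WORK/slapd.pem
              TLSCertificateKeyFile $WORK/slapd-key.pem
client side:  TLS_CACERT $WORK/ca.pem  (in ldap.conf), or
              LDAPTLS_CACERT=$WORK/ca.pem ldapsearch -x -H ldaps://$HOST/ -b 'dc=example,dc=org'
EOF

# Run the live check only when a host name was given on the command line.
if [ -n "$1" ]; then check_ldaps "$1" "$WORK/ca.pem"; fi
```

Because the SquirrelMail address book calls ldap_connect() with an ldaps:// URI, PHP goes through the same OpenLDAP client library, so the TLS_CACERT entry in ldap.conf that makes ldapsearch and s_client verify the server is also what makes the PHP side stop reporting "certificate verify failed".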
