[Ryan Tandy]
> It looks like it's possible using gnutls-cli >= 3.5.0.
>
> gnutls-cli -p 389 --x509cafile /etc/ldap/certs/ca.crt
> --starttls-proto=ldap --save-cert=ldap.example.org.crt
> ldap.example.org < /dev/null
Seems to work like a charm here:

% gnutls-cli -p 389 --x509cafile /etc/ldap/certs/ca.crt \
    --starttls-proto=ldap --save-cert=ldap.example.org.crt \
    192.168.1.16 < /dev/null
Error setting the x509 trust file
Resolving '192.168.1.16:389'...
Connecting to '192.168.1.16:389'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `EMAIL=postmaster@postoffice.intern,CN=tjener.intern,OU=Automatically-generated LDAP SSL key,O=LDAP server,L=Skolen,ST=NA,C=NO', issuer `EMAIL=postmaster@postoffice.intern,CN=tjener.intern,OU=Automatically-generated LDAP SSL key,O=LDAP server,L=Skolen,ST=NA,C=NO', serial 0x00cbe2455339cab094, RSA key 1024 bits, signed using RSA-SHA1, activated `2012-02-02 17:24:28 UTC', expires `2022-01-30 17:24:28 UTC', key-ID `sha256:9885ac708688fa6fe941371a32ecdec6891a428647932e72ae9b01bc0075420a'
	Public Key ID:
		sha1:995429e2f6e72af62e353d864e8c276249ad0c25
		sha256:9885ac708688fa6fe941371a32ecdec6891a428647932e72ae9b01bc0075420a
	Public key's random art:
		+--[ RSA 1024]----+
		|..               |
		|E . . ...        |
		|o o ...          |
		|. . +. o         |
		|+ + +So          |
		|* o O =          |
		|. . * = .        |
		|+ . .            |
		|. =+.            |
		+-----------------+

- Status: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.
% diff -ur ~/ldap.example.org.crt /etc/ldap/ssl/ldap-server-pubkey.pem
%

I guess this means we can change /etc/init.d/fetch-ldap-cert and stop
editing /etc/default/slapd.

-- 
Happy hacking
Petter Reinholdtsen
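The transcript above leaves the LDAP StartTLS exchange to gnutls-cli. The following is an added example, written for this page and not taken from the thread or from the Debian Edu fetch-ldap-cert script, that performs the same steps by hand with the Python 3 standard library: it BER-encodes the StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037, tags from RFC 4511), decodes the ExtendedResponse, then wraps the socket in TLS and returns the peer certificate. It also makes the trust model explicit. In the transcript PKI verification fails (self-signed issuer, name mismatch), yet --save-cert still writes the certificate, so anything saved this way is trust-on-first-use; the pin_decision helper compares a freshly fetched certificate with a previously saved one, which is what the `diff -ur` step in the mail does. Function names, the pinned-file argument and the constructed sample messages are assumptions of this example; nothing here talks to a real server unless run from the command line.

```python
"""StartTLS over LDAP (RFC 4511 section 4.14) and trust-on-first-use cert fetch.

Added example for this page; not Debian Edu's fetch-ldap-cert script.
"""
import hashlib
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 section 4.14 / RFC 4513 section 3.1.1


def ber_len(n):
    """BER definite-form length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def build_starttls_request(msg_id=1):
    """LDAPMessage { messageID INTEGER, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    mid = msg_id.to_bytes(msg_id.bit_length() // 8 + 1, "big", signed=True)
    ext = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))  # 0x77: APPLICATION 23, constructed
    return ber_tlv(0x30, ber_tlv(0x02, mid) + ext)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def parse_extended_response(data):
    """Decode LDAPMessage { messageID, ExtendedResponse [APPLICATION 24] }."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(body, 0)
    op_tag, op, _ = _read_tlv(body, pos)
    if tag != 0x02 or op_tag != 0x78:  # 0x78: APPLICATION 24, constructed
        raise ValueError("not an ExtendedResponse")
    _, rc, pos = _read_tlv(op, 0)        # resultCode ENUMERATED
    _, matched, pos = _read_tlv(op, pos)  # matchedDN
    _, diag, pos = _read_tlv(op, pos)     # diagnosticMessage
    name = None
    while pos < len(op):  # optional referral [3], responseName [10], responseValue [11]
        tag, val, pos = _read_tlv(op, pos)
        if tag == 0x8A:
            name = val
    return {"msg_id": int.from_bytes(mid, "big", signed=True),
            "result_code": int.from_bytes(rc, "big"),
            "matched_dn": matched.decode(errors="replace"),
            "diag": diag.decode(errors="replace"),
            "response_name": name}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def recv_ldap_message(sock):
    """Read exactly one BER-framed LDAPMessage: header first, then the body."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = _recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + _recv_exact(sock, length)


def starttls_fetch_cert(sock, server_hostname):
    """Send StartTLS on a plain LDAP socket and return the peer's DER certificate.

    The certificate is NOT validated here (CERT_NONE): like --save-cert, this is
    a trust-on-first-use fetch, so pin the result and verify on later connections.
    """
    sock.sendall(build_starttls_request(1))
    resp = parse_extended_response(recv_ldap_message(sock))
    if resp["msg_id"] != 1 or resp["result_code"] != 0:
        raise RuntimeError("StartTLS refused: code %d %s" % (resp["result_code"], resp["diag"]))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    tls = ctx.wrap_socket(sock, server_hostname=server_hostname)
    return tls.getpeercert(binary_form=True)


def cert_fingerprint(der):
    return "sha256:" + hashlib.sha256(der).hexdigest()


def pin_decision(fetched_der, pinned_der):
    """'first-use' when nothing is pinned yet, otherwise 'match' or 'MISMATCH'."""
    if pinned_der is None:
        return "first-use"
    return "match" if cert_fingerprint(fetched_der) == cert_fingerprint(pinned_der) else "MISMATCH"


if __name__ == "__main__":
    import socket
    import sys
    host, pinned_path = sys.argv[1], sys.argv[2]  # e.g. ldap.example.org /etc/ldap/ssl/ldap-server-pubkey.pem
    with socket.create_connection((host, 389)) as sock:
        der = starttls_fetch_cert(sock, host)
    try:
        with open(pinned_path) as f:
            pinned = ssl.PEM_cert_to_DER_cert(f.read())
    except FileNotFoundError:
        pinned = None
    print(cert_fingerprint(der), pin_decision(der, pinned))
```

A fetch script built on this should only write the certificate on "first-use" and should treat "MISMATCH" as an error to be investigated rather than silently overwriting the pinned file; an empty `diff` output, as in the mail, corresponds to "match".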