Karsten Römke <[EMAIL PROTECTED]> writes:

> Dieter Kluenter wrote:
>> Hi,
>>
>> Karsten Römke <[EMAIL PROTECTED]> writes:
>>
>>> Dieter Kluenter wrote:
>>>> Hi,
>>
>>> Hi,
>>> I have done:
>>> oracle:/etc/openldap # openssl x509 -in servercrt.pem -text > servercrt.txt
>>> oracle:/etc/openldap # openssl x509 -in cacert.pem -text > cacert.txt
>>> and here are parts out of these files:
>>> oracle:/etc/openldap # grep -i keyid servercrt.txt
>>>
>>> keyid:90:4F:E9:05:AA:38:FC:D9:21:45:B0:BD:A5:2E:B3:5B:E9:59:38:AF
>>> oracle:/etc/openldap # grep -i keyid cacert.txt
>>>
>>> keyid:90:4F:E9:05:AA:38:FC:D9:21:45:B0:BD:A5:2E:B3:5B:E9:59:38:AF
>>> I assume that these keyids must be the same?
>>
>> Yes.
>>
>> [...]
>>> Sorry, I don't understand that. Now I tried only from
>>> the server oracle.hhb.bonn.de with the command
>>> ldapsearch -h oracle.hhb.bonn.de -b "dc=hhb,dc=bonn,dc=de" -D
>>> "cn=manager,dc=hhb,dc=bonn,dc=de" -x -W -ZZ -d1
>>> and the following entries in /etc/openldap/ldap.conf
>>> ------------#
>>> # LDAP Defaults
>>> #
>>>
>>> # See ldap.conf(5) for details
>>> # This file should be world readable but not world writable.
>>>
>>> #BASE dc=example, dc=com
>>> #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
>>>
>>> #SIZELIMIT 12
>>> #TIMELIMIT 15
>>> #DEREF never
>>> TLS_REQCERT allow
>>> ssl start_tls
>>> host oracle.hhb.bonn.de
>>> base dc=hhb,dc=bonn,dc=de
>>> TLS_CACERT /etc/openldap/cacert.pem
>>> ----------------------
>>
>> Is your cacert.pem world readable?
> yes
>>
>>> again: no success with tls: [...]
> write(2, "ldap_start_tls: Connect error (-"..., 36) = 36
> write(2, "\tadditional info: error:14077410"..., 99) = 99
> exit_group(1)

I am still convinced that there is a certificate mismatch, try the following

openssl verify -CAfile /path/to/cacert.pem \
    -purpose sslserver /path/to/servercert.pem

A successful verification will look like

openssl verify -CAfile kluenterCA.pem -purpose sslserver ldapcert.pem
ldapcert.pem: OK

A certificate mismatch will look like

openssl verify -CAfile kluenterCA.pem -purpose sslserver rubincert.pem
rubincert.pem: /C=DE/L=Hamburg/O=AVCI/OU=Administration/CN=rubin.l4b.de
error 20 at 0 depth lookup:unable to get local issuer certificate

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
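As an added example (not part of the thread, and not Dieter's or Karsten's code), the shell script below performs both checks discussed above: the keyid comparison from earlier in the thread (the server certificate's Authority Key Identifier against the CA's Subject Key Identifier) and the `openssl verify -CAfile ... -purpose sslserver` chain check; it also builds a throw-away CA, a server certificate signed by it and an unrelated CA so that both the "OK" and the "error 20" outcome can be reproduced offline. It assumes only that the openssl CLI is installed; every file name, subject and directory in it is constructed for the demo.

```shell
# Added example, not from the thread. Assumes the openssl CLI is installed;
# all file names and subjects below are constructed for the demo.
set -e

HEX20='([0-9A-F]{2}:){19}[0-9A-F]{2}'   # a 20-byte key identifier as printed by -text

# Subject Key Identifier of a certificate (the CA side of the keyid comparison).
skid() {
    openssl x509 -in "$1" -noout -text | sed -n '/Subject Key Identifier/{n;p;}' | grep -oE "$HEX20"
}
# Authority Key Identifier: the CA key a certificate claims it was signed with.
akid() {
    openssl x509 -in "$1" -noout -text | sed -n '/Authority Key Identifier/{n;p;}' | grep -oE "$HEX20"
}

# 0 if the server certificate's AKID names the CA's SKID. A match only says the
# cert points at this CA; it does not prove the signature, so run verify_chain too.
keyids_match() {
    a=$(akid "$2") && [ -n "$a" ] && [ "$a" = "$(skid "$1")" ]
}

# 0 if the server certificate chains to the CA file: the check from the thread.
# A wrong CA file gives "error 20 ... unable to get local issuer certificate".
verify_chain() {
    openssl verify -CAfile "$1" -purpose sslserver "$2" >/dev/null 2>&1
}

# Build a throw-away PKI under directory $1: goodca signs servercrt.pem,
# otherca is unrelated (stands in for a wrong TLS_CACERT).
make_test_pki() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\nkeyUsage=keyCertSign\n' > "$d/ca.ext"
    printf 'subjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\nextendedKeyUsage=serverAuth\n' > "$d/server.ext"
    for name in goodca otherca; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
        openssl x509 -req -in "$d/$name.csr" -signkey "$d/$name.key" -days 1 \
            -extfile "$d/ca.ext" -out "$d/$name.pem" 2>/dev/null
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldap.example.invalid" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/goodca.pem" -CAkey "$d/goodca.key" \
        -CAcreateserial -days 1 -extfile "$d/server.ext" -out "$d/servercrt.pem" 2>/dev/null
}

# Stand-alone use: sh check_ldap_ca.sh /etc/openldap/cacert.pem /etc/openldap/servercrt.pem
if [ $# -eq 2 ]; then
    keyids_match "$1" "$2" && echo "keyid: match" || echo "keyid: MISMATCH"
    verify_chain "$1" "$2" && echo "chain: OK" || echo "chain: FAILED (wrong CA file?)"
fi
```

Running it against the real cacert.pem and servercrt.pem from ldap.conf answers both questions at once: whether the server certificate even points at that CA, and whether OpenSSL accepts the chain the way ldapsearch -ZZ will.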
