I'm replying in misc@ since it affects other people as well.

For freeradius (freeradius-2.2.10p1) and ldap communication I had to also set
require_cert = "allow"

It didn't respect the setting of /etc/openldap/ldap.conf
Maybe it's now linked against the local ldap library and not openldap's?

G

On 22/12/2020 16:59, Kostya Berger wrote:
Wow, I seem to have the same problem with Freeradius. Fails to connect with the same error: unable to get local issuer certificate. And that with certificates that work FINE with exactly the same version of Freeradius in FreeBSD.
And yes, no additional setting seems to help this.

With kindest regards,
Kostya Berger



On Tuesday, 22 December 2020, 17:52:48 GMT+3, Kapetanakis Giannis <bil...@edu.physics.uoc.gr> wrote:


Hi,

After upgrading to 6.8-release I can no longer connect to my ldap server with openldap and SSL/TLS.
I'm using a self signed root CA to sign LDAP server's certificate.

/etc/openldap/ldap.conf has:
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT demand

# /usr/local/bin/ldapsearch -d9 -x (openldap client)
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 20, subject: /CN=xxx, issuer: /CN=xxx
TLS certificate verification: Error, unable to get local issuer certificate
TLS certificate verification: depth: 1, err: 20, subject: /CN=xxx, issuer: /CN=xxx
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed (unable to get local issuer certificate).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Even setting TLS_CACERT does not fix it, only making
TLS_REQCERT never

TLS_CACERTDIR has pem certificates and links to them with hashes

ktrace does not show any reads on TLS_CACERTDIR

bbbf0019.0@ -> My_ROOT_CA.asc
My_ROOT_CA.asc@ -> My_ROOT_CA.pem

Apparently this also breaks freeradius which seems logical.

Thanks,

G


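Added example, not from any of the posters: it builds a throwaway root CA and a server certificate signed by it, then verifies that certificate the two ways an ldap.conf can name the trust anchor (TLS_CACERT, a single file, and TLS_CACERTDIR, a directory searched through <subject-hash>.0 links). Run against a real TLS_CACERTDIR it tells a missing or stale hash link apart from a client library that never reads the directory at all, as the ktrace observation above suggests. It assumes an openssl binary on the path; the names My_ROOT_CA and ldap.example.test are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): constructed sample PKI plus the two
# trust-anchor lookups openldap's ldap.conf can configure. Names are assumed.
set -eu

# Constructed sample PKI: self-signed root "My_ROOT_CA" and a cert for an LDAP host.
make_test_pki() {
  dir=$1
  mkdir -p "$dir/cacerts"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=My_ROOT_CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  cp "$dir/ca.pem" "$dir/cacerts/My_ROOT_CA.pem"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/server.pem" 2>/dev/null
}

# Create the <subject-hash>.0 links a directory lookup needs (what c_rehash or
# "openssl rehash" do for a whole directory). A .pem without a link is invisible
# to -CApath / TLS_CACERTDIR even though the file is right there.
rehash_cadir() {
  cadir=$1
  for pem in "$cadir"/*.pem; do
    ln -sf "$(basename "$pem")" "$cadir/$(openssl x509 -noout -hash -in "$pem").0"
  done
}

# verify_chain DIR capath|cafile: exit 0 if server.pem chains to the CA that way.
verify_chain() {
  case $2 in
    capath) openssl verify -CApath "$1/cacerts" "$1/server.pem" >/dev/null 2>&1 ;;
    cafile) openssl verify -CAfile "$1/ca.pem" "$1/server.pem" >/dev/null 2>&1 ;;
    *) return 2 ;;
  esac
}

work=$(mktemp -d)
make_test_pki "$work"
# Before rehashing, the directory lookup fails with the same error the ldapsearch
# trace shows ("unable to get local issuer certificate"); the single-file form works.
verify_chain "$work" capath && echo "capath: ok" || echo "capath: no hash link yet"
verify_chain "$work" cafile && echo "cafile: ok" || echo "cafile: FAILED"
rehash_cadir "$work/cacerts"
verify_chain "$work" capath && echo "capath after rehash: ok" || echo "capath after rehash: FAILED"
rm -rf "$work"
```

If the directory lookup still fails after rehashing while a file lookup with the same CA succeeds, the hash links are not the problem and the client library's CA-directory handling is.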