At 08:45 AM 9/4/2005, Peter Marschall wrote:
>AFAIK this is expected behaviour as you cannot use a self-signed server
>certificate with openLDAP.

Have you examined the certificate at ldap.openldap.org? It's a self-signed
certificate.

>OpenLDAP expects you to use a server certificate that is different from the
>certificate of the issuing CA.

Incorrect. You simply need to configure the client to accept the server's
certificate as valid by setting the CA file to a copy of the server's
certificate. Of course, it is generally recommended that server certificates
should be signed by a separate CA certificate.

Excepting the actual configuration directives (see ldap.conf(5)), none of this
is actually specific to OpenLDAP (as evident from the following):

% openssl s_client -host ldap.openldap.org -port 636 > ! openldap.cert
...
verify error:num=18:self signed certificate
verify return:1
...
[CTRL-D]
% openssl s_client -host ldap.openldap.org -port 636 -CAfile openldap.cert
...
Verify return code: 0 (ok)
[CTRL-D]

Kurt
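To reproduce the point of the reply offline, here is an added shell example (not from the original thread or from the OpenLDAP project) that generates a throwaway self-signed certificate, shows that openssl rejects it with verify error 18 when no trust anchor names it, and that the very same certificate verifies once it is supplied as the CA file. The hostname, file names and working directory are constructed for the example; TLS_CACERT is the ldap.conf(5) directive that plays the CA-file role on the client side.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list message.
# Demonstrates why a self-signed server certificate verifies as soon as the
# client's CA file is a copy of that certificate (the chain is one cert long,
# and its issuer is then a trusted anchor).
set -u

WORK=$(mktemp -d)                       # constructed scratch directory
SERVER_CERT="$WORK/server.cert"
SERVER_KEY="$WORK/server.key"

# Create a self-signed server certificate. The CN is a constructed value.
make_selfsigned_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$SERVER_KEY" -out "$SERVER_CERT" \
        -subj "/CN=ldap.example.test" >/dev/null 2>&1
}

# Verify against the default trust store only: our throwaway cert is not in
# it, so OpenSSL reports error 18 (self signed certificate). Prints "fail".
verify_without_ca() {
    if openssl verify "$SERVER_CERT" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Extract the numeric verify error for the no-trust-anchor case.
# OpenSSL prints "error 18 at 0 depth lookup: ..." on this path.
verify_error_number() {
    openssl verify "$SERVER_CERT" 2>&1 | sed -n 's/.*error \([0-9]*\) at.*/\1/p' | head -n 1
}

# Verify with the server certificate itself as the CA file, which is what
# pointing TLS_CACERT in ldap.conf at a copy of the server cert achieves.
# Prints "ok".
verify_with_ca() {
    if openssl verify -CAfile "$SERVER_CERT" "$SERVER_CERT" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# The client-side line that makes OpenLDAP tools trust this certificate;
# written to a scratch file here rather than to a real ldap.conf.
write_client_config() {
    printf 'TLS_CACERT %s\n' "$SERVER_CERT" > "$WORK/ldap.conf.fragment"
    cat "$WORK/ldap.conf.fragment"
}

cleanup() {
    rm -rf "$WORK"
}

# Stand-alone run: build the cert, show both verification outcomes.
if [ "${1:-}" = "run" ]; then
    make_selfsigned_cert
    echo "without CA file: $(verify_without_ca) (error $(verify_error_number))"
    echo "with CA file:    $(verify_with_ca)"
    write_client_config
    cleanup
fi
```

Run it as `sh example.sh run`; the first verification fails with error 18 and the second succeeds, mirroring the two s_client sessions above. In production the CA file should of course name a real issuing CA rather than the server certificate itself, as the reply also notes.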
