--On November 19, 2007 5:34:14 PM -0800 "Keagle, Chuck"
<[EMAIL PROTECTED]> wrote:
> System in SLES 9.3 running openldap 2.3.39
> I tried to create the x509 hash and it still failed the same way.
> Here are the entries in slapd.conf (all in global section):
> TLSCertificateFile /etc/ssl/servercerts/servercert.pem
> TLSCertificateKeyFile /etc/ssl/servercerts/serverkey.pem
> TLSCACertificatePath /etc/ssl/certs/
> TLSCACertificateFile /etc/openldap/ldapServer.crt
> TLSCACertificateKeyFile /etc/openldap/ldapServer.key
Pick one, or the other, format. Do not use both. I suggest the
TLSCACertificatePath method with a hash. It is the only thing that has
worked consistently for me (appears to be an openssl issue).
> It fails exactly the same way:
> # ldapsearch -x -Z -H ldap://testsvr.blv.boeing.com -b "" -s base 'objectclass=*' '+' '*'
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> ldap_result: Can't contact LDAP server (-1)
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Did you ever set up ldap.conf/.ldaprc as I noted, with the pointers to the
CA cert and hash, as I noted was required? Also, the pem file for the CA
cert does not need to contain the key. Probably better for it not to,
really.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
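The two points raised in the thread, a hashed CA directory for TLSCACertificatePath and a CA file that carries no private key, can be checked outside slapd with the OpenSSL command-line tools, because `certificate verify failed` is OpenSSL's own chain check running on the client. The script below is an added example and not part of the thread or of OpenLDAP: it builds a throwaway test CA and server certificate (constructed material, not the Boeing certificates), installs the CA under its `<subject-hash>.0` name the way `c_rehash` would, strips the key, and then runs the same verification the client performs before `ldapsearch -Z` proceeds. The directory name `cacerts` and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build an OpenSSL-style
# hashed CA directory suitable for TLSCACertificatePath (slapd.conf) or
# TLS_CACERTDIR (ldap.conf), then verify a server certificate against it.
# Every certificate and path here is constructed for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CAPATH="$WORK/cacerts"        # plays the role of /etc/ssl/certs/ in the thread
mkdir -p "$CAPATH"

# make_test_pki: a self-signed test CA and a server cert it signs.
# In a real deployment the server pair is what TLSCertificateFile and
# TLSCertificateKeyFile point at; the CA cert alone goes into the hash dir.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=ldap.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" 2>/dev/null
}

# install_ca: place a CA certificate into the hash directory under the
# <subject-hash>.0 file name that OpenSSL (and therefore slapd and the
# ldap client library) uses for lookups. Equivalent to what c_rehash does.
# Only the certificate is copied: the CA directory never needs the key.
install_ca() {
  ca_in="$1"
  subj_hash=$(openssl x509 -in "$ca_in" -noout -hash)
  openssl x509 -in "$ca_in" -out "$CAPATH/$subj_hash.0"
  echo "$CAPATH/$subj_hash.0"
}

# verify_server_cert: the chain check the client runs during StartTLS.
# Prints OK when the server cert chains to a CA in $CAPATH, FAIL otherwise
# (FAIL is the condition behind "certificate verify failed" in the thread).
verify_server_cert() {
  if openssl verify -CApath "$CAPATH" "$1" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# demo: show the failure with an empty hash directory, then the fix.
demo() {
  make_test_pki
  echo "before installing CA: $(verify_server_cert "$WORK/server.crt")"
  installed=$(install_ca "$WORK/ca.crt")
  echo "installed CA as $installed"
  echo "after installing CA:  $(verify_server_cert "$WORK/server.crt")"
}

if [ "${1:-}" = "demo" ]; then
  demo
fi
```

Run it as `sh check_cacerts.sh demo`; the first verification reports FAIL because the directory is empty, the second reports OK once the hashed CA file is in place. Pointing TLSCACertificatePath (server side) and TLS_CACERTDIR in ldap.conf or `.ldaprc` (client side) at a directory prepared this way is the setup the reply describes; if `openssl verify -CApath` already fails against the directory, slapd and ldapsearch will fail the same way.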