Keagle, Chuck wrote:
> I have yet to even change the error messages when trying:
> # ldapsearch -x -Z -H ldap://testsvr.blv.boeing.com -b "" -s base 'objectclass=*' '+' '*'
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> ldap_result: Can't contact LDAP server (-1)
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Can anyone point out what I have missed here?
Probably about 2 years' sysadmin experience. You ought to use something like
RCS or CVS to manage your config files. (Yes, despite all the wonders of
distributed revision control systems, there's still a place in the world for
RCS.) You've clearly made so many changes you've totally confused yourself.
You cannot possibly administer a system successfully, making such haphazard
changes with no logging or rollback capability.
> ***********************************
> Here is /etc/openldap/slapd.conf
You cannot use TLS without the TLSCertificateFile and TLSCertificateKeyFile
settings. You probably should not use both TLSCACertificatePath and
TLSCACertificateFile. In general, you should not use TLSCACertificatePath; it
can lead to strange out-of-resource problems at unpredictable times.
I think you need to re-read the documentation on how to use TLS.
> #CBK Comment out TLSCertificateFile and TLSCertificatekeyFile here.
> # Also, force encryption
> #CBK end
> #TLSCertificateFile /etc/ssl/servercerts/servercert.pem
> TLSCACertificatePath /etc/ssl/certs/
> TLSCACertificateFile /etc/ssl/certs/ldapServer.pem
> #TLSCertificateKeyFile /etc/ssl/servercerts/serverkey.pem
> TLSCiphersuite HIGH
> security ssf=128
> #CBK added for local use on SuSE 9.3
> #TLSCACertificateFile /etc/openldap/cacert.pem
> #TLSCACertificateKeyFile /etc/openldap/ldapServer.key
> #######################################################################
> # bdb database definitions
> #######################################################################
> #####
> # Database Configuration Parameters
> #####
> #TLSCertificateFile /etc/openldap/servercert.pem
> #TLSCertificateKeyFile /etc/openldap/serverkey.pem
> database bdb
> ***********************************
> Here is /etc/openldap/ldap.conf
> $ cat ldap.conf
> #
> # LDAP Defaults
> #
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
> #CBK Uncommented and set BASE and URI for local environment
> BASE dc=blv,dc=boeing, dc=com
> URI ldaps://testsvr.blv.boeing.com
> #SIZELIMIT 12
> #TIMELIMIT 15
> #DEREF never
> TLS_REQCERT allow
> #CBK Added for self-signed certificate
> HOST testsvr.blv.boeing.com
> TLS_CACERT /etc/ssl/certs/ldapServer.pem
> Here are the ldap log entries when loglevel = -1
As I've said time and time again, syslog is utterly useless for debugging.
Read the docs and use *the debug flag* when chasing problems. That's what it's
there for.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
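The rules stated in the reply above (TLS needs both TLSCertificateFile and TLSCertificateKeyFile; do not mix TLSCACertificatePath with TLSCACertificateFile; a client-side TLS_REQCERT of allow or never does not enforce the CA check) can be turned into a small lint that is run against the two files before restarting slapd. The script below is an added example written for this page; it is not part of the thread, of OpenLDAP, or of any Symas tool. Its sample configs are constructed here, modelled on the quoted ones with the hostnames replaced by example.com placeholders, and the parser only implements the plain "KEY value" form of slapd.conf(5)/ldap.conf(5) lines.

```python
"""Lint the TLS directives of a slapd.conf and an ldap.conf for the
mistakes discussed in the thread. Example code written for this page;
the sample configs are constructed, not copied from any live system."""

from typing import Dict, List


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Parse 'KEY value' lines as slapd.conf(5)/ldap.conf(5) read them.
    Comment and blank lines are skipped, keys are case-insensitive (so they
    are lower-cased), and a key that appears more than once keeps all values."""
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, []).append(value)
    return settings


def check_slapd_tls(text: str) -> List[str]:
    """Return the server-side TLS problems found in a slapd.conf body."""
    s = parse_conf(text)
    problems: List[str] = []
    has_cert = "tlscertificatefile" in s
    has_key = "tlscertificatekeyfile" in s
    if not (has_cert and has_key):
        problems.append("TLS needs both TLSCertificateFile and "
                        "TLSCertificateKeyFile; a commented-out line does not count")
    if "tlscacertificatepath" in s and "tlscacertificatefile" in s:
        problems.append("TLSCACertificatePath and TLSCACertificateFile are both "
                        "set; keep only TLSCACertificateFile")
    elif "tlscacertificatepath" in s:
        problems.append("TLSCACertificatePath is in use; prefer TLSCACertificateFile")
    if "security" in s and not (has_cert and has_key):
        # 'security ssf=N' refuses unencrypted sessions, and with no server
        # cert/key the server cannot offer TLS, so no client can satisfy it.
        problems.append("'security ssf=...' demands encryption but no server "
                        "certificate/key is configured, so every bind will be refused")
    return problems


def check_ldap_client_tls(text: str) -> List[str]:
    """Return the client-side TLS problems found in an ldap.conf body."""
    s = parse_conf(text)
    problems: List[str] = []
    # ldap.conf(5): TLS_REQCERT defaults to demand; last occurrence wins.
    reqcert = s.get("tls_reqcert", ["demand"])[-1].lower()
    if reqcert in ("never", "allow"):
        problems.append(f"TLS_REQCERT {reqcert}: a server certificate that fails "
                        "verification is accepted anyway, so the CA check is not enforced")
    if reqcert in ("try", "demand", "hard") and not (
            "tls_cacert" in s or "tls_cacertdir" in s):
        problems.append("TLS_REQCERT requires verification but neither TLS_CACERT "
                        "nor TLS_CACERTDIR names a CA to verify the server against")
    return problems


# Constructed samples. BROKEN_SLAPD mirrors the quoted file: both server
# cert directives commented out, both CA directives set, ssf=128 forced.
BROKEN_SLAPD = """
#TLSCertificateFile /etc/ssl/servercerts/servercert.pem
TLSCACertificatePath /etc/ssl/certs/
TLSCACertificateFile /etc/ssl/certs/ldapServer.pem
#TLSCertificateKeyFile /etc/ssl/servercerts/serverkey.pem
TLSCiphersuite HIGH
security ssf=128
database bdb
"""

FIXED_SLAPD = """
TLSCACertificateFile /etc/ssl/certs/ldapServer.pem
TLSCertificateFile /etc/ssl/servercerts/servercert.pem
TLSCertificateKeyFile /etc/ssl/servercerts/serverkey.pem
TLSCiphersuite HIGH
security ssf=128
database bdb
"""

CLIENT_LDAP = """
BASE dc=example,dc=com
URI ldaps://ldap.example.com
TLS_REQCERT allow
TLS_CACERT /etc/ssl/certs/ldapServer.pem
"""

if __name__ == "__main__":
    for name, fn, body in (("broken slapd.conf", check_slapd_tls, BROKEN_SLAPD),
                           ("fixed slapd.conf", check_slapd_tls, FIXED_SLAPD),
                           ("ldap.conf", check_ldap_client_tls, CLIENT_LDAP)):
        print(name)
        for p in fn(body) or ["  ok"]:
            print("  -", p)
```

On the quoted server file the lint reports three findings (missing cert/key pair, both CA directives set, ssf forced with no TLS possible) and nothing on the corrected pair; on the client file it flags TLS_REQCERT allow, which is why a "certificate verify failed" from the server can still go unnoticed on a client. Once the files pass, the reply's advice applies: run `slapd -d <level>` (and `ldapsearch -d <level>` on the client) and read the TLS handshake output directly rather than the syslog entries.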