Philip Guenther wrote:
> On Wed, 21 Nov 2007, Keagle, Chuck wrote:
>> I have yet to even change the error messages when trying:
>>
>> # ldapsearch -x -Z -H ldap://testsvr.blv.boeing.com -b "" -s base 'objectclass=*' '+' '*'
>> ldap_start_tls: Connect error (-11)
>>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Looks to me like slapd is sending its cert, but either
> 1) it doesn't match the hostname in the URI (testsvr.blv.boeing.com), or
> 2) none of the CAs 'above' it are in the set of CAs trusted to ldapsearch.
>
> So, what's the output of
>     openssl x509 -text -noout -in /path/to/servers/cert/here.pem
I'd also recommend configuring LDAPS on the separate port 636, by starting with slapd -H "ldap://... ldaps://...", and then using the openssl s_client command with either the command-line option -CApath or -CAfile to check whether everything is in place at the SSL/TLS level. openssl s_client gives you a nice debug log right to the console. If everything's working, then the StartTLS ext. op. should also work.

Ciao, Michael.

-- 
Michael Ströder
E-Mail: [EMAIL PROTECTED]
http://www.stroeder.com
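As an added illustration (not code from either poster, nor from OpenLDAP), the script below reproduces offline the two causes Philip lists for "certificate verify failed" using only openssl(1): it builds a throw-away CA, a server certificate chained to it whose SAN is the hostname from the ldapsearch URI (testsvr.blv.boeing.com), and a self-signed "rogue" certificate no CA signed, then runs the chain check and the hostname check against each. All keys and certificates are constructed in a temp directory; the live commands against a real slapd (openssl s_client with -CAfile, the TLS_CACERT setting for ldapsearch) appear only as comments, since they need a reachable server.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Requires openssl(1).
# The hostname is the one in the original ldap:// URI; every key, cert and
# CA below is generated locally, so nothing here touches the network.

# make_test_pki DIR HOST: a test CA, a server cert signed by it with a
# matching subjectAltName, and a self-signed cert for the same HOST that
# does not chain to the CA (stands in for a slapd cert from an unknown CA).
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/ca.key" -out "$1/ca.pem" -subj "/CN=Test Root CA" \
        >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$1/srv.key" -out "$1/srv.csr" -subj "/CN=$2" \
        >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.cnf"
    openssl x509 -req -days 1 -set_serial 1 -in "$1/srv.csr" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -extfile "$1/san.cnf" \
        -out "$1/srv.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/rogue.key" -out "$1/rogue.pem" -subj "/CN=$2" \
        >/dev/null 2>&1
}

# verify_chain CERT CAFILE: cause 2 in Philip's list. Does the server cert
# chain to a CA the client trusts? This is the same decision the client
# makes from its TLS_CACERT / -CAfile set; a 0 here means "trusted".
verify_chain() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# cert_has_host CERT HOST: cause 1. Does the cert's SAN (or CN) cover the
# hostname written in the ldap:// URI? openssl x509 -checkhost prints
# "Hostname X does match certificate" or "... does NOT match certificate";
# its exit status does not distinguish the two, so match on the text.
cert_has_host() {
    openssl x509 -noout -in "$1" -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Demo run with the hostname from the original ldapsearch command.
pki=$(mktemp -d)
trap 'rm -rf "$pki"' EXIT
make_test_pki "$pki" testsvr.blv.boeing.com

for c in srv rogue; do
    if verify_chain "$pki/$c.pem" "$pki/ca.pem"; then
        echo "$c.pem: chains to ca.pem (trusted)"
    else
        echo "$c.pem: certificate verify failed -> cause 2, CA not trusted"
    fi
    if cert_has_host "$pki/$c.pem" testsvr.blv.boeing.com; then
        echo "$c.pem: covers testsvr.blv.boeing.com"
    else
        echo "$c.pem: does not cover the URI hostname -> cause 1"
    fi
done

# Against a real slapd the equivalent live checks are (not run here):
#   openssl s_client -connect testsvr.blv.boeing.com:636 \
#       -servername testsvr.blv.boeing.com -CAfile /path/to/ca.pem
#   (look at "Verify return code:" near the end of its output), and for
#   ldapsearch, point TLS_CACERT in ldap.conf at the same CA file.
```

The rogue cert fails only the chain check, not the hostname check, which is why Philip's two causes have to be told apart: a certificate that names the right host can still be rejected if its issuer is not in the client's CA set, and fixing the name alone will not change the error.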
