Please check your LDAP server. How was it started? Check the port number; the port must be 636. Your Apache might have the root CA certificate which is validating your globalsign-domainssl.pem.

Maybe your client is failing to get the entire chain of certificates. Make sure that /etc/openldap/ldap.conf has the TLS_CACERTDIR clause where all the certificates are present. Use the certificate-rehash utility to hash the certificates in the cert directory.

I used to start my server using the command:

/usr/sbin/slapd -f /etc/openldap/slapd.conf -d 127 -h ldaps:/// &

And to search for the user I use:

ldapsearch -x -H ldaps://ldapserverFQDN:636 -b "dc=my-domain,dc=com" "(&(uid=testadmin1)(objectClass=inetOrgPerson))"

Thanks,
Digambar Yashwant Sawant

On Fri, Sep 12, 2008 at 4:51 PM, Michael Fischer <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I hope this is the right list for my problem, if not sorry in advance.
>
> I want to configure slapd to use TLS. I have a certificate signed by
> GlobalSign and the following lines in my slapd.conf:
>
> <snip>
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile /etc/postfix/certs/ldap.pem
> TLSCertificateKeyFile /etc/postfix/certs/ldap.key
> TLSCACertificateFile /etc/postfix/certs/globalsign-domainssl.pem
> </snip>
>
> But when issuing an ldapsearch on another machine I still get an error:
> <snip>
> # ldapsearch -bdc=xxx,dc=at -Dcn=admin,dc=xxx,dc=at -hldap.xxx.at -p389 -x -W -ZZ -d5 objectClass=*
> ...
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 2, err: 19, subject: /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root, issuer: /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
> TLS certificate verification: Error, self signed certificate in certificate chain
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> </snip>
>
> The same GlobalSign certificates work well with my Apache.
>
> Any hints?
>
> Kind regards, Michael Fischer
> --
> email: [EMAIL PROTECTED]
> web: http://www.webfischer.at