On Thursday, 9 July 2009, Rick Stevens wrote:
> I know this has been hashed over before, but I simply cannot get my
> LDAP clients to talk TLS/SSL to my LDAP server. I keep getting
>
> TLS certificate verification: Error, self signed certificate in
> certificate chain
>
> errors. A standard "openssl s_client" test works fine, but a client
> such as ldapsearch simply refuses to cooperate. I have the
> "tls_cacertdir" set to point at a directory that has a copy of every
> certificate I've created and it still won't work.
>
> The certificates were created based on the instructions at:
>
> http://www.openldap.org/faq/data/cache/185.html
>
> as specified in the admin manual. I'm the first to admit I'm not an
> SSL guy, but this has got me stumped! I'll be happy to provide
> whatever bits of the various config files you need.
So, you have created your certs with OpenSSL. Are your LDAP binaries
linked against the OpenSSL or the GnuTLS libraries?
ldd $(which ldapsearch)
libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0xb7e34000)
This OpenLDAP installation is linked against GnuTLS!
If your OpenLDAP installation also uses GnuTLS, then you MUST reorder
the certificates.
OpenSSL cert files begin with the top-level cert (normally the CA);
GnuTLS cert files end with the CA cert :-( .
>
> Help me Obi-Wan Kenobi!
> ---------------------------------------------------------------------
> - Rick Stevens, Unix Geek [email protected]
> -
> - Treat each day as if it's your last...a lot of crying and whining
> - usually gets you what you want! -- Sam Sledge
> ---------------------------------------------------------------------
--
Regards
Harry Jede
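Added example, not part of the thread: a stdlib-only Python script that reads a PEM CA bundle, flags the self-signed (CA) certificate by comparing the DER bytes of its issuer and subject, and rewrites the bundle with the CA cert last, the order the reply says a GnuTLS-linked ldapsearch expects. The sample bundle is constructed from unsigned certificate skeletons, and `Example CA` / `ldap.example.com` are placeholder names; the functions work the same on a real bundle read from disk.

```python
import base64, re

def _tlv(data, pos=0):                     # read one DER TLV at pos -> (tag, value, position after it)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes that follow
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(data[pos - n:pos], "big")
    return tag, data[pos:pos + length], pos + length

def _children(body):                       # elements of a SEQUENCE body as (tag, value, raw TLV bytes)
    out, pos = [], 0
    while pos < len(body):
        tag, val, nxt = _tlv(body, pos)
        out.append((tag, val, body[pos:nxt]))
        pos = nxt
    return out

def is_self_signed(der):
    """Structural check only: issuer Name == subject Name byte for byte (no signature verification)."""
    _, cert, _ = _tlv(der)                 # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    _, tbs, _ = _tlv(cert)                 # tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serial, sigAlg, issuer, validity, subject, ... }
    fields = _children(tbs)
    if fields[0][0] == 0xA0:               # skip the EXPLICIT [0] version when present
        fields = fields[1:]
    return fields[2][2] == fields[4][2]    # raw issuer DER vs raw subject DER

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
def _ders(pem_bundle):
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(pem_bundle)]
def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def self_signed_flags(pem_bundle):         # one bool per cert in file order: True where the cert is its own issuer
    return [is_self_signed(d) for d in _ders(pem_bundle)]

def reorder_for_gnutls(pem_bundle):        # leaf/intermediates first, self-signed CA cert(s) last
    ders = _ders(pem_bundle)
    return "".join(to_pem(d) for d in ders if not is_self_signed(d)) + "".join(to_pem(d) for d in ders if is_self_signed(d))

# --- constructed sample (not real certificates): unsigned X.509 skeletons, short-form DER lengths only ---
def _enc(tag, body):
    return bytes([tag, len(body)]) + body
def _name(cn):                             # Name ::= SEQUENCE { SET { SEQUENCE { id-at-commonName, UTF8String cn } } }
    return _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x0C, cn.encode()))))
def _fake_cert(subject, issuer):           # [0] v3, serial 1, empty sigAlg, issuer, empty validity, subject; empty outer sigAlg, 1-byte BIT STRING
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"") + _name(issuer) + _enc(0x30, b"") + _name(subject))
    return _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))
# OpenSSL-style bundle: CA first, then the server cert, i.e. the order the mail says GnuTLS rejects.
SAMPLE_OPENSSL_ORDER = to_pem(_fake_cert("Example CA", "Example CA")) + to_pem(_fake_cert("ldap.example.com", "Example CA"))
```

Run `self_signed_flags()` on your tls_cacertdir file to see the current order before overwriting anything with `reorder_for_gnutls()`.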