Wow.. I feel like a complete idiot... I got it working by changing to the cert instead of the key. Thanks very much to all who helped.
-----Original Message-----
From: Quanah Gibson-Mount [mailto:[email protected]]
Sent: Monday, April 12, 2010 6:26 PM
To: Lynn York
Cc: [email protected]
Subject: RE: Problem with SSL/TLS

--On Monday, April 12, 2010 6:13 PM -0400 Lynn York <[email protected]> wrote:

> Here is my /etc/openldap/ldap.conf:
>
> uri ldaps://localhost
> base cn=users,dc=testing,dc=com
> tls_cacert /etc/openldap/cacerts/ca.key
> tls_cacertdir /etc/openldap/cacerts
> tls_reqcert allow

You specify *one* of the two options (either TLS_CACERT or TLS_CACERTDIR), not both. If you are specifying the file, then it needs to be the cert, not the key.

> TLS: could not load verify locations
> (file:`/etc/openldap/cacerts/ca.key',dir:`/etc/openldap/cacerts').
> However, the certs and keys do exist..
>
> ls -al /etc/openldap/cacerts/
> total 44
> drwxr-xr-x 3 ldap ldap 4096 Apr 12 13:48 .
> drwxr-xr-x 4 ldap ldap 4096 Apr 12 18:09 ..
> drwxr-xr-x 2 ldap ldap 4096 Apr 12 13:45 backup
> -rw-r--r-- 1 ldap ldap 1805 Apr 12 13:46 ca.cert
> -rw-r--r-- 1 ldap ldap 1679 Apr 12 13:46 ca.key

What about the permissions on /etc/openldap and /etc/openldap/cacerts? I.e., if you su - ldap, can you actually read /etc/openldap/cacerts/ca.cert?

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
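A small POSIX shell check for the two mistakes in this thread (TLS_CACERT pointing at the private key instead of the CA certificate, and TLS_CACERT and TLS_CACERTDIR both set), plus a warning that tls_reqcert allow leaves the server certificate unverified. This is an added example, not code from the list or from the OpenLDAP project; it builds a constructed copy of the posted ldap.conf in a scratch directory, and the file names and paths it uses are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check the TLS client directives in an OpenLDAP ldap.conf.

# Classify a PEM file: prints "cert", "key" or "unknown" (unreadable counts as unknown).
pem_kind() {
    if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then echo cert
    elif grep -q 'PRIVATE KEY' "$1" 2>/dev/null; then echo key
    else echo unknown
    fi
}

# Print the value of a directive; ldap.conf directives are case-insensitive.
conf_get() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Returns 0 if the config looks sane, 1 if any problem was reported.
# Run it as the user that will actually open the connection (su - ldap),
# so the readability checks reflect that user's permissions.
check_ldap_conf() {
    conf=$1; rc=0
    cacert=$(conf_get "$conf" TLS_CACERT)
    cacertdir=$(conf_get "$conf" TLS_CACERTDIR)
    reqcert=$(conf_get "$conf" TLS_REQCERT | tr '[:upper:]' '[:lower:]')
    if [ -n "$cacert" ] && [ -n "$cacertdir" ]; then
        echo "WARN: TLS_CACERT and TLS_CACERTDIR are both set; use one of them"; rc=1
    fi
    if [ -n "$cacert" ]; then
        case $(pem_kind "$cacert") in
            cert) [ -r "$cacert" ] || { echo "ERROR: $cacert not readable"; rc=1; } ;;
            key)  echo "ERROR: TLS_CACERT $cacert is a private key, not the CA certificate"; rc=1 ;;
            *)    echo "ERROR: TLS_CACERT $cacert is not a readable PEM certificate"; rc=1 ;;
        esac
    fi
    # Default is demand; "allow" (and "never") proceed even when the server cert fails to verify.
    case $reqcert in
        ""|demand|hard) ;;
        *) echo "WARN: TLS_REQCERT $reqcert does not enforce server certificate verification"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample mirroring the thread (the PEM bodies are placeholders, not real keys).
make_sample() {
    d=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n' > "$d/ca.cert"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nconstructed placeholder\n-----END RSA PRIVATE KEY-----\n' > "$d/ca.key"
    printf 'uri ldaps://localhost\ntls_cacert %s/ca.key\ntls_cacertdir %s\ntls_reqcert allow\n' "$d" "$d" > "$d/broken.conf"
    printf 'uri ldaps://localhost\nTLS_CACERT %s/ca.cert\nTLS_REQCERT demand\n' "$d" > "$d/fixed.conf"
    echo "$d"
}
```

Running `check_ldap_conf "$(make_sample)/broken.conf"` reports all three findings; the fixed.conf variant passes.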
