c0re <[email protected]> writes:

> Sorry, forgot to mention that I've tested that certificates are OK.
>
> # starting slapd
> /usr/local/libexec/slapd -u ldap -d 1 -h ldaps:///
>
> # making test:
> openssl s_client -connect 127.0.0.1:636 -CAfile /usr/local/etc/openldap/ssl-client/root.crt -showcerts
>
> # output of test in openssl command:
[...]
> Certificate chain
>  0 s:/C=RU/ST=MSK/L=MSK/O=ORG/OU=IT/CN=ldap.domain.com
>    i:/C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com
> -----BEGIN CERTIFICATE-----
> <certificate>
> .....
> </certificate>
> -----END CERTIFICATE-----
>  1 s:/C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com
>    i:/C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com
> -----BEGIN CERTIFICATE-----
> <certificate>
> .....
> </certificate>
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/C=RU/ST=MSK/L=MSK/O=ORG/OU=IT/CN=ldap.domain.com
> issuer=/C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1811 bytes and written 462 bytes
> ---
[...]
> Verify return code: 0 (ok)
[...]
There are no errors in the certificate chain and the server cert has been verified, so the certificate chain is OK. Please check all relevant configuration files, that is, /etc/openldap/ldap.conf, /etc/ldap.conf and probably ~/.ldaprc, for any TLS configuration.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: [email protected]
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
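The two checks this reply boils down to, as an added example that is not part of the thread or of OpenLDAP itself: read the "Verify return code" line out of captured `openssl s_client` output (the poster's shows 0, so the chain is fine), then audit the client-side `TLS_*` directives in an ldap.conf-style file, since a `TLS_REQCERT never` or a missing `TLS_CACERT` on the client is exactly the kind of setting Dieter asks to look for. The s_client excerpt and both ldap.conf files below are constructed for this example; the CA file path is the one from the poster's command.

```shell
#!/bin/sh
# Added example, not from the thread. Parses s_client output and audits
# TLS_* directives in an ldap.conf-style file. All sample data is constructed.

# Print the numeric verify code from s_client output read on stdin
# ("Verify return code: 0 (ok)" -> 0).
verify_code() {
    sed -n 's/^Verify return code: \([0-9][0-9]*\) .*/\1/p' | tail -n 1
}

# Print "KEY VALUE" for every TLS_* directive in the file given as $1.
# ldap.conf keys are case-insensitive, so keys are upper-cased; comments
# and blank lines are skipped.
tls_directives() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { key = toupper($1) }
        key ~ /^TLS_/ { print key, $2 }
    ' "$1"
}

# Return 0 when the file names a CA file and requires server cert
# verification; otherwise print what is wrong and return 1.
# TLS_REQCERT defaults to "demand" when absent, as in OpenLDAP's ldap.conf.
audit_tls_config() {
    cacert=$(tls_directives "$1" | awk '$1 == "TLS_CACERT" { print $2 }')
    reqcert=$(tls_directives "$1" | awk '$1 == "TLS_REQCERT" { print tolower($2) }')
    status=0
    if [ -z "$cacert" ]; then
        echo "no TLS_CACERT: the client has no CA to verify the server chain against"
        status=1
    fi
    case "${reqcert:-demand}" in
        demand|hard) ;;
        *) echo "TLS_REQCERT $reqcert: server certificate errors are not fatal"; status=1 ;;
    esac
    return $status
}

# Constructed sample: the tail of the s_client output quoted in the thread.
SAMPLE_SCLIENT='SSL handshake has read 1811 bytes and written 462 bytes
---
Verify return code: 0 (ok)'

# Constructed sample ldap.conf files (not the poster's real files).
WEAK_CONF=$(mktemp)
GOOD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$GOOD_CONF"' EXIT

cat >"$WEAK_CONF" <<'EOF'
# Accepts any server certificate: the chain check above is never applied.
URI         ldaps://ldap.domain.com
TLS_REQCERT never
EOF

cat >"$GOOD_CONF" <<'EOF'
URI         ldaps://ldap.domain.com
tls_cacert  /usr/local/etc/openldap/ssl-client/root.crt
TLS_REQCERT demand
EOF

echo "verify code: $(printf '%s\n' "$SAMPLE_SCLIENT" | verify_code)"
audit_tls_config "$WEAK_CONF" || echo "weak config rejected"
audit_tls_config "$GOOD_CONF" && echo "good config accepted"
```

Run it against a real capture with `openssl s_client ... </dev/null 2>/dev/null | verify_code`, and point `audit_tls_config` at each of the three files Dieter lists; the directive in the last file read wins in OpenLDAP, so checking only one of them can hide the setting that actually takes effect.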
