Hi Daisy,

-- create an environment variable LDAPCONF

<DAISY>: Question, what value is this environment variable set to? Does OpenSSL or OpenLDAP use this env variable?

> You should set the environment variable LDAPCONF to the location of your ldap
> configuration file. In my case, I called the file ldap_ssl_cert_config and I
> placed it in my home directory. So you would then run:
>
> export LDAPCONF=/home/ven/ldap_ssl_cert_config
>
> Alternately, you could also have a .ldaprc file in your home directory instead
> of setting this variable.

-- create a file called ldap_ssl_cert_config and placed the following line in it: TLS_CACERTDIR /etc/pki/tls

<DAISY>: Question, in what directory should I create this file? How is this "ldap_ssl_cert_config" file used? How does the OpenLDAP client know what file to look for, in which directory?

> Sorry, I should have explained this better. The environment variable LDAPCONF
> must point to the location of this file as shown above. Create it in any text
> editor and place the line TLS_CACERTDIR <path to root cert bundle> within this
> file. The OpenLDAP libraries will either look for the environment variable
> LDAPCONF or for a .ldaprc file in your home directory.

And /etc/pki/tls does not exist in my file system. What is this "/etc/pki/tls" anyway?

> TLS_CACERTDIR specifies the location of the SSL certificates root bundle of
> your OpenSSL installation. In Red Hat Enterprise Linux, this bundle is located
> in /etc/pki/tls. What OS are you using? It will depend on that and your
> OpenSSL installation. Also, see this for more detailed info:
> http://linux.die.net/man/5/ldap.conf

cheers,
Ven

From: Mahadevan, Venkatasubramanian [mailto:[email protected]]
Sent: Tuesday, August 30, 2011 6:25 PM
To: Wu, Daisy; [email protected]
Subject: RE: OpenLDAP client test program connecting to LDAP server over SSL failed

> It failed because of this error: ldap_sasl_bind_s: Can't contact LDAP server
> (-1) error:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed

Hi Daisy,

I have noticed that sometimes, depending on the version of OpenSSL you are linking the LDAP libraries to, it will throw this error. So what I did was:

-- create an environment variable LDAPCONF
-- create a file called ldap_ssl_cert_config and placed the following line in it: TLS_CACERTDIR /etc/pki/tls
-- ran my program

Then it worked and I did not get the error anymore. Hope this helps.

cheers,
Ven
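The procedure Ven describes (an ldap.conf-style file named through LDAPCONF, carrying a TLS_CACERTDIR line that points at the system CA store) as a runnable POSIX shell script. This is an added example, not code from Ven or Daisy: the candidate CA paths are assumptions for Red Hat (/etc/pki/tls/certs and its ca-bundle.crt) and Debian/Ubuntu (/etc/ssl/certs and ca-certificates.crt), and it generalises slightly beyond the thread by preferring a TLS_CACERT bundle file where one exists, because ldap.conf(5) requires a TLS_CACERTDIR directory to carry OpenSSL c_rehash hash links.

```shell
# Added example (not Ven's or Daisy's code): generate the ldap.conf-style file
# that libldap reads through LDAPCONF and point it at the host's CA store.
# The candidate paths are assumptions for Red Hat (/etc/pki/tls/...) and
# Debian/Ubuntu (/etc/ssl/...); adjust them for your OS and OpenSSL build.

# Print the directive for the first CA store found on this host.
# A single bundle file (TLS_CACERT) is preferred because TLS_CACERTDIR
# requires a directory laid out with OpenSSL's c_rehash hash links.
find_ca_store() {
  for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
    if [ -f "$f" ]; then
      printf 'TLS_CACERT %s\n' "$f"
      return 0
    fi
  done
  for d in /etc/pki/tls/certs /etc/ssl/certs; do
    if [ -d "$d" ]; then
      printf 'TLS_CACERTDIR %s\n' "$d"
      return 0
    fi
  done
  return 1
}

# Write the client config at $1; $2 is the "TLS_CACERT... <path>" line.
# TLS_REQCERT demand is the library default; spelling it out records that a
# "certificate verify failed" is fixed by trusting the right CA, not by
# relaxing verification.
write_ldap_conf() {
  conf=$1
  ca_line=$2
  {
    printf '%s\n' "$ca_line"
    printf 'TLS_REQCERT demand\n'
  } > "$conf"
}

# Read one directive back: conf_value FILE KEY -> value (empty if absent).
conf_value() {
  awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# End-to-end: build ~/ldap_ssl_cert_config (the file name used in the thread)
# and export LDAPCONF so a client started from this shell picks it up.
main() {
  ca_line=$(find_ca_store) || { echo "no known CA store found" >&2; return 1; }
  conf="${HOME:-/tmp}/ldap_ssl_cert_config"
  write_ldap_conf "$conf" "$ca_line"
  LDAPCONF=$conf
  export LDAPCONF
  echo "LDAPCONF=$LDAPCONF"
  cat "$conf"
}

# Run the end-to-end step only when asked, so the functions can also be sourced.
if [ "${1:-}" = run ]; then main; fi
```

Because `export` only affects the current process, source the file (`. ./ldap_tls_setup.sh` and then call `main`) rather than running it as a child script if the test program is to be launched from the same shell. With LDAPCONF exported, a quick check that the CA store is now trusted is `ldapwhoami -x -H ldaps://<your-server>` (assuming the OpenLDAP client tools are installed); if it still reports the SSL3_GET_SERVER_CERTIFICATE verify failure, the chosen store does not contain the CA that issued the server's certificate.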
