Hi, did you provide the FQDN (e.g. server1.example.com) in the common name section while creating the certificate?
Hope the permissions of the files are also correct.

Regards,
Neo

On Fri, Sep 16, 2011 at 9:57 AM, vijay s sheelavantar <[email protected]> wrote:
> Hi,
> I am trying to configure LDAP client/server on 2 Fedora-10 Linux machines.
>
> I have installed and configured openldap-2.4.26 server on one machine and
> pam_ldap-186, nss_ldap-265 on the other machines.
>
> I have created the TLS certificates using the following command on the server.
>
> openssl req -newkey rsa:1024 -x509 -nodes -out server.pem \
>     -keyout server.pem -days 3650
>
> and I have created the client.pem by copying the CERTIFICATE portion of the
> server.pem.
>
> When my client tries to connect to the server I get the following errors.
>
> TLS trace: SSL3 alert read:fatal:unknown CA
> TLS trace: SSL_accept:failed in SSLv3 read client certificate A
> TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
> connection_read(12): TLS accept failure error=-1 id=1012, closing
> connection_closing: readying conn=1012 sd=12 for close
> connection_close: conn=1012 sd=12
> daemon: removing 12
> conn=1012 fd=12 closed (TLS negotiation failure)
>
> My configurations are as follows.
>
> slapd.conf
>
> access to attrs=userPassword
>     by self write
>     by anonymous auth
>     by * none
>
> access to *
>     by * read
>
> #TLS Certificate section
> TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
> TLSCACertificateFile /etc/openldap/cacerts/server.pem
> TLSCertificateFile /etc/openldap/cacerts/server.pem
> TLSCertificateKeyFile /etc/openldap/cacerts/server.pem
> TLSVerifyClient allow
>
> and client side ldap.conf
>
> base dc=samsung,dc=com
> uri ldaps://10.254.204.181/
> TLS_CACERT /etc/openldap/cacerts/client.pem
> pam_password md5
>
> nsswitch.conf
>
> passwd: files ldap
> shadow: files ldap
> group: files ldap
>
> netgroup: files ldap
> automount: files ldap
>
> I am not getting why it is saying Unknown CA, even though the certificate
> is created on the server machine itself.
>
> Kindly help me to solve this problem.
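A small diagnostic script for the failure described in the thread, added here and not written by either poster: it rebuilds client.pem from the CERTIFICATE block only (so the server's private key never leaves the server), lists file permissions, and runs the same trust check the client performs before it sends the "unknown CA" alert that slapd logs. It assumes the thread's file paths and an openssl binary on PATH; the PEM contents in the self-check are constructed stand-ins.

```shell
#!/bin/sh
# Added diagnostic for the "unknown CA" failure above; not from either poster.
# Assumes the thread's paths and an openssl binary on PATH. Any PEM used in a
# self-check is a constructed stand-in, not a real key or certificate.

# Print only the CERTIFICATE block(s) of a combined key+cert PEM. This is the
# "copy the CERTIFICATE portion" step done mechanically, so the file handed to
# clients never carries the server's private key.
extract_cert_pem() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# Succeeds when the file still contains a private key (client.pem must not).
has_private_key() {
    grep -q 'PRIVATE KEY-----' "$1"
}

# Show the subject (the CN should match the name the client puts in its uri)
# and check that the server certificate verifies against the CA file the
# client was given. A failure here is the same trust decision the client
# makes before it sends the "unknown CA" alert seen in the slapd log.
check_server_cert() {
    ca="$1"; cert="$2"
    openssl x509 -in "$cert" -noout -subject -enddate
    openssl verify -CAfile "$ca" "$cert"
}

# Ownership and mode: the key-bearing file should be readable only by the
# account slapd runs as; the CA file must be readable by the client daemons.
show_perms() {
    ls -l "$@"
}

# Run all checks: $1 = CA file used by the client, $2 = server cert/key file.
diagnose() {
    if has_private_key "$1"; then
        echo "WARNING: $1 contains a private key; rebuild it with extract_cert_pem" >&2
    fi
    show_perms "$1" "$2"
    check_server_cert "$1" "$2"
}

# Usage: sh tls-check.sh /etc/openldap/cacerts/client.pem /etc/openldap/cacerts/server.pem
if [ $# -eq 2 ]; then
    diagnose "$1" "$2"
fi
```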
