I ran into this problem about a year ago. It took me about 3 months to resolve. The code isn't broken, it works. All these guys are telling you the detail, and detail is important. But.... My problem was resolved when I understood the concept: CA self-signed certificate [or just a certificate]. Read through how that is supposed to work logically: I sat down with another sys admin and I explained it to him, and then looked at what I had done [actually that forced me to look at what I had done]. I had not done what I had explained had to be done. Well, that was stupid, but it was easy to fix.
The self-signed certificate doc is at WWW.openladap.org/faq/data/cache/185.html. You might want to review it from a logical standpoint, and understand what the objective is. Then it's easy to set up. Sometimes it's not the razor, sometimes it's your face. Hope that clears up [well, not your face, just...] the problem. I am sure your face was excellent to begin with.

tob

On 10/15/12 1:11 PM, "Aaron Richton" <[email protected]> wrote:

> On Mon, 15 Oct 2012, Darouichi, Aziz wrote:
>
>> This is the link I followed to create the CA and sign it
>> http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#7.0
>
> Did you read the "Note" at the top of that paper? Worth considering...
>
>> if I run cert check from client using the following
>> openssl s_client -connect ldap-ssl.curry.edu:636 -CApath
>> /opt/local/etc/openldap/caert.pem
>
> 1. Again, did you really make a directory named "caert.pem"? Because if
> that's a file, I believe that should be -CAfile instead. (Same as I said
> that your TLS_CACERTDIR should probably be a TLS_CACERT ldap.conf
> directive.)
>
> 2. In your previous example it was "cacert.pem" but now I see "caert.pem".
> Whatever's actually on your filesystem -- make sure that you're using it,
> typo-free. It's unlikely that they're both correct.
>
> Providing us the output of:
>
> "ls -ld /opt/local/etc/openldap/caert.pem /opt/local/etc/openldap/cacert.pem"
>
> might be helpful if this isn't clear.
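The -CApath/-CAfile and TLS_CACERTDIR/TLS_CACERT mix-up raised in the quoted reply, as an added example that is not part of the thread: a small sh script that inspects the trust-anchor path before it is handed to openssl s_client and picks the option and ldap.conf directive that match what is actually on disk. The hostname `ldap.example.com` and the hashed-name check (c_rehash-style `<hash>.0` entries) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Decide whether a CA path belongs to
# openssl s_client as -CAfile (one PEM file) or -CApath (a directory that has
# been run through c_rehash), and name the matching ldap.conf directive.

# Prints "-CAfile <path>" or "-CApath <path>"; non-zero exit plus a message on
# stderr when the path is missing or not usable in either form.
ca_trust_arg() {
    p=$1
    if [ -f "$p" ]; then
        # A file must contain at least one PEM certificate block.
        if grep -q 'BEGIN CERTIFICATE' "$p"; then
            printf '%s\n' "-CAfile $p"
            return 0
        fi
        echo "error: $p is a file but holds no PEM certificate" >&2
        return 1
    elif [ -d "$p" ]; then
        # -CApath only finds certificates via hashed names such as 1a2b3c4d.0
        # (assumed c_rehash layout); an un-hashed directory silently fails.
        if ls -A "$p" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'; then
            printf '%s\n' "-CApath $p"
            return 0
        fi
        echo "error: $p is a directory with no hashed entries; run c_rehash or point at the PEM file" >&2
        return 1
    fi
    echo "error: $p does not exist (check the spelling, e.g. caert.pem vs cacert.pem)" >&2
    return 2
}

# ldap.conf line matching the openssl option: TLS_CACERT for a file,
# TLS_CACERTDIR for a hashed directory.
ldap_conf_directive() {
    case $(ca_trust_arg "$1" 2>/dev/null) in
        -CAfile*) echo "TLS_CACERT $1" ;;
        -CApath*) echo "TLS_CACERTDIR $1" ;;
        *) return 1 ;;
    esac
}

# Usage: sh check_ca.sh /opt/local/etc/openldap/cacert.pem [ldap-host]
if [ -n "${1:-}" ]; then
    arg=$(ca_trust_arg "$1") || exit $?
    echo "openssl s_client -connect ${2:-ldap.example.com}:636 $arg"
    ldap_conf_directive "$1"
fi
```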
