On 01/29/2013 01:22 AM, Chris wrote:
Hi
I am running Openldap 2.4.23 on RHEL6. I can telnet to the server on
both ports 389 and 636.
I can do an ldapsearch and ldapadd without any errors. I get this error
when I start the slapd daemon.
ldap_start_tls_s() failed: Can't contact LDAP server: Transport
endpoint is not connected (uri="ldap://ldapserver")
failed to bind to LDAP server ldap://ldapserver: Can't contact LDAP
server: Transport endpoint is not connected
When I do a ldapsearch -x -d1 -Z -b 'dc=flamengro,dc=co,dc=za'
I get the following error
TLS: certificate [CA certificate details omitted here...] is not
valid - error -8172:Peer's certificate issuer has been marked as not
trusted by the user..
TLS: error: connect - force handshake failure: errno 0 - moznss
error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has
been marked as not trusted by the user..
ldap_err2string
ldap_start_tls: Connect error (-11)
        additional info: TLS error -8172:Peer's certificate issuer has
been marked as not trusted by the user
"Peer's certificate issuer has been marked as not trusted by the user" -
this means the issuer (the CA) that issued the certificate of the server
(the peer) is not trusted by the user (the ldapsearch client). This
usually means you have not told ldapsearch (via ldap.conf or .ldaprc)
about the CA cert of the CA that issued the server cert.
Any help will be appreciated.
This is my slapd.conf file
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCipherSuite HIGH
TLSCertificateFile /etc/pki/tls/certs/slapdcert.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapdkey.pem
TLSVerifyClient never
database bdb
suffix "dc=flamengro,dc=co,dc=za"
checkpoint 1024 15
rootdn "cn=Manager,dc=flamengro,dc=co,dc=za"
rootpw secret
directory /var/lib/ldap/flamengro
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
database monitor
# allow only rootdn to read the monitor
access to *
by dn.exact="cn=Manager,dc=flamengro,dc=co,dc=za" read
by * none
access to attrs=userPassword,shadowLastChange
by anonymous auth
by self write
by * none
I
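The client-side fix the reply describes (telling ldapsearch, via ldap.conf or .ldaprc, which CA issued the server certificate) is easy to get wrong in the other direction: a common reaction to error -8172 is to set TLS_REQCERT never, which silences the error by skipping server verification altogether. The following is an added example, not code from the thread or from the OpenLDAP project: a small linter that parses ldap.conf syntax and reports a missing CA (TLS_CACERT / TLS_CACERTDIR, both real ldap.conf(5) directives) or a TLS_REQCERT value that disables verification. The two sample configs are constructed; the URI and base DN are the ones from the thread, while the CA path /etc/openldap/cacerts/ca.pem is an assumption.

```python
"""Lint an OpenLDAP client configuration (ldap.conf / ~/.ldaprc) for the
trust settings behind "Peer's certificate issuer has been marked as not
trusted by the user".

Added example, not from the original thread.  Sample configs below are
constructed; the CA path /etc/openldap/cacerts/ca.pem is an assumption.
"""
import os
from typing import Callable, Dict, List

# ldap.conf(5) directives that tell the client which CA(s) to trust.
TRUST_KEYS = ("TLS_CACERT", "TLS_CACERTDIR")
# TLS_REQCERT values under which an untrusted issuer is NOT rejected.
# They make error -8172 disappear by skipping the check, not by fixing trust.
WEAK_REQCERT = ("never", "allow")


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse ldap.conf syntax: one 'KEY value' per line, lines starting
    with '#' are comments, keys are case-insensitive, last value wins."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        conf[key] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def check_tls_trust(conf: Dict[str, str],
                    path_exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return findings (empty list means trust is configured sanely).
    path_exists is injectable so constructed configs can be checked
    without touching the real filesystem."""
    findings: List[str] = []
    trust = {k: conf[k] for k in TRUST_KEYS if k in conf}
    if not trust:
        findings.append(
            "no TLS_CACERT or TLS_CACERTDIR: the client has no CA to trust, "
            "so the server certificate's issuer will be rejected")
    for key, path in trust.items():
        if not path_exists(path):
            findings.append(f"{key} points at {path}, which does not exist")
    # ldap.conf(5): TLS_REQCERT defaults to "demand" when unset.
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert in WEAK_REQCERT:
        findings.append(
            f"TLS_REQCERT {reqcert}: the server certificate is not verified, "
            "so StartTLS no longer authenticates the server (fix trust instead)")
    return findings


def lint(text: str, path_exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Convenience wrapper: parse the config text and check it."""
    return check_tls_trust(parse_ldap_conf(text), path_exists)


# Constructed sample 1: the usual "make the error go away" config.
WEAK_CONF = """\
URI  ldap://ldapserver
BASE dc=flamengro,dc=co,dc=za
# no CA configured; verification simply switched off
TLS_REQCERT never
"""

# Constructed sample 2: the fix the reply describes, a CA file the client
# trusts.  The path is an assumption, not from the thread.
FIXED_CONF = """\
URI  ldap://ldapserver
BASE dc=flamengro,dc=co,dc=za
TLS_CACERT  /etc/openldap/cacerts/ca.pem
TLS_REQCERT demand
"""


if __name__ == "__main__":
    # Pretend the assumed CA file exists so the sample runs offline.
    def fake_fs(path: str) -> bool:
        return path == "/etc/openldap/cacerts/ca.pem"

    for name, text in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(f"{name}: {lint(text, fake_fs) or ['ok']}")
```

With the default `os.path.exists` the linter also catches the case where TLS_CACERT is set but points at a file that was never copied to the client, which produces the same -8172 failure as having no CA at all.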