I am failing to authenticate through the ldap proxy and I am seeing this error coming in continuously:

TLS certificate verification: Error, self signed certificate in certificate chain

TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain).

Any suggestions how to resolve this?

Here is my slapd.conf.

> ### Schema includes
> ##########################################################
> include                 /etc/openldap/schema/core.schema
> include                 /etc/openldap/schema/cosine.schema
> include                 /etc/openldap/schema/inetorgperson.schema
> include                 /etc/openldap/schema/misc.schema
> include                 /etc/openldap/schema/nis.schema
> ## Module paths
> ##############################################################
> modulepath              /usr/lib64/openldap/
> moduleload              back_ldap
> # Main settings
> ###############################################################
> pidfile                 /var/run/openldap/slapd.pid
> argsfile                /var/run/openldap/slapd.args
> sizelimit               unlimited
> TLSCACertificateFile    /root/data/certs/ldap.crt
> TLSCertificateFile      /root/data/certs/ldap.crt
> TLSCertificateKeyFile   /root/data/certs/ldap.key
> ### Database definition (Proxy to Corp LDAP)
> #########################################
> database                ldap
> readonly                yes
> protocol-version        3
> rebind-as-user          yes
> uri                     "ldaps://192.168.1.100:636"
> suffix                  "ou=People,dc=example,dc=net"
> ### Logging
> ###################################################################
> loglevel                0

It had been working until last week when IT changed their ldap certificate.


I generate the certificate using this command:

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /root/data/certs/ldap.key -out /root/data/certs/ldap.crt -subj "/CN=host.example.net/OU=Example/O=Example/L=City/ST=ST/C=US"

So I recreated it against the same IT ldap server, so I do have the new cert and keys produced the same way as before.

All new authentications are failing now.

-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
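As an added example, not code from the original post, the script below reproduces the "self signed certificate in certificate chain" verify failure offline: a constructed corporate CA signs a constructed server certificate, and the presented chain is checked with `openssl verify` first using a self-signed proxy certificate as the CA file (the situation in the posted slapd.conf, where TLSCACertificateFile points at the proxy's own ldap.crt) and then using the upstream CA. All subject names and paths are constructed; only the openssl CLI is required.

```shell
#!/bin/sh
# Added example, not the original poster's configuration. Reproduces the
# "self signed certificate in certificate chain" verify error offline.
# Every subject name and file below is constructed for the demo.
set -eu
WORK=$(mktemp -d)

# Constructed upstream ("Corp") CA and the LDAP server certificate it signs.
openssl req -x509 -nodes -days 30 -newkey rsa:2048 -subj "/CN=Corp LDAP CA" \
  -keyout "$WORK/corp-ca.key" -out "$WORK/corp-ca.crt" 2>/dev/null
openssl req -nodes -newkey rsa:2048 -subj "/CN=ldap.corp.example.net" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -days 30 -in "$WORK/server.csr" -CA "$WORK/corp-ca.crt" \
  -CAkey "$WORK/corp-ca.key" -CAcreateserial -out "$WORK/server.crt" 2>/dev/null
# Chain as the upstream server would present it: leaf, then its issuer.
cat "$WORK/server.crt" "$WORK/corp-ca.crt" > "$WORK/chain.pem"

# The proxy's own self-signed cert, generated like the posted openssl req.
openssl req -x509 -nodes -days 30 -newkey rsa:2048 -subj "/CN=host.example.net" \
  -keyout "$WORK/ldap.key" -out "$WORK/ldap.crt" 2>/dev/null

# verify_chain CAFILE: validate the presented chain with CAFILE as the
# trust anchor. Prints openssl's verdict; exit status is openssl's.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$WORK/chain.pem" "$WORK/server.crt" 2>&1
}

# Trusting only the proxy's own cert fails with the error from the post.
verify_chain "$WORK/ldap.crt" || true
# Trusting the upstream CA succeeds: "<path>/server.crt: OK".
verify_chain "$WORK/corp-ca.crt"
```

For back-ldap, the CA used to verify the upstream ldaps:// server is a client-side setting (tls_cacert= on the database's tls directive, see slapd-ldap(5), or TLS_CACERT in ldap.conf), separate from the TLSCACertificateFile that governs the proxy's own listener.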