
Re: Working with TLS/SSL with slapd 2.1.26-1 (sid)?



(Repost. Looks like murphy.debian.org gave me a 550 because of
Jarle's name. I can't see why Norwegian names should give an error. My
headers look quite right, otherwise.
  Content-Type: text/plain; charset=iso-8859-1
  Content-Transfer-Encoding: 8bit
But hey. I'm no mail-guru. ;)

[ Jarle Osmund Vågen ]

> Hi!
>
>
> I think some on this list is working with TLS/SSL with slapd 2.1.26-1 (sid).
>
> if so you should notice this bug report:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=234593

Not enough information. Is the upgrade from 2.0.X to 2.1.26? Is the
CA cert self-signed (or made with a self-made CA)? If so, you'll have to
put

  TLS_CACERT /path/to/your/cacert.pem

in the ldap.conf your libraries[*] use.

OpenLDAP 2.1 cleans up some of the misfeatures in 2.0.
Certificate handling is one of them (in 2.0 you didn't need the CA cert
in your ldap.conf. The server would pretty much let you in anyway,
AFAIR). 2.1 has a stricter policy.

I guess this may be unrelated to this bug report[**], but worth
mentioning. The bug report doesn't supply enough info, as I said.

Side-note:
How goes the work of replacing openssl with gnutls?

[*] /etc/ldap.conf is only used when OpenLDAP is configured with this
path. Some variables are for applications. Others are read by libldap
when no others are supplied, and there are some which are for libldap
only. E.g. host/uri is read when ldapsearch doesn't get a -h or -H.

[**] With no CA cert in ldap.conf you'll get something like this:

mathiasm@shaitan:~/$ ldapsearch -x -h ldap.uio.no -ZZ
ldap_start_tls: Connect error (91)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

ldaps on the other hand:
mathiasm@shaitan:~/Download$ ldapsearch -x -H ldaps://ldap.uio.no
ldap_bind: Can't contact LDAP server (81)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

-- 
Mathias Meisfjordskar
GNU/Linux addict.

"If it works; HIT IT AGAIN!"
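Added example, not part of the original post or of OpenLDAP itself: a small POSIX sh audit of a client ldap.conf that checks the TLS_CACERT setting discussed above (present, readable, actually a PEM certificate bundle) and also flags a TLS_REQCERT of "never" or "allow" from ldap.conf(5), which would bring back the 2.0-style "let you in anyway" behaviour. File paths used by the function are whatever the audited ldap.conf names; nothing here is taken from the bug report.

```shell
#!/bin/sh
# audit_ldap_conf CONF
#   Exit status 0 when TLS_CACERT names a readable PEM bundle and
#   TLS_REQCERT does not disable server certificate verification,
#   1 otherwise. Reasons are written to stderr.
audit_ldap_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }

    # ldap.conf keywords are case-insensitive and the last occurrence
    # wins, so strip comments and keep the final value of each keyword.
    cacert=$(sed 's/#.*//' "$conf" |
             awk 'tolower($1)=="tls_cacert" {v=$2} END {print v}')
    reqcert=$(sed 's/#.*//' "$conf" |
              awk 'tolower($1)=="tls_reqcert" {v=tolower($2)} END {print v}')

    status=0
    if [ -z "$cacert" ]; then
        echo "TLS_CACERT not set: StartTLS/ldaps will fail with" \
             "'certificate verify failed' unless the CA is in the default store" >&2
        status=1
    elif [ ! -r "$cacert" ]; then
        echo "TLS_CACERT $cacert is not readable" >&2
        status=1
    elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cacert"; then
        echo "TLS_CACERT $cacert contains no PEM certificate" >&2
        status=1
    fi

    # never/allow accept an unverifiable server cert: the 2.0 behaviour.
    case "$reqcert" in
        never|allow)
            echo "TLS_REQCERT $reqcert accepts unverified server certificates" >&2
            status=1 ;;
    esac
    return $status
}
```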
