I have also revised my /etc/ldap.conf on the client to read:

uri ldaps://LBSD2.summitnjhome.com/
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password crypt

I have also tried using uri ldap://LBSD2.summitnjhome.com/ with the same results as before. Thanks again.

On Sun, Nov 28, 2010 at 1:49 PM, bluethundr <[email protected]> wrote:
> Hi Erik,
>
> Sorry, I am clear on that now. I have tried the -h value that matches
> the one in the cert, but I get the same result, unfortunately:
>
> [r...@vircent03:~]#ldapsearch -h LBSD2.summitnjhome.com -b "dc=summitnjhome,dc=com" -Z -D "cn=Manager,dc=summitnjhome,dc=com" "(objectclass=sudoRole)" -W
> ldap_start_tls: Connect error (-11)
>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Enter LDAP Password:
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> [r...@vircent03:~]#openssl s_client -connect LBSD2.summitnjhome.com:389 -showcerts -CAfile /usr/local/etc/openldap/certs/cacerts/all.crt
> 10504:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('/usr/local/etc/openldap/certs/cacerts/all.crt','r')
> 10504:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
> 10504:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:279:
> CONNECTED(00000003)
> 10504:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
>
> Thanks again for following up!
>
> On Sun, Nov 28, 2010 at 1:23 PM, Erik Norgaard <[email protected]> wrote:
>> On 28/11/10 18.51, bluethundr wrote:
>>
>>> Yes, the hostname is in the CN of the cert file. So I agree that -h is
>>> not the issue. :)
>>> [r...@vircent03:~]#ldapsearch -h ldap -b "dc=summitnjhome,dc=com" -Z -D "cn=Manager,dc=summitnjhome,dc=com" "(objectclass=sudoRole)" -W
>>
>> Maybe I didn't make myself clear: the host name you use to connect to (-h),
>> in your command line example above, ldap, must be the same as the CN of the
>> server certificate. It is irrelevant whether the server's hostname is the same
>> as the CN.
>>
>> That might be why you get
>>
>>> ldap_start_tls: Connect error (-11)
>>>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>
>> Try
>>
>> -h LBSD2.summitnjhome.com
>>
>> BR, Erik
>>
>> _______________________________________________
>> [email protected] mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "[email protected]"
>
> --
> Here's my RSA Public key:
> gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3

--
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3
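An added example, not from anyone in the thread: a shell script that runs the three checks this exchange is circling. First, that the -CAfile path actually exists and holds a PEM certificate (the s_client run above died on fopen before any TLS happened). Second, that the name passed to -h or put in the ldap.conf URI appears in the server certificate, as Erik describes, with the usual CN/SAN and wildcard rules. Third, a STARTTLS probe on port 389 that sends the LDAP StartTLS request first, which a bare "openssl s_client -connect host:389" does not do, so that command fails the handshake against a cleartext LDAP port no matter what the certificate looks like. The host and CA path are the ones quoted in the thread; the function names, the LDAP_HOST/CAFILE variables and the "run" argument are this example's own assumptions, and -starttls ldap requires OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not part of the thread: a diagnostic for the
# "certificate verify failed" seen above with ldapsearch -Z.
# Host and CA path come from the thread; function and variable
# names are this script's own assumptions.

LDAP_HOST="${LDAP_HOST:-LBSD2.summitnjhome.com}"
CAFILE="${CAFILE:-/usr/local/etc/openldap/certs/cacerts/all.crt}"

# 1. The CA bundle must exist, be readable and contain at least one PEM
#    certificate. The quoted s_client run failed right here
#    (fopen: No such file or directory), so its later errors mean nothing.
check_cafile() {
    if [ ! -r "$1" ]; then
        echo "CA file '$1' is missing or unreadable" >&2
        return 1
    fi
    if ! grep -q 'BEGIN CERTIFICATE' "$1"; then
        echo "CA file '$1' contains no PEM certificate" >&2
        return 1
    fi
    return 0
}

# 2. The name used to connect (-h, or the URI host) must equal the CN or
#    one of the SAN dNSNames in the server certificate. Comparison is
#    case-insensitive; a leading "*." matches exactly one DNS label.
#    Whether the server's own hostname equals the CN does not matter.
name_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    shift
    for name in "$@"; do
        name=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        case "$name" in
            \*.*)
                suffix="${name#\*.}"
                rest="${host%.$suffix}"
                # rest must be exactly one label: non-empty and without a dot
                if [ "$rest" != "$host" ] && [ -n "$rest" ] && [ "${rest#*.}" = "$rest" ]; then
                    return 0
                fi
                ;;
            *)
                if [ "$host" = "$name" ]; then
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# 3. Do what ldapsearch -Z does: open cleartext LDAP on 389, send StartTLS,
#    then negotiate TLS. Without -starttls ldap, s_client speaks TLS to a
#    cleartext port and reports "ssl handshake failure". -starttls ldap
#    needs OpenSSL 1.1.1+; on older releases probe port 636 without it.
probe_starttls() {
    openssl s_client -starttls ldap -connect "$1:389" -CAfile "$2" -showcerts </dev/null 2>/dev/null
}

# Read probe output on stdin; print the CN and SAN dNSNames of the first
# (server) certificate, one per line.
cert_names() {
    cert=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' | sed '/-----END CERTIFICATE-----/q')
    printf '%s\n' "$cert" | openssl x509 -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
    printf '%s\n' "$cert" | openssl x509 -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Driver; only runs when invoked as: sh ldap_tls_check.sh run
if [ "${1:-}" = "run" ]; then
    check_cafile "$CAFILE" || exit 1
    out=$(probe_starttls "$LDAP_HOST" "$CAFILE") || { echo "STARTTLS handshake with $LDAP_HOST failed" >&2; exit 1; }
    printf '%s\n' "$out" | grep 'Verify return code'
    names=$(printf '%s\n' "$out" | cert_names)
    # shellcheck disable=SC2086
    if name_matches "$LDAP_HOST" $names; then
        echo "$LDAP_HOST matches a name in the server certificate"
    else
        echo "$LDAP_HOST is not among the certificate names: $names" >&2
        exit 1
    fi
fi
```

Run it as "sh ldap_tls_check.sh run"; without the argument it only defines the functions. A name match is necessary but not sufficient: the "Verify return code" line printed by the probe must also read 0 (ok), otherwise the certificates in the CA file do not sign the server certificate and ldapsearch -Z will keep failing with the same verify error even when -h is right.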
