Hey Peter,
On Wed, Mar 7, 2012 at 2:13 AM, Peter Hawkins <[email protected]>wrote:
>
> >> TLS_CACERT /.../eLearningPublic.pem
> >The path to your TLS_CACERT doesn't look right.
>
> Sorry for the confusion. I used:
>
> TLS_CACERT /usr/local/etc/openldap/certs/eLearningPublic.pem
>
Did you already verify the certificate sent by Active Directory when
connecting with s_client to port 636?
openssl s_client -connect ${hostname_or_ip}:636 \
    -CAfile /usr/local/etc/openldap/certs/eLearningPublic.pem
Somewhere in the output of s_client, you will find:
-8<----------------
[..]
Server certificate
-----BEGIN CERTIFICATE-----
[..]
-----END CERTIFICATE-----
[..]
-8<----------------
Copy the certificate starting with the "-----BEGIN CERTIFICATE-----" line
and ending with (including) the "-----END CERTIFICATE-----" into a file,
e.g. "activedir.pem".
After that, do
openssl x509 -noout -text -in activedir.pem
and compare that to your "eLearningPublic.pem".
If it differs from your "eLearning.pem", you should check whether the
server provided certificate is self-signed or a CA chain is required.
The certificate used with StartTLS MAY be different from that used for
LDAPS, but I would not expect that from an Active Directory.
Also, you SHOULD check in with your Active Directory contact to check the
"loginname" (UPN), password certificate chain.
Regards, Linus
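The extract-and-compare procedure Linus describes, as an added shell example that is not part of the original thread. It assumes you have saved the `openssl s_client` output to a file; the transcript, host name (`dc01.example.test`) and PEM bodies below are constructed placeholders, not real certificates, and the file names (`activedir.pem`, `eLearningPublic.pem`) follow the thread.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Extracts the server
# certificate from saved `openssl s_client` output and compares it with the
# CA file configured as TLS_CACERT. All sample content below is constructed.

# extract_server_cert FILE: print the first PEM certificate block in the
# s_client output (the "Server certificate" section), BEGIN/END lines included.
extract_server_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         p && /-----END CERTIFICATE-----/ { exit }' "$1"
}

# compare_with_cacert SERVER_PEM CACERT_PEM: prints "same" when the server
# sent exactly the certificate you trust directly (a self-signed server cert
# in TLS_CACERT), "differs" when TLS_CACERT must instead hold the issuing
# chain for the server certificate to verify.
compare_with_cacert() {
    if cmp -s "$1" "$2"; then echo same; else echo differs; fi
}

# verify_chain SERVER_PEM CACERT_PEM: the real check, once you have both
# files; exit status is non-zero if the chain does not validate.
verify_chain() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 2; }
    openssl verify -CAfile "$2" "$1"
}

TMPDIR_EX=$(mktemp -d)
SCLIENT_OUT="$TMPDIR_EX/s_client.out"
CACERT="$TMPDIR_EX/eLearningPublic.pem"
SERVER_PEM="$TMPDIR_EX/activedir.pem"

# Constructed s_client transcript; the base64 body is a placeholder.
cat > "$SCLIENT_OUT" <<'EOF'
CONNECTED(00000003)
depth=0 CN = dc01.example.test
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = dc01.example.test
   i:CN = Example Test CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB...PLACEHOLDER-SERVER-CERT...
-----END CERTIFICATE-----
subject=CN = dc01.example.test
issuer=CN = Example Test CA
---
EOF

# Constructed TLS_CACERT file (placeholder body, not a real CA certificate).
cat > "$CACERT" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIB...PLACEHOLDER-CA-CERT...
-----END CERTIFICATE-----
EOF

extract_server_cert "$SCLIENT_OUT" > "$SERVER_PEM"
compare_with_cacert "$SERVER_PEM" "$CACERT"   # prints: differs
```

With real files, run `verify_chain activedir.pem eLearningPublic.pem` after the extraction: "differs" from `compare_with_cacert` is only a hint that the server certificate is not the CA certificate itself, and `openssl verify` is what tells you whether the CA file actually contains the chain that issued it.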