Hi all,

I have managed to install OpenLDAP 2.4 on a RHEL 5.2 workstation. The basic
OpenLDAP without TLS/SSL works fine. On the server itself and from the
client I was able to do ldapsearch. However, after I created a server.pem by
going through this:
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS
(Quick HOWTO : Ch31 : Centralized Logins Using LDAP and RADIUS - Linux Home
Networking),
ldapsearch on the LDAP server itself does not work anymore. The summary of
the configuration is as below:

server.pem is created in /usr/local/etc/openldap/cacerts and client.pem is
in /etc/openldap/cacerts. client.pem is also copied to the clients, and ldapsearch
works fine from a client workstation. However, on the LDAP server itself it
does not. The output of /etc/ldap.conf looks like below:

uri ldaps://syna-ldap-02.synamatix.com/
tls_cacertdir /etc/openldap/cacerts
pam_password md5

My /usr/local/etc/openldap/slapd.conf TLS portion looks like below:

TLSCipherSuite          HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificateFile  /usr/local/etc/openldap/cacerts/server.pem
TLSCertificateFile      /usr/local/etc/openldap/cacerts/server.pem
TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/server.pem
TLSVerifyClient          allow

The error from ldapsearch -x -H ldaps://syna-ldap-02.synamatix.com -d127 on
the server itself is as below:

TLS certificate verification: depth: 0, err: 18, subject:
/C=MY/ST=KL/L=MV/O=MGRC/OU=IT/CN=
syna-ldap-02.synamatix.com/[email protected], issuer:
/C=MY/ST=KL/L=MV/O=MGRC/OU=IT/CN=
syna-ldap-02.synamatix.com/[email protected]
TLS certificate verification: Error, self signed certificate
tls_write: want=7, write=7
   0000: 15 03 01 00 02 02 30
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed
certificate).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

On the server end, as I started it in debug mode, I get the errors below:
TLS trace: SSL3 alert read: fatal: unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
unknown ca.
connection_read(13): TLS accept failure error=-1 id=1010,closing
.....

Why is it that ldapsearch from the client workstation works fine but not on the
LDAP server itself? It is so baffling. It is fine without TLS activated. I
have been working on this for 1 week! The information online does not seem
to cover this weird incident of mine.

Hope to receive some assistance really soon. If you need files and
attachments, please inform me. Thanks and Happy new year guys!!!!

-- 
MGRC - Accelerating Your Journey of Discovery
Su Seau Yeen
Assistant Manager IT Operations
Malaysian Genomics Resource Centre Berhad (MGRC)
T: +6 03 2283 1820 | F: +6 03 2282 8102 | M: +6 012 6784642 | www.mgrc.com.my

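An added check, written for this thread and not taken from the post or the linked HOWTO. With an OpenSSL-built OpenLDAP, a CA *directory* (tls_cacertdir on the client side, TLSCACertificatePath in slapd.conf) is searched by file name: OpenSSL opens <subject-hash>.0, the layout that c_rehash produces, and a directory that only holds a file called client.pem is, to the verifier, empty. The script below builds a self-signed server certificate, verifies it against an empty CA directory (which reproduces verify error 18, the "err: 18 ... self signed certificate" in the post's debug output), installs a hash-named copy, and verifies again. Everything is created in a scratch directory; the host name ldap.example.test and the file names are assumptions for the example, and the openssl command line is the only requirement.

```shell
#!/bin/sh
# Added example, not from the original post or the HOWTO it links.
# Shows what an OpenSSL-based client (ldapsearch included) needs from a
# tls_cacertdir / TLSCACertificatePath directory: a copy of the issuing
# certificate stored under its subject-hash file name (<hash>.0), which is
# what c_rehash creates. A directory holding only foo.pem yields verify
# error 18 ("self signed certificate") for a self-signed server certificate.
set -eu

# Create a self-signed server key + certificate in DIR for the given CN.
# server.pem holds key and certificate together, like the HOWTO's server.pem.
make_selfsigned() {
  dir=$1; cn=$2
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$cn" \
    -keyout "$dir/server.key" -out "$dir/server.crt" >/dev/null 2>&1
  cat "$dir/server.key" "$dir/server.crt" > "$dir/server.pem"
}

# Install CERT into CADIR under the hashed file name OpenSSL looks up.
# (OpenSSL 0.9.8, as shipped with RHEL 5, uses the older hash; on 1.0 and
# later the flag that reproduces it is -subject_hash_old.)
hash_into_cadir() {
  cert=$1; cadir=$2
  mkdir -p "$cadir"
  h=$(openssl x509 -in "$cert" -noout -subject_hash)
  cp "$cert" "$cadir/$h.0"
}

# Verify CERT against CADIR the way the LDAP client does.
# Prints "ok", or "error N" with the X509 verify code (18 = self-signed
# certificate at depth 0, the code in the post's client-side debug output).
verify_against_cadir() {
  cert=$1; cadir=$2
  out=$(openssl verify -CApath "$cadir" "$cert" 2>&1) && { echo ok; return 0; }
  code=$(printf '%s\n' "$out" \
    | sed -n 's/.*error \([0-9][0-9]*\) at [0-9]* depth.*/\1/p' | head -n 1)
  echo "error ${code:-unknown}"
}

# Walk through the failing and the working case in a scratch directory.
demo() {
  work=$(mktemp -d)
  make_selfsigned "$work/srv" "ldap.example.test"   # hypothetical host name
  mkdir -p "$work/cacerts"                           # the CA dir, still empty
  before=$(verify_against_cadir "$work/srv/server.crt" "$work/cacerts")
  hash_into_cadir "$work/srv/server.crt" "$work/cacerts"
  after=$(verify_against_cadir "$work/srv/server.crt" "$work/cacerts")
  rm -rf "$work"
  echo "before=$before after=$after"
}

demo
```

Two things worth checking on a real box against the same logic: `ls` of the directory named in the config should show <hash>.0 entries (running `c_rehash <dir>` creates them), and the command-line tools and the PAM/NSS side read different files. ldapsearch uses libldap's /etc/openldap/ldap.conf (TLS_CACERT / TLS_CACERTDIR), while /etc/ldap.conf with pam_password in it is the nss_ldap/pam_ldap configuration (tls_cacertfile / tls_cacertdir); a directory setting in either one needs the hashed names, whereas a file setting takes the PEM file as-is.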