From: Kevin <lum...@gn...> - 2005-01-17 22:53:15
Hi List-

My apologies if this is covered in documentation somewhere, but I can't seem to find it. I think I may even have asked this question (or a related one) in this list, but for some reason, reviewing those messages is not helping me resolve this.

The question: how do I tell Luma that a self-signed root CA certificate and those certificates issued/signed by that certificate are valid?

I keep getting this error message in the console when attempting to bind to the server:

    Error during LDAP bind request
    Reason: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}

I can connect to ports 389 and 636 with telnet so I don't think it's a firewall issue. I see the openldap server (v2.2.17) logging the connection from Luma and then closing the connection because of a certificate problem:

    Jan 17 16:13:38 tombstone slapd[11825]: connection_read(21): TLS accept error error=-1 id=64, closing

The hostname of the server (both at the server and as typed into the settings dialog in Luma) matches the hostname on the certificate that I'm trying to use to make an encrypted connection to the server with Luma, so I don't think that's the problem.

I'm using the following relevant settings in my slapd.conf file:

    TLSCACertificatePath /etc/ssl/certs
    TLSCertificateFile /etc/openldap/tombstonecrt.pem
    TLSCertificateKeyFile /etc/openldap/tombstonekey.pem

The relevant information from serverlist.xml in my .luma directory is:

    <!DOCTYPE LumaServerFile>
    <LumaServerList version="1.0" >
    <LumaLdapServer bindAnon="False" port="636" tls="True"...

When I have port="389" and tls="False" I have no problems.
The root CA certificate is present in /etc/ssl/certs, and it verifies ok by openssl:

    # openssl verify \
        -CAfile /etc/ssl/certs/mycacert.pem /etc/openldap/tombstonecrt.pem
    /etc/openldap/tombstonecrt.pem: OK

So I'm thinking that I need to tell Luma that this root CA certificate is ok to trust, but I'm at a loss for how to do this. I can connect with no problem if I just uncheck the "SSL" checkbox in the settings dialog in Luma, but no luck with SSL checked. It looks like that checkbox ("SSL") corresponds with the "tls" setting in serverlist.xml, but as Bjorn Ove Grotan reminded me in this list, ldap over ssl on port 636 is not the same as ldaps on port 389, so I'm wondering if I'm mixed up again between ssl and tls...

TIA for any help.

-Kevin
http://www.gnosys.us
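The "certificate verify failed" in the message above is raised on the client side when it cannot chain the server's certificate to a root it trusts, so the slapd.conf settings and the successful `openssl verify` (which was handed the CA explicitly) do not settle it. The Go program below is an added illustration, not code from Luma or OpenLDAP: it builds a self-signed root CA and a server certificate signed by it (standing in for mycacert.pem and tombstonecrt.pem) and runs the check a TLS client performs in three situations: no CA trusted, CA trusted but hostname wrong, CA trusted and hostname matching. The names ca.example and tombstone.example are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // demo helper: abort on any setup error
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a certificate for cn; a nil parent means self-signed, i.e. the root CA.
func newCert(cn string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, DNSNames: []string{cn}, // name the client compares against
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed: the certificate signs itself
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey))
	return must(x509.ParseCertificate(der)), key
}

// VerifyServerCert is the check a TLS client runs during the handshake: chain the server
// certificate to a trusted root, then compare the hostname. ca stands in for the client's
// CA store; nil means nothing is trusted, which is exactly the "certificate verify failed" case.
func VerifyServerCert(server *x509.Certificate, host string, ca *x509.Certificate) error {
	roots := x509.NewCertPool() // empty pool, not the system store, so only ca counts
	if ca != nil {
		roots.AddCert(ca)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Scenarios returns the outcomes for: no CA trusted, CA trusted but wrong hostname, CA trusted and hostname matches.
func Scenarios() (noCA, badHost, ok error) {
	ca, caKey := newCert("ca.example", true, nil, nil)
	srv, _ := newCert("tombstone.example", false, ca, caKey)
	return VerifyServerCert(srv, "tombstone.example", nil), VerifyServerCert(srv, "other.example", ca), VerifyServerCert(srv, "tombstone.example", ca)
}
```

Only the third scenario verifies, so the fix is to give the client the CA: for a libldap-based client (Luma is assumed here to use python-ldap, which links libldap) that is `TLS_CACERT /etc/ssl/certs/mycacert.pem` in ldap.conf or ~/.ldaprc, the client-side counterpart of the slapd.conf lines above.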