Ldapsearch Error Unable To Get Local Issuer Certificate
From: Chris Jacobs
Subject: TLS certificate verification: Error, unable to get local issuer certificate

heck of a time getting certs to function correctly. This server is being set up with another server in mirrormode - and currently they cannot talk to each other (or themselves when using ldapsearch). We have a root CA, with a subordinate CA used to sign the cert our ldap server is using. I have both appended to the /etc/pki/tls/certs/ca-bundle.crt file (CentOS5) - root first, sub second. I have both (also in the same order) in the cacert.pem used by slapd.conf.

TLS directives:

    TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
    TLSCertificateFile /etc/openldap/cacerts/ldapcrt.pem
    TLSCertificateKeyFile /etc/openldap/cacerts/ldapkey.pem

When I test the cacert.pem file or the ldapcrt.pem file using "openssl verify [cert]", everything comes back with OK (I tested removing those from the ca-bundle.crt file and they fail - those are below too). I have those certs available separately and tested them too.

------ Test with CA and Sub-CA in ca-bundle.crt ------

    # openssl verify cacert.pem
    cacert.pem: OK
    # openssl verify ldapcrt.pem
    ldapcrt.pem: OK
    # openssl verify carootcrt.pem
    carootcrt.pem: OK
    # openssl verify casubcrt.pem
    casubcrt.pem: OK

------ Test without CA and Sub-CA in ca-bundle.crt ------

    # openssl verify cacert.pem
    cacert.pem: /DC=edu/DC=apollogrp/CN=Apollo Group Enterprise CA
    error 18 at 0 depth lookup:self signed certificate
    OK
    # openssl verify ldapcrt.pem
    corp-ldapcrt.pem: [verify specific cert subject snipped]
    error 20 at 0 depth lookup:unable to get local issuer certificate
    # openssl verify carootcrt.pem
    carootcrt.pem: /DC=edu/DC=apollogrp/CN=Apollo Group Enterprise CA
    error 18 at
Server Fault question: Unable to verify SSL certificate issuer for LDAP server
http://serverfault.com/questions/100481/unable-to-verify-ssl-certificate-issuer-for-ldap-server
Asked Jan 7 '10 at 15:42 by kwhohasamullet. Tags: linux, debian, ssl-certificate, openldap, openssl. Score: 1.

I have just set up SSL on my LDAP server by following this guide - http://www.linux.com/archive/feature/114087 . I have made a self-signed certificate using openSSL and set it up. When something tries to connect to the server using SSL it comes up with an error saying "The issuer of the certificate could not be found". The common name is set to ldap.redmeetsblue.com.au which is pointing to our network; only port 636 is forwarded to the machine. I've looked over the internet but cannot find an answer; I'm pretty new to this so I'm stumped. Thanks in advance.

Answer by Christian (Jan 7 '10 at 15:52, score 2):
You have to add the self-signed certificate as trusted to your client certificate store. This way the client will accept it and establish a connection.

Answer by Jonathan Clarke (Jan 25 '10 at 10:05, score 1):
Since you're using a certificate signed by your own certificate authority (CA), rather than a globally recognized one (such as Verisign, etc.), you need to configure LDAP clients to recognize your CA, by telling them to trust the CA's certificate. For the ldap* command line clients, this can be done by adding the following line to /etc/ldap/ldap.conf or /etc/ldap.conf:

    TLSCACertificateFile /etc/ldap/cacert.pem

(I'm guessing this is where your CA certificate is, based on the link you posted. You will of course need to distribute this file to other clients.) Hope this helps.

Comment by migle (Sep 17 '15 at 15:19):
The actual option for the client is TLS_CACERT. TLSCACertificateFile is the same but for the server (which may use it to check client certificates).
Drupal.org issue: SSL LDAP authentication
https://www.drupal.org/node/738746
Status: Closed (duplicate). Project: LDAP integration. Version: 6.x-1.x-dev. Component: User interface. Priority: Critical. Category: Support request. Assigned: Unassigned. Reporter: clcrush. Created: March 10, 2010 - 20:56. Updated: April 6, 2012 - 19:00.

I followed the steps on Microsoft's site: http://support.microsoft.com/kb/321051 - to set up SSL/TLS on my AD LDAP server. I tested using ldp.exe and it shows it working on port 636. I can telnet to port 636 from my web server. But I cannot get the LDAP authentication portion to test successfully using port 636. Is there anything I need to do on the web server side to get the communication flowing? Any assistance would be great!!!

Comment #1 by clcrush (March 15, 2010 at 4:08pm):
Anyone have any suggestions? I really need to get the password change feature working on my Drupal install.

Comment #2 by chicagomom (April 1, 2010 at 10:40am):
Are you running IIS, Apache, or something else? If IIS, what version? Can you verify via phpinfo() that you have the ldap dll running on php?

Comment #3 by prufrock51 (April 1, 2010 at 3:55pm):
Once you have the certificate on your domain controller, your server has to trust it. If you are on Linux, review your ldap.conf file and place the exported certificate into a proper directory (on RHEL5, /etc/openldap/cacerts). Also, you will need adpassword.patch from http://drupal.org/node/339821

Comment #4 by clcrush (April 9, 2010 at 4:41pm):
I applied the patch and put the certificate in /etc/openldap/cacerts and the test button still fails for port 636. Here is my /etc/openldap/ldap.conf:

    URI ldaps://192.168.66.11/
    BASE dc=csaaweb,dc=echo
    HOST N01IAW801.csaaweb.echo
    PORT 636
    TLS_CACERTDIR /etc/openldap/cacert