OpenLDAP: Connection fails on Mac

On my Mac, I've installed OpenLDAP, modified /etc/openldap/ldap.conf and specified the path to the cert. However, I keep getting this error:

SERVER_DOWN: {
    'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:
             certificate verify failed (unable to get local issuer certificate)',
    'desc': "Can't contact LDAP server"
}

The ldap.conf has in it:

TLS_REQCERT demand
TLS_CACERT /etc/openldap/CA_tncdc01.cer

And the cer is there:

$ ll /etc/openldap/CA_tncdc01.cer
-rw-r--r--@ 1 eric  staff  1298 Jun 23 09:12 /etc/openldap/CA_tncdc01.cer

OpenSSL verify says:

$ openssl verify /etc/openldap/CA_tncdc01.cer 
error 18 at 0 depth lookup:self signed certificate
OK

And to bind, I use (Python):

import ldap

url = "ldaps://[snip]:636"           # host elided in the original post
l = ldap.initialize(url)             # no connection yet; TLS settings are read from ldap.conf
# The TLS handshake, and therefore the certificate verify error, happens on the first operation
l.simple_bind_s(bind_name, bind_password)

All seems to be in order.

Thanks Eric


The setting:

TLS_REQCERT demand

... is the default TLS certificate verification setting. It is also the MOST STRICT.

The problem you're having is likely because the certificate is self-signed (as you indicated), yet your config says to demand perfect validation results (on account of using 'demand' for TLS_REQCERT).

Using 'demand' will cause any LDAP SSL/TLS connection to fail IF the certificate is not perfect in every respect. This includes issues with a certificate being self-signed, expired, etc.

The fact that you've specified your "CA" via TLS_CACERT is good, but the CACERT may be incomplete. There could be a missing certificate string in the chain somewhere. Sometimes I've seen it necessary to concatenate multiple CAs together if, for example, a certificate was generated using an Intermediate CA instead of a Root CA.

Regardless, the simplest possible fix is to try replacing 'demand' with 'allow' or 'never', and re-test from there. If I could choose, I would suggest 'allow' instead of 'never'.

I hope this helps...

Max


Not sure, but the public key of the certificate authority that published the certificate of your server does not seem to be understood. On my client I've got:

BASE dc=dom, dc=fr
URI ldaps://srvldap.dom.fr/
TLS_CACERT /etc/ssl/MyCAcert.pem
TLS_REQCERT demand

.pem and .cer are the same DER certificate; one is binary, the other is ASCII. Can you try the PEM format?
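Both answers point at the same two checks: whether the CA file is PEM, and whether it contains every certificate the server's chain needs (root plus any intermediate). The shell functions below are an added example, not code from either answer or from OpenLDAP; they assume only the openssl CLI, and every path, host name and function name in them is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original thread: check a CA file and a
# server certificate the way libldap's "TLS_REQCERT demand" will, before
# deciding to relax that setting. Only the openssl CLI is required. All file
# paths and host names are hypothetical arguments supplied by the caller.

# Report the encoding of a certificate file: PEM, DER or unknown.
# DER never contains the ASCII PEM header, so the header test is decisive.
cert_format() {
    f="$1"
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
        echo PEM
    elif openssl x509 -in "$f" -inform DER -noout 2>/dev/null; then
        echo DER
    else
        echo unknown
    fi
}

# Write the (first) certificate in "$1" to stdout as PEM, whatever its input
# encoding. Fails (non-zero) when the file is not a certificate at all.
cert_to_pem() {
    f="$1"
    case "$(cert_format "$f")" in
        PEM) openssl x509 -in "$f" -inform PEM -outform PEM ;;
        DER) openssl x509 -in "$f" -inform DER -outform PEM ;;
        *)   return 1 ;;
    esac
}

# Print subject and issuer of one certificate file; this shows whether the
# issuer named in the server cert is actually present in the CA file.
cert_names() {
    cert_to_pem "$1" | openssl x509 -noout -subject -issuer
}

# Build a single PEM bundle for TLS_CACERT from any number of PEM or DER
# files, e.g. root and intermediate CA:  build_bundle out.pem root.cer inter.pem
build_bundle() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        cert_to_pem "$f" >> "$out" || return 1
    done
}

# Verify a server certificate against a PEM CA file, optionally with an
# untrusted intermediate file: the same check "TLS_REQCERT demand" imposes.
# Prints openssl's verdict; exit status is 0 only when the chain is complete.
verify_chain() {
    ca="$1"; server="$2"; untrusted="$3"
    if [ -n "$untrusted" ]; then
        openssl verify -CAfile "$ca" -untrusted "$untrusted" "$server"
    else
        openssl verify -CAfile "$ca" "$server"
    fi
}

# Fetch every certificate the LDAP server presents during the handshake
# (needs network access, so it is not exercised offline). The output shows
# whether the server sends its intermediate or leaves the client to supply it.
fetch_server_chain() {
    host="$1"; port="${2:-636}"
    openssl s_client -showcerts -connect "$host:$port" </dev/null 2>/dev/null \
        | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/'
}
```

Run cert_format on the file named in TLS_CACERT first; if it reports DER, convert it with cert_to_pem, since an OpenSSL-built libldap loads TLS_CACERT as PEM. Then run verify_chain against the certificate the server actually presents (fetch_server_chain prints it). If verify_chain only succeeds once the intermediate is supplied, build_bundle the root and intermediate into one file and point TLS_CACERT at it; that fixes the "unable to get local issuer certificate" failure while keeping TLS_REQCERT demand, rather than weakening it to 'allow' or 'never'.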
