OpenLDAP: Connection fails on Mac
On my Mac, I've installed OpenLDAP, modified /etc/openldap/ldap.conf and specified the path to the cert. However, I keep getting this error:
SERVER_DOWN: {
'info':
'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:
certificate verify failed (unable to get local issuer certificate)',
'desc': "Can't contact LDAP server"
}
The ldap.conf has in it:
TLS_REQCERT demand
TLS_CACERT /etc/openldap/CA_tncdc01.cer
And the cer is there:
$ ll /etc/openldap/CA_tncdc01.cer
-rw-r--r--@ 1 eric staff 1298 Jun 23 09:12 /etc/openldap/CA_tncdc01.cer
OpenSSL verify says:
$ openssl verify /etc/openldap/CA_tncdc01.cer
error 18 at 0 depth lookup:self signed certificate
OK
And to bind, I use (Python):
import ldap  # python-ldap; TLS settings are taken from /etc/openldap/ldap.conf

url = "ldaps://[snip]:636"
l = ldap.initialize(url)
l.simple_bind_s(bind_name, bind_password)
All seems to be in order.
Thanks Eric
The setting:
TLS_REQCERT demand
... is the default TLS certificate verification setting. It is also the MOST STRICT.
The problem you're having is likely because the certificate is self-signed (as you indicated), yet your config says to demand perfect validation results (on account of using 'demand' for TLS_REQCERT).
Using 'demand' will cause any LDAP SSL/TLS connection to fail IF the certificate is not perfect in every respect. This includes issues with a certificate being self-signed, expired, etc etc.
The fact that you've specified your "CA" via TLS_CACERT is good, but the CACERT may be incomplete. There could be a missing certificate string in the chain somewhere. Sometimes I've seen it necessary to concatenate multiple CAs together if, for example, a certificate was generated using an Intermediate CA instead of a Root CA.
Regardless, the simplest possible fix is to try replacing 'demand' with 'allow' or 'never', and re-test from there. If I could choose, I would suggest 'allow' instead of 'never'.
I hope this helps...
Max
Not sure, but the public key of the certificate authority that published your server's certificate does not seem to be understood. On my client I've got:
BASE dc=dom, dc=fr
URI ldaps://srvldap.dom.fr/
TLS_CACERT /etc/ssl/MyCAcert.pem
TLS_REQCERT demand
.pem and .cer are the same DER certificate; one is binary, the other is ASCII. Can you try the PEM format?
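Added example (not part of either answer above): a small Python pre-flight check for a TLS_CACERT file that covers both points raised, the PEM-versus-DER format of the .cer file and the completeness of the CA chain, so that TLS_REQCERT demand can be kept rather than relaxed. It uses only the standard library; the file path and certificate names are placeholders.

```python
import ssl
import sys

def to_pem(data: bytes) -> str:
    """Accept PEM (ASCII) or DER (binary, the usual .cer export) and return PEM text.
    ldap.conf's TLS_CACERT expects PEM, so a binary .cer should be rewritten."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return data.decode("ascii")
    return ssl.DER_cert_to_PEM_cert(data)

def _name(rdns) -> tuple:
    """Flatten the ssl module's ((('commonName', 'x'),), ...) name into a hashable tuple."""
    return tuple(sorted((k, v) for rdn in rdns for k, v in rdn))

def chain_gaps(certs) -> list:
    """certs: dicts with 'subject' and 'issuer' as ssl.SSLContext.get_ca_certs() returns them.
    One (commonName, finding) per certificate: a self-signed root is usable on its own,
    an intermediate is only usable if its issuer is also present in the same file."""
    subjects = {_name(c["subject"]) for c in certs}
    findings = []
    for c in certs:
        subj, iss = _name(c["subject"]), _name(c["issuer"])
        cn = dict(subj).get("commonName", "?")
        if subj == iss:
            findings.append((cn, "root (self-signed); fine as TLS_CACERT"))
        elif iss in subjects:
            findings.append((cn, "intermediate; its issuer is present in this file"))
        else:
            missing = dict(iss).get("commonName", "?")
            findings.append((cn, "intermediate; issuer %s is MISSING, append it" % missing))
    return findings

def check_cacert_file(path: str):
    """Return (pem_text, findings) for the file named in TLS_CACERT.
    Caveat: get_ca_certs() only lists certificates OpenSSL accepts as CAs
    (basicConstraints CA:TRUE or a legacy v1 root); anything else is silently skipped."""
    with open(path, "rb") as fh:
        pem = to_pem(fh.read())
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cadata=pem)  # raises ssl.SSLError if the data is not a certificate
    return pem, chain_gaps(ctx.get_ca_certs())

if __name__ == "__main__":
    # Placeholder path; pass your own TLS_CACERT file as the first argument.
    pem, findings = check_cacert_file(sys.argv[1] if len(sys.argv) > 1 else "/path/to/CA.cer")
    for cn, finding in findings:
        print("%s: %s" % (cn, finding))
```

If the file was binary DER, write the returned PEM text to a new file and point TLS_CACERT at it; if any line reports a missing issuer, concatenate that CA's PEM onto the same file.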