开发者

OpenLDAP: Connection fails on Mac

问答 作者:

On my Mac, I've installed OpenLDAP, modified /etc/openldap/ldap.conf and specified the path to the cert. However, I keep getting this error:

SERVER_DOWN: {
    'info': 
    'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:
     routines:SSL3_GET_SERVER_CERTIFICATE:
        certificate verify failed (unable to get local issuer certificate)', 
    'desc': "Can't contact LDAP server"
}

The ldap.conf has in it:

TLS开发者_如何学C_REQCERT demand
TLS_CACERT /etc/openldap/CA_tncdc01.cer

And the cer is there:

$ ll /etc/openldap/CA_tncdc01.cer
-rw-r--r--@ 1 eric  staff  1298 Jun 23 09:12 /etc/openldap/CA_tncdc01.cer

OpenSSL verify says:

$ openssl verify /etc/openldap/CA_tncdc01.cer 
error 18 at 0 depth lookup:self signed certificate
OK

And to bind, I use (Python):

url = "ldaps://[snip]:636"
l = ldap.initialize(url)
l.simple_bind_s(bind_name, bind_password)

All seems to be in order.

Thanks Eric

The setting:

TLS_REQCERT demand

... is the default TLS certificate verification setting. It is also the MOST STRICT.

The problem you're having is likely because the certificate is self-signed (as you indicated), yet your config says to demand perfect validation results (on part of using 'demand' for TLS_REQCERT).

Using 'demand' will cause any LDAP SSL/TLS connection to fail IF the certificate is not perfect in every respect. This includes issues with a certificate being self-signed, expired, etc etc.

The fact that you've specified your "CA" via TLS_CACERT is good, but the CACERT may be incomplete. There could be a missing certificate string in the chain somewhere. Sometimes I've seen it necessary to concatenate multiple CAs together if, for example, a certificate was generated using an Intermediate CA instead of a Root CA.

Regardless, the simplest possible fix is to try replacing 'demand' with 'allow' or 'never', and re-test from there. If I could choose, I would suggest 'allow' instead of 'never'.

I hope this helps...

Max

Not sure, but the public key of the certificate authority that publish the certificate of your server not seem to be understood. On my client I've got :

BASE dc=dom, dc=fr URI ldaps://srvldap.dom.fr/ TLS_CACERT /etc/ssl/MyCAcert.pem TLS_REQCERT demand

.pem and .cer are the same DER certificate, one is binary, the other is ASCII, can you try the pem format ?

继续阅读:openldap

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9