I recently moved a test ldap server (Debian) from the public network
to a private testing network. In doing so, I created new certificates
and signed them with my testing CA. Before the move, both TLS and
GSSAPI were working. Now, when I try to connect with TLS, I get the
following:
ldap:~# ldapsearch -x -b 'dc=chbe,dc=bogus' -ZZ
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ldap:~# ldapsearch -x -b 'dc=chbe,dc=bogus' -Z
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I've tested openssl with s_client and s_server, and the certificates
work fine. I've updated my slapd.conf file to point to the new
certificates.
Also, when I try to do a GSSAPI query, I get:
ldap:~# ldapsearch -Y GSSAPI '(uid=some_user)'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
additional info: SASL(-1): generic failure: GSSAPI Error:
Miscellaneous failure (No such file or directory)
Other than updating the slapd.conf with dc=private,dc=domain and
pointing to the new certificates, did I miss something obvious?
Again, both TLS and GSSAPI was working before I moved the server into
a private testing environment. Thanks for any tips.
--
Jiann-Ming Su
"I have to decide between two equally frightening options.
If I wanted to do that, I'd vote." --Duckman
