On 9/9/05, Jiann-Ming Su <[EMAIL PROTECTED]> wrote:
> I recently moved a test ldap server (Debian) from the public network
> to a private testing network. In doing so, I created new certificates
> and signed them with my testing CA. Before the move, both TLS and
> GSSAPI were working. Now, when I try to connect with TLS, I get the
> following:
>
> ldap:~# ldapsearch -x -b 'dc=chbe,dc=bogus' -ZZ
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> ldap:~# ldapsearch -x -b 'dc=chbe,dc=bogus' -Z
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> ldap_bind: Can't contact LDAP server (-1)
> additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> I've tested openssl with s_client and s_server, and the certificates
> work fine. I've updated my slapd.conf file to point to the new
> certificates.
>

Okay, the TLS problem was because I was missing the ldap.conf (ldap client) file.

> Also, when I try to do a GSSAPI query, I get:
>
> ldap:~# ldapsearch -Y GSSAPI '(uid=some_user)'
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
> additional info: SASL(-1): generic failure: GSSAPI Error:
> Miscellaneous failure (No such file or directory)
>

This is because the /etc/krb5.keytab was missing.

> Other than updating the slapd.conf with dc=private,dc=domain and
> pointing to the new certificates, did I miss something obvious?
> Again, both TLS and GSSAPI were working before I moved the server into
> a private testing environment. Thanks for any tips.
>

My primary test server had crashed, and I guess my backup server wasn't as identically configured as I had thought.

--
Jiann-Ming Su
"I have to decide between two equally frightening options.
If I wanted to do that, I'd vote." --Duckman
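A preflight script for the two root causes named in this thread (a missing libldap client config with a TLS_CACERT that trusts the new CA, and a missing /etc/krb5.keytab), added here as example code that is not part of the original message. It assumes Debian's libldap config path /etc/ldap/ldap.conf and the default keytab path, both overridable as arguments, and treats the presence of an ldap/ service principal in the keytab as advisory only; the openssl verify step repeats offline the chain check the LDAP client performs during StartTLS.

```shell
#!/bin/sh
# Preflight for an OpenLDAP host after a certificate or CA change.
# Assumed default paths (Debian): /etc/ldap/ldap.conf and /etc/krb5.keytab.

# check_ldap_conf FILE: libldap's client config must exist and its TLS_CACERT
# must name a readable CA file, or StartTLS ends in "certificate verify failed".
check_ldap_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "FAIL: $conf missing; StartTLS cannot verify the server cert"; return 1; }
    cacert=$(awk '$1 == "TLS_CACERT" { print $2; exit }' "$conf")
    [ -n "$cacert" ] || { echo "FAIL: no TLS_CACERT directive in $conf"; return 1; }
    [ -r "$cacert" ] || { echo "FAIL: TLS_CACERT file $cacert is not readable"; return 1; }
    echo "OK: $conf trusts CA file $cacert"
}

# check_keytab FILE: the keytab must exist and be non-empty, or SASL/GSSAPI
# binds fail with "Miscellaneous failure (No such file or directory)".
check_keytab() {
    kt="$1"
    [ -r "$kt" ] || { echo "FAIL: keytab $kt missing or unreadable"; return 1; }
    [ -s "$kt" ] || { echo "FAIL: keytab $kt is empty"; return 1; }
    # Advisory only (assumption): an LDAP server needs an ldap/<host>@<REALM> entry.
    if command -v klist >/dev/null 2>&1; then
        klist -k "$kt" 2>/dev/null | grep -q 'ldap/' \
            || echo "WARN: no ldap/ service principal listed in $kt"
    fi
    echo "OK: keytab $kt present"
}

# verify_server_cert CA CERT: the chain check the client will perform, done
# with openssl before touching slapd.
verify_server_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 \
        || { echo "FAIL: $2 does not chain to CA $1"; return 1; }
    echo "OK: $2 chains to CA $1"
}

# run_checks [LDAP_CONF] [KEYTAB] [CA] [SERVER_CERT]: returns 1 on any failure.
run_checks() {
    rc=0
    check_ldap_conf "${1:-/etc/ldap/ldap.conf}" || rc=1
    check_keytab "${2:-/etc/krb5.keytab}" || rc=1
    if [ -n "${3:-}" ] && [ -n "${4:-}" ]; then
        verify_server_cert "$3" "$4" || rc=1
    fi
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    shift
    run_checks "$@"
fi
```

Invoke as `sh preflight.sh --run` for the defaults, or pass the config, keytab, CA and server certificate paths explicitly to check a test host before the first ldapsearch.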
