On 02/24/2012 11:57 AM, Aaron Bennett wrote:
From: Rich Megginson [mailto:[email protected]]
See http://www.openldap.org/faq/data/cache/1514.html
Using Builtin Root Certs:
-
Hi Rich,
Thanks for responding.
I read that. So, I did ln -s /usr/lib64/libnssckbi.so to my nss key
directory... doesn't seem to have any effect. If I do certutil -d
/etc/openldap/nssdb/ -L -h all then it shows all of those certs as
expected, including:
Builtin Object Token:GeoTrust Global CA C,C,C
Builtin Object Token:GeoTrust Global CA 2 C,C,C
Builtin Object Token:GeoTrust Universal CA C,C,C
Builtin Object Token:GeoTrust Universal CA 2 C,C,C
Builtin Object Token:GeoTrust Primary Certification Authority C,,
Builtin Object Token:GeoTrust Primary Certification Authority - G3 C,C,C
Builtin Object Token:GeoTrust Primary Certification Authority - G2 C,C,C
for GeoTrust. It still shows the geotrust-intermediate cert that I
imported:
geotrust-intermediate ,,
as well. But with or without an explicit "olcTLSCACertificateFile:
geotrust-intermediate", ldapwhoami -d1 produces:
ldap_url_parse_ext(ldaps://ds.clarku.edu)
ldap_create
ldap_url_parse_ext(ldaps://ds.clarku.edu:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ds.clarku.edu:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 140.232.1.12:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Is the ldapwhoami client on the same machine as the server? What is
the client TLS configuration?
What am I missing?
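The certutil listing above shows each nickname with its trust attributes (SSL, S/MIME, object-signing); a "C" in the first field means the certificate is trusted as a CA for SSL, while ",," means no trust at all. The following script is an added example, not code from either poster: it parses certutil -L style output and prints the nicknames whose SSL trust field carries neither C, T nor P. The sample output embedded in it is constructed from the entries quoted in the thread; pipe live `certutil -d /etc/openldap/nssdb -L -h all` output into untrusted_for_ssl to check a real database.

```shell
#!/bin/sh
# Added example: report NSS database entries that are not trusted for SSL.
# SAMPLE_CERTUTIL_OUTPUT is a constructed stand-in for what
# `certutil -d /etc/openldap/nssdb -L -h all` prints; it is not live output.
SAMPLE_CERTUTIL_OUTPUT='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:GeoTrust Global CA                      C,C,C
Builtin Object Token:GeoTrust Primary Certification Authority C,,
geotrust-intermediate                                        ,,
'

# Read certutil -L output on stdin; print nicknames whose first (SSL)
# trust field lacks C (CA), T (client-auth CA) and P (trusted peer).
untrusted_for_ssl() {
    while IFS= read -r line; do
        # The trust triple is the last whitespace-separated token, e.g. C,C,C or ,,
        flags=${line##* }
        case "$flags" in
            *,*,*) ;;                    # looks like a trust triple
            *) continue ;;               # header, blank or malformed line
        esac
        # Reject tokens with characters outside the flag alphabet, which
        # filters out the "SSL,S/MIME,JAR/XPI" header line.
        case "$flags" in *[!A-Za-z,]*) continue ;; esac
        ssl=${flags%%,*}                 # first field: SSL trust flags
        case "$ssl" in
            *[CTP]*) ;;                  # trusted for SSL in some role
            *) printf '%s\n' "${line% $flags}" | sed 's/[[:space:]]*$//' ;;
        esac
    done
}

# Run the check over the constructed sample.
check_sample() {
    printf '%s' "$SAMPLE_CERTUTIL_OUTPUT" | untrusted_for_ssl
}

check_sample
```

An entry that appears here is not necessarily the problem: an intermediate imported with ",," is still usable for chain building as long as the chain reaches a root the database trusts (here, the builtin GeoTrust roots). The listing only tells you what the database trusts directly, which is why the client's TLS configuration has to be checked separately, as the thread asks.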