Sorry, I was misreading that report -- the error 81 is probably
an LDAP error, not an SSL error, and the man page at www.openldap.org
does not have the integer codes.  Presumably there is some .h file
in the openldap distribution that contains the reference, but it
might very well be something like "certificate verify failed" that
would not tell us much.  I would still use the s_client thing to
peek at the lower level, just to rule out non-LDAP possibilities.

Charles B Cranston wrote:
My best guess, at maybe the 40% confidence level, is that you do
not have the root certificate that signed the server certificate
available at the client end.  We have had some success in using
the s_client tool to probe LDAPS connections.  While, once the
connection opens, it is not possible to type anything useful at
the LDAP server, we can use the success or failure of the actual
connection opening to do some initial debugging.

Looks something like:

openssl s_client -connect ldap.foo.bar:676 -showcerts

That should be 636.


to see the certificate chain the server is presenting.  If this
succeeds, you get a warning 19 when it cannot find the root
locally; then you can use the -CAfile option to point at a local
copy of the root (or -CApath if you have the directory structure
already set up locally on the client).  Usually if you get a 19
without a -CAfile then adding the -CAfile will make it a zero
and the connection will open just fine.

I *THINK* 676 is the right port number but it might be 636
or something - help me out, guys, if I am wrong on this.

If you'd like, I can post some simple PERL routines that do a
secure LDAP connection, so you can help decide if the problem
is at the client or server end.

You should also track down that error 81 -- the version of
LDAP on my Mac is pretty old, and the man verify list only
goes up to 31, 32, and 50, as does the one on openssl.org,
but maybe in the source code there might be some

#define X509_V_ERR_somethingorother 81

This is probably wrong. It is probably an LDAP_xxx_ERROR code defined in some .h file in the OpenLDAP distribution.

that might shed some light. It's worth a grep or two.

=====

Sean McKay wrote:

I've been using OpenLDAP with OpenSSL to perform secure, remote ldapadds to a secure LDAP server (Win2K Active Directory). We've just updated the certificate on the Active Directory server and our ldapadd commands are returning the following error:

ldap_bind: Can't contact LDAP server (81)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


Any thoughts -- I apologize in advance if I should have posted to the OpenLDAP lists first. After reading the man pages for both OpenSSL and OpenLDAP, I haven't been able to determine if there is a step that I have missed like loading a public version of the certificate on the Unix box I'm performing the LDAP updates from...

Thanks!
Sean :: open dot mail at verizon dot net

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
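The s_client probe Ben describes above, reproduced end to end as an added example that is not part of the thread and not code from either poster. It assumes an openssl binary on PATH, a throwaway root CA and server certificate generated on the spot, and openssl s_server standing in for the LDAPS server on local port 16636 (a real server listens on 636). The server is told to send the root along with its own certificate, which is exactly the situation in which a client that lacks the root locally reports verify error 19 and reports 0 once -CAfile points at that root.

```shell
#!/bin/sh
# Added example, not from the thread. Offline reproduction of the
# "openssl s_client -connect host:636 -showcerts" probe: first without
# the root available locally (expect verify error 19), then with -CAfile
# (expect 0).  Assumed: openssl on PATH, free local port 16636.
set -e

PORT=${PORT:-16636}
WORK=$(mktemp -d)
SRV=""
trap 'kill "${SRV:-}" 2>/dev/null || true; rm -rf "$WORK"' EXIT

# 1. Throwaway self-signed root CA and a server certificate signed by it
#    (both constructed here; the hostname ldap.foo.bar is taken from the thread).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Test Root" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=ldap.foo.bar" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/srv.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/srv.pem" >/dev/null 2>&1

# 2. Stand-in for the LDAPS server: presents the server cert and, via
#    -cert_chain, the self-signed root.  A client that does not trust that
#    root reports X509 verify error 19 (self signed certificate in chain).
openssl s_server -accept "$PORT" -www \
    -cert "$WORK/srv.pem" -key "$WORK/srv.key" -cert_chain "$WORK/ca.pem" \
    >/dev/null 2>&1 &
SRV=$!

# Wait until the listener accepts connections (up to ~10 s).
i=0
until printf '' | openssl s_client -connect "127.0.0.1:$PORT" >/dev/null 2>&1; do
    i=$((i + 1))
    [ "$i" -lt 10 ] || { echo "stand-in server did not start" >&2; exit 1; }
    sleep 1
done

# 3. The probe.  Any extra arguments (e.g. -CAfile root.pem) go to s_client.
#    Closing stdin right away makes s_client exit once the handshake is done;
#    only the number from its "Verify return code: N (...)" line is printed.
probe() {
    printf '' | openssl s_client -connect "127.0.0.1:$PORT" -showcerts "$@" 2>/dev/null \
        | awk '/Verify return code:/ { print $4; exit }'
}

echo "no -CAfile:   $(probe)"                        # 19
echo "with -CAfile: $(probe -CAfile "$WORK/ca.pem")" # 0
```

Against a real server, replace 127.0.0.1:$PORT with ldap.foo.bar:636 and drop the s_server part. Two caveats from outside the thread: verify code 19 is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN and appears when the server sends its root; if the server sends only its own certificate, the same missing-root condition shows up as 20 (unable to get local issuer certificate). And a clean 0 from s_client only proves the root is correct; the OpenLDAP client still has to be pointed at the same root file through TLS_CACERT in ldap.conf (or TLS_CACERTDIR for a hashed directory) before ldapadd will verify the chain.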