[SASAG] Need help with openldap TLS

Mark Foster mark at foster.cc
Fri Jun 2 11:21:46 PDT 2006

Ski Kacoroski wrote:

>I have been in certificate hell for the last few days and can really use 
>some help.  I have tried self signed and cacert.org with no luck. 
>Openssl verifies the certs ok:
>ldapum:/opt/openldap/ssl/certs# openssl verify testcert.pem
>testcert.pem: OK
>but openldap still gives errors:
>ldapum:/opt/openldap/ssl/certs# ldapsearch -H ldaps:/// -x "(uid=ski)" uid
>ldap_bind: Can't contact LDAP server (-1)
>         additional info: error:14090086:SSL 
>routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>The log file shows:
>May 21 16:27:55 localhost slapd[450]: connection_read(15): TLS accept 
>failure error=-1 id=0, closing
>Any help is most appreciated.  Either email or phone at 425-489-6263.
I say use s_client to help troubleshoot.

You can use a command like this to establish an SSL/TLS session to the

openssl s_client -connect ldapserver:636

other options are available ... see s_client (1ssl)

For instance, you can emulate the certificate validation by passing the
-cert, -key and -CAfile args.

Beyond that, tcpdump and ssldump are your friends, as is tweaking the
loglevel in slapd.conf.

Are you doing anything fancy like requiring client certs
(TLSVerifyClient setting)?
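An added example, not code from the thread above: a small POSIX shell wrapper around the s_client check Mark recommends, which pulls the "Verify return code" out of the output and maps the common X509 verify codes to what usually needs fixing on the LDAP side. It assumes the openssl CLI is installed; the sample s_client output is constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): wrap the s_client check and
# turn its "Verify return code" line into a troubleshooting hint.

# Extract the numeric verify code from s_client output read on stdin.
verify_code_from_output() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Map common OpenSSL X509 verify codes to the usual cause on an LDAPS setup.
interpret_verify_code() {
    case "$1" in
        0)  echo "ok: chain validated against the supplied CA" ;;
        10) echo "certificate has expired: reissue the server certificate" ;;
        18) echo "self-signed certificate: pass that cert as -CAfile (TLSCACertificateFile on the client)" ;;
        19) echo "self-signed CA in chain: the root CA is missing from -CAfile / TLSCACertificateFile" ;;
        20) echo "unable to get local issuer certificate: the client lacks the issuing CA" ;;
        21) echo "unable to verify the first certificate: server sent no intermediate; check the chain in TLSCertificateFile" ;;
        *)  echo "verify code $1: see verify(1ssl) for its meaning" ;;
    esac
}

# Live check: ldaps_check host [port] [cafile]  (cafile path is an assumption)
ldaps_check() {
    host=$1; port=${2:-636}; cafile=${3:-/etc/ssl/certs/ca-certificates.crt}
    code=$(openssl s_client -connect "$host:$port" -CAfile "$cafile" </dev/null 2>/dev/null \
           | verify_code_from_output)
    interpret_verify_code "${code:-unknown}"
}

# Constructed sample of what s_client prints for a self-signed server cert
# that was not supplied via -CAfile (used here so the parser can be exercised offline).
sample_output() {
    printf '%s\n' 'CONNECTED(00000003)' \
        'depth=0 CN = ldapum' \
        'verify error:num=18:self signed certificate' \
        '---' \
        '    Verify return code: 18 (self signed certificate)'
}
```

Run `ldaps_check ldapserver 636 /path/to/ca.pem` against the real server; a code of 0 means the client-side trust store is right and the problem lies elsewhere (slapd loglevel, TLSVerifyClient).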

