Openldap TLS self CA issue

c4ifford
Posts: 1
Joined: 2015/12/02 16:28:16

Postby c4ifford » 2015/12/02 17:22:22

So I've got my openldap test server running and now I'm trying to add TLS.

I'm attempting to make a self-signed cert from the process followed here: http://www.server-world.info/en/note?os=CentOS_6&p=ssl

I've been digging for the past two or three days now trying to find some sort of correlation on why it thinks that the CA is untrusted.


Code:

ldapsearch -d1 -x -LLL -b cn=root -D "cn=Manager,dc=lab,dc=net"   -H "ldaps://cliff-admin.lab.net:636" -W cn=config
ldap_url_parse_ext(ldaps://cliff-admin.lab.net:636)
ldap_create
ldap_url_parse_ext(ldaps://cliff-admin.lab.net:636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP cliff-admin.lab.net:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: certificate [CN=cliff-admin.lab.net] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 22 - moznss error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

TrevorH
Forum Moderator
Posts: 21171
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Openldap TLS self CA issue

Postby TrevorH » 2015/12/03 12:25:43

Have you added your CA cert to the system so that it is trusted? (I am assuming that you're using a self-signed cert created by your own CA.)
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke
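Added example (not from either poster): it reproduces the "issuer has been marked as not trusted" situation from the debug output with a throwaway CA and server cert, shows the same chain verifying once the client trusts that CA, and lists the moznss certdb / ldap.conf fix TrevorH is pointing at. Only openssl is required; the CN values are taken from the thread, the file paths and the "lab CA" nickname are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "issuer not trusted"
# failure with a throwaway CA and server cert, then show the same chain
# verifying once the client trusts that CA. Only openssl is required; the
# CN values come from the thread, the file paths are constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a private CA and a server cert signed by it (constructed test data).
make_lab_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=lab CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=cliff-admin.lab.net" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" 2>/dev/null
}

# Verify the server cert the way a client would. $1 is a CA file to trust,
# or "" to rely on the system store only (the poster's situation: the system
# store has never heard of the private CA). Prints "trusted" or "untrusted".
# Output is matched rather than the exit code because openssl 1.0.x
# (CentOS 6) exits 0 even when verification fails.
check_server_cert() {
    ca=${1:-}
    if [ -n "$ca" ]; then set -- -CAfile "$ca"; else set --; fi
    if openssl verify "$@" "$WORK/server.crt" 2>&1 | grep -q ': OK$'; then
        echo trusted
    else
        echo untrusted
    fi
}

# The fix on a moznss-built OpenLDAP client (CentOS 6/7): import the CA into
# the certdb named in the debug output, or point ldap.conf at the CA file.
# Needs root; not executed by the demo below. "lab CA" is an assumed nickname.
install_ca_for_openldap() {
    certutil -d /etc/openldap/certs -A -n "lab CA" -t "CT,," -i "$1"
    certutil -d /etc/openldap/certs -L    # CA must now be listed with CT trust
    # Alternative: echo "TLS_CACERT $1" >> /etc/openldap/ldap.conf
}

if [ "${LDAP_TLS_DEMO:-0}" = 1 ]; then
    make_lab_pki
    echo "system store only: $(check_server_cert "")"
    echo "with lab CA:       $(check_server_cert "$WORK/ca.crt")"
fi
```

Run with `LDAP_TLS_DEMO=1 sh demo.sh` to see "untrusted" for the system store alone and "trusted" once the CA file is supplied; after importing the CA with certutil, rerun the `ldapsearch -d1` command from the first post and the -8172 line should be gone.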