Hi list, i'm have trouble with setup openldap ssl in my ubuntu server 11.04 2.6.38-8-server I'm can setup ldap without ssl perfectly with samba PDC at different server(ldap server and samba server in another machine). I'm using guide from <a href="https://help.ubuntu.com/11.04/serverguide/C/openldap-server.html">https://help.ubuntu.com/11.04/serverguide/C/openldap-server.html</a> for setup ldaps but it is failed. My /etc/ldap/ldap.conf : root@sunko02:/etc/ssl# cat /etc/ldap/ldap.conf # # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. BASE dc=sunko,dc=local #URI ldap://<a href="http://ldap.example.com">ldap.example.com</a> ldap://<a href="http://ldap-master.example.com:666">ldap-master.example.com:666</a> URI ldap://<a href="http://10.1.0.2">10.1.0.2</a> TLS_REQCERT allow TLS_CACERT /etc/ssl/certs/cacert.pem ssl start_tls #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never I'm checking TLS configuration like that : root@sunko02:/etc/ssl# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config | grep TLS SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem olcTLSCertificateFile: /etc/ssl/certs/sunko02_slapd_cert.pem olcTLSCertificateKeyFile: /etc/ssl/private/sunko02_slapd_key.pem olcAttributeTypes: ( OLcfgGlAt:68 NAME 'olcTLSCACertificateFile' SYNTAX OMsDir olcAttributeTypes: ( OLcfgGlAt:69 NAME 'olcTLSCACertificatePath' SYNTAX OMsDir olcAttributeTypes: ( OLcfgGlAt:70 NAME 'olcTLSCertificateFile' SYNTAX OMsDirec olcAttributeTypes: ( OLcfgGlAt:71 NAME 'olcTLSCertificateKeyFile' SYNTAX OMsDi olcAttributeTypes: ( OLcfgGlAt:72 NAME 'olcTLSCipherSuite' SYNTAX OMsDirectory ........................................................................................................................... And if i'm searching records into ldap server, like that : root@sunko02:/etc/ssl# ldapsearch -xLLL -d1 -b "dc=sunko,dc=local" -H ldaps://localhost ou=ktm ldap_url_parse_ext(ldaps://localhost) ldap_create ldap_url_parse_ext(ldaps://localhost:636/??base) ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP localhost:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying <a href="http://127.0.0.1:636">127.0.0.1:636</a> ldap_pvt_connect: fd: 3 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ............................................................................................................................. When i'm check with openssl like that : root@sunko02:/etc/ssl# openssl s_client -connect localhost:636 -showcerts CONNECTED(00000003) depth=1 /CN=sunko.local verify error:num=19:self signed certificate in certificate chain verify return:0 --- Certificate chain 0 s:/O=sunko.local/CN=sunko02.sunko.local i:/CN=sunko.local -----BEGIN CERTIFICATE----- MIIDODCCAiKgAwIBAgIETfsLTDALBgkqhkiG9w0BAQUwFjEUMBIGA1UEAxMLc3Vu a28ubG9jYWwwHhcNMTEwNjE3MDgwNzQwWhcNMTIwNjE2MDgwNzQwWjA0MRQwEgYD VQQKEwtzdW5rby5sb2NhbDEcMBoGA1UEAxMTc3Vua28wMi5zdW5rby5sb2NhbDCC ASAwCwYJKoZIhvcNAQEBA4IBDwAwggEKAoIBAQDQCpCzwdF3ZQtWrPhXIXNSv6VG Jts1ljGAwKXp691ImNNFawwMQ1uGIqIQvTeavGLicaFmPdgMWOf7KyFYS/KkOnzK +klZ6+B3xTmYcY+HBkvIHQMZkgs8F27OI4v2sKH7MvozOR1IZcv9FyGQzvpyEdm+ WGvckNrh0bwhcB2yET/HVndDly3BT5I64jxQdhW5DijjKBXIKptS06u0afqzoDey iXG2ycxBW2BcwJV6TOuRQkGw3Z3N9gybD6a5zF5M5dXEv5Da98oiSFMmSTF4cN+6 QJtOxxJi3OcwulCKfeC/7ddYdpiOEtg1KxG0Pwykj42+IWWECS7FN1IiMzT3AgMB AAGjdjB0MAwGA1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0P AQH/BAUDAwegADAdBgNVHQ4EFgQUkMQMR0ovnpt0ZQM+oxjRyGAdZMAwHwYDVR0j BBgwFoAUpvHIAJKiXXZTvev7NkqeQHB/Z+IwCwYJKoZIhvcNAQEFA4IBAQCV1q+p 6yiAVhcdT5to4nZmrFVrz+GimI58+teEqYvjHz/waWHXl1tFblb9Ub2u6gKDJlKv xsMWOC2ORmgVeBlDzFsGzsMRrtUjF4VeenJpp9r3vEwY/P785v2OOzLbVKonLhgS DG+78iAo6RIxzPbBcWHsULYd9uqPd7PRKYF9Nw048Iy9aemnsS+9sbkW3qO/A8DU ebQPNRh1um1hJQx3r04TIY4L0f4xYSrwMdhkvIBWxEB95DtAfqQQYh/ZdPHlo/7F M6E1FpwT1txS8UlGCJ8ySI8eekM06Pg7OKjhkwmf5t40VjtQspLqSLyGpgvbfsab GcsNgTgUpY5/a4KD -----END CERTIFICATE----- 1 s:/CN=sunko.local i:/CN=sunko.local -----BEGIN CERTIFICATE----- MIIC5zCCAdGgAwIBAgIETfsK9jALBgkqhkiG9w0BAQUwFjEUMBIGA1UEAxMLc3Vu a28ubG9jYWwwHhcNMTEwNjE3MDgwNjE0WhcNMTIwNjE2MDgwNjE0WjAWMRQwEgYD VQQDEwtzdW5rby5sb2NhbDCCASAwCwYJKoZIhvcNAQEBA4IBDwAwggEKAoIBAQDM Pnnzbbg1tACaFBM63ZYFrVxiyIdk46CuvXWe1WZ/XEJFzLovQztkvZmHDw23jk8w dcTAP0IMXwN/MbjF4tkMqziOeteNGS8pkn5QS9tPRalnGN9cjQfCixtFwxJwJd91 GyaWqy8lHQorY4alBDnpyBxRpAZgY7/CjYkS3TvIN+MM+//ffzBsgiQNxKnzBas3 N7BVSjYGJKB3ei9Jmo/eI6JkWUSP07Ob9bVvNK5BOFlH6B2L+MhE7n0LVRRD41Ls LXP3A9/F8czmZp8yAPiAaKtwaRK+ka3C7Z6HoOoY+evmcZqAuAwvoZnh3U27sjtl pV1o4wzNkVL7yMxwfQxPAgMBAAGjQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0P AQH/BAUDAwcEADAdBgNVHQ4EFgQUpvHIAJKiXXZTvev7NkqeQHB/Z+IwCwYJKoZI hvcNAQEFA4IBAQCkNZARxGtbuSa2yHkJF9e0GdSxr/+P8bFkxXD/js+oSEUYfNzu It4Ub8LFPmNNqiAQt3TCw7eJr/fM0HEcpq7G1CHsg8M00dG5qX794jGnEqv8aoGI SzRvLiH5YyUdTPjdYlF+CUQAjgz2lyMdv5XSu+SdhVYInMAQ47Bl2lOo8Q3daumV HsAxk7ososnuLqgXm1gLL6aOwpJhuljxJhywq8Bt7wnovBDHvWco+gH5wudWXHbV ik62Iuzos2H+EcZFWmYW6Y/ELbfdAv3ITTiEKFkgir0cXDXVs26wy8BSIp0bgN+w Oc2WXFRkANeiW/SrARXCIuSBsdGkqYm7xbJe -----END CERTIFICATE----- --- Server certificate subject=/O=sunko.local/CN=sunko02.sunko.local issuer=/CN=sunko.local --- No client certificate CA names sent --- SSL handshake has read 1756 bytes and written 421 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: 9DEEFB20AE5ADC9DBDC614E097F34180F98A3017FB483BB2DBD95B0E43F1C57F Session-ID-ctx: Master-Key: D8F5A6A0A091E004F4D6AF4A42F651419BCFCDE76CD839FB9E658A83B5805489CE33216C67A9A60E66265C15A9878FEA Key-Arg : None Start Time: 1308308316 Timeout : 300 (sec) Verify return code: 19 (self signed certificate in certificate chain) --- And i'm try to checking the certificate from ldap client : root@sunko08:/etc# gnutls-cli --print-cert -p 636 sunko02.sunko.local Resolving 'sunko02.sunko.local'... Connecting to '10.1.0.2:636'... - Certificate type: X.509 - Got a certificate list of 2 certificates. - Certificate[0] info: - subject `O=sunko.local,CN=sunko02.sunko.local', issuer `CN=sunko.local', RSA key 2048 bits, signed using RSA-SHA, activated `2011-06-17 08:07:40 UTC', expires `2012-06-16 08:07:40 UTC', SHA-1 fingerprint `f649580f9a039ae3356c80fc5a9786606a94892f' -----BEGIN CERTIFICATE----- MIIDODCCAiKgAwIBAgIETfsLTDALBgkqhkiG9w0BAQUwFjEUMBIGA1UEAxMLc3Vu a28ubG9jYWwwHhcNMTEwNjE3MDgwNzQwWhcNMTIwNjE2MDgwNzQwWjA0MRQwEgYD VQQKEwtzdW5rby5sb2NhbDEcMBoGA1UEAxMTc3Vua28wMi5zdW5rby5sb2NhbDCC ASAwCwYJKoZIhvcNAQEBA4IBDwAwggEKAoIBAQDQCpCzwdF3ZQtWrPhXIXNSv6VG Jts1ljGAwKXp691ImNNFawwMQ1uGIqIQvTeavGLicaFmPdgMWOf7KyFYS/KkOnzK +klZ6+B3xTmYcY+HBkvIHQMZkgs8F27OI4v2sKH7MvozOR1IZcv9FyGQzvpyEdm+ WGvckNrh0bwhcB2yET/HVndDly3BT5I64jxQdhW5DijjKBXIKptS06u0afqzoDey iXG2ycxBW2BcwJV6TOuRQkGw3Z3N9gybD6a5zF5M5dXEv5Da98oiSFMmSTF4cN+6 QJtOxxJi3OcwulCKfeC/7ddYdpiOEtg1KxG0Pwykj42+IWWECS7FN1IiMzT3AgMB AAGjdjB0MAwGA1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0P AQH/BAUDAwegADAdBgNVHQ4EFgQUkMQMR0ovnpt0ZQM+oxjRyGAdZMAwHwYDVR0j BBgwFoAUpvHIAJKiXXZTvev7NkqeQHB/Z+IwCwYJKoZIhvcNAQEFA4IBAQCV1q+p 6yiAVhcdT5to4nZmrFVrz+GimI58+teEqYvjHz/waWHXl1tFblb9Ub2u6gKDJlKv xsMWOC2ORmgVeBlDzFsGzsMRrtUjF4VeenJpp9r3vEwY/P785v2OOzLbVKonLhgS DG+78iAo6RIxzPbBcWHsULYd9uqPd7PRKYF9Nw048Iy9aemnsS+9sbkW3qO/A8DU ebQPNRh1um1hJQx3r04TIY4L0f4xYSrwMdhkvIBWxEB95DtAfqQQYh/ZdPHlo/7F M6E1FpwT1txS8UlGCJ8ySI8eekM06Pg7OKjhkwmf5t40VjtQspLqSLyGpgvbfsab GcsNgTgUpY5/a4KD -----END CERTIFICATE----- - Certificate[1] info: - subject `CN=sunko.local', issuer `CN=sunko.local', RSA key 2048 bits, signed using RSA-SHA, activated `2011-06-17 08:06:14 UTC', expires `2012-06-16 08:06:14 UTC', SHA-1 fingerprint `8fa7124b92ee007fcec09bca618c2fa2100dbe5c' -----BEGIN CERTIFICATE----- MIIC5zCCAdGgAwIBAgIETfsK9jALBgkqhkiG9w0BAQUwFjEUMBIGA1UEAxMLc3Vu a28ubG9jYWwwHhcNMTEwNjE3MDgwNjE0WhcNMTIwNjE2MDgwNjE0WjAWMRQwEgYD VQQDEwtzdW5rby5sb2NhbDCCASAwCwYJKoZIhvcNAQEBA4IBDwAwggEKAoIBAQDM Pnnzbbg1tACaFBM63ZYFrVxiyIdk46CuvXWe1WZ/XEJFzLovQztkvZmHDw23jk8w dcTAP0IMXwN/MbjF4tkMqziOeteNGS8pkn5QS9tPRalnGN9cjQfCixtFwxJwJd91 GyaWqy8lHQorY4alBDnpyBxRpAZgY7/CjYkS3TvIN+MM+//ffzBsgiQNxKnzBas3 N7BVSjYGJKB3ei9Jmo/eI6JkWUSP07Ob9bVvNK5BOFlH6B2L+MhE7n0LVRRD41Ls LXP3A9/F8czmZp8yAPiAaKtwaRK+ka3C7Z6HoOoY+evmcZqAuAwvoZnh3U27sjtl pV1o4wzNkVL7yMxwfQxPAgMBAAGjQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0P AQH/BAUDAwcEADAdBgNVHQ4EFgQUpvHIAJKiXXZTvev7NkqeQHB/Z+IwCwYJKoZI hvcNAQEFA4IBAQCkNZARxGtbuSa2yHkJF9e0GdSxr/+P8bFkxXD/js+oSEUYfNzu It4Ub8LFPmNNqiAQt3TCw7eJr/fM0HEcpq7G1CHsg8M00dG5qX794jGnEqv8aoGI SzRvLiH5YyUdTPjdYlF+CUQAjgz2lyMdv5XSu+SdhVYInMAQ47Bl2lOo8Q3daumV HsAxk7ososnuLqgXm1gLL6aOwpJhuljxJhywq8Bt7wnovBDHvWco+gH5wudWXHbV ik62Iuzos2H+EcZFWmYW6Y/ELbfdAv3ITTiEKFkgir0cXDXVs26wy8BSIp0bgN+w Oc2WXFRkANeiW/SrARXCIuSBsdGkqYm7xbJe -----END CERTIFICATE----- - The hostname in the certificate matches 'sunko02.sunko.local'. - Peer's certificate issuer is unknown - Peer's certificate is NOT trusted - Version: TLS1.1 - Key Exchange: RSA - Cipher: AES-128-CBC - MAC: SHA1 - Compression: NULL - Handshake was completed - Simple Client Mode: It is can handshake but peer's certificate not trusted, it is seem like a "bug" or i must using certificate from ssl certificate company?... Any idea? Best Regards, Aldyth M