With a little side of applesauce...

Tuesday, January 30, 2007

ldapsearch, TLS, and a self-signed certificate

I am using the ldap-utils package on Ubuntu to access our LDAP server over TLS, but the self-signed certificate was causing ldapsearch to fail with:

mylap~$ ldapsearch -x -h ldap.example.com -p 389 -ZZ -W -D "cn=binduser,dc=example,dc=com" -v -n sn=smith -d -1

TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

After googling a bit, I found that I needed to insert the following line into /etc/ldap/ldap.conf (the TLS_CACERT directive points the client at the CA certificate that signed the server's certificate):

TLS_CACERT /location/to/my-ca.crt

References:

Serenge - Setup a secure TLS-LDAP server on Debian Sarge
http://72.14.209.104/search?q=cache:Vl7cnIM_57IJ:www.serenge.nl/index.php%3Foption%3Dcom_content%26task%3Dview%26id%3D33%26Itemid%3D32+debian+ldapsearch+ssl&hl=en&gl=us&ct=clnk&cd=6&client=firefox

3 comments:

speeves said...

We found a different solution to this (with different consequences). Add the following to /etc/ldap.conf

TLS_REQCERT never

Anonymous said...

I realize this post is super old, but you can also put TLS_CACERT and TLS_REQCERT in ~/.ldaprc if you want to just have settings for your current user instead of machine-wide.

Something like:
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT demand

Shannon Eric Peevey said...

Thanks for the follow-up! That is super-helpful!
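The post fixes the "unknown CA" error with TLS_CACERT, the first comment sidesteps it with TLS_REQCERT never, and the second comment puts both keywords in ~/.ldaprc. The following is an added example (not code from the post or from OpenLDAP) that shows why those three differ: it parses ldap.conf-style files the way ldap.conf(5) describes them (case-insensitive keywords, '#' comments, per-user files overriding the system-wide file), then audits the merged result. The sample configuration texts are constructed here; in particular it shows that the mistyped keyword LS_CACERT from the original post is silently ignored, leaving the client with no CA and reproducing the failure above.

```python
import os
from typing import Callable, Dict, FrozenSet, List

# ldap.conf(5): one "KEYWORD value" per line, keywords are case-insensitive,
# '#' starts a comment. The system-wide file (/etc/ldap/ldap.conf on Debian
# and Ubuntu) is read first; ~/.ldaprc and ./ldaprc are read afterwards and
# override it, so the merge below applies files in read order.

# Valid TLS_REQCERT levels; "demand" is the default when the keyword is absent.
REQCERT_LEVELS = ("never", "allow", "try", "demand", "hard")
# With these two levels the client proceeds even when the server certificate
# is unknown or bad, so the connection is encrypted but not authenticated.
WEAK_REQCERT = ("never", "allow")

# Constructed sample files (not taken from any real system).
SYSTEM_CONF_TYPO = """# constructed: /etc/ldap/ldap.conf with the typo from the post
BASE   dc=example,dc=com
URI    ldap://ldap.example.com
LS_CACERT /location/to/my-ca.crt
"""
SYSTEM_CONF_FIXED = SYSTEM_CONF_TYPO.replace("LS_CACERT", "TLS_CACERT")
USER_RC_NEVER = "# constructed: ~/.ldaprc as in the first comment\nTLS_REQCERT never\n"
USER_RC_DEMAND = """# constructed: ~/.ldaprc as in the second comment
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT demand
"""


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse one ldap.conf-style file into {KEYWORD: value}."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # keyword, then the rest of the line
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def effective_settings(files: List[str]) -> Dict[str, str]:
    """Merge files in read order; a later file overrides an earlier one."""
    merged: Dict[str, str] = {}
    for text in files:
        merged.update(parse_ldap_conf(text))
    return merged


def audit_tls(settings: Dict[str, str],
              file_exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return human-readable findings about the client's TLS verification."""
    findings: List[str] = []
    reqcert = settings.get("TLS_REQCERT", "demand").lower()
    if reqcert not in REQCERT_LEVELS:
        findings.append(f"TLS_REQCERT has unknown value {reqcert!r}")
    elif reqcert in WEAK_REQCERT:
        findings.append(f"TLS_REQCERT {reqcert}: the server certificate is not "
                        "verified, so the connection is not authenticated")
    cacert = settings.get("TLS_CACERT")
    cacertdir = settings.get("TLS_CACERTDIR")
    # try/demand/hard all reject a certificate from an unknown CA.
    if reqcert in ("try", "demand", "hard") and not cacert and not cacertdir:
        findings.append("no TLS_CACERT or TLS_CACERTDIR configured: a certificate "
                        "from a private CA fails with 'unknown CA'")
    if cacert and not file_exists(os.path.expanduser(cacert)):
        findings.append(f"TLS_CACERT file not found: {cacert}")
    return findings


def demo(existing: FrozenSet[str] = frozenset(
        {"/location/to/my-ca.crt", "/etc/ssl/certs/ca-certificates.crt"})
         ) -> Dict[str, List[str]]:
    """Audit the four combinations discussed on the page; 'existing' stands in
    for the filesystem so the example runs offline."""
    exists = lambda path: path in existing  # noqa: E731
    return {
        "typo": audit_tls(effective_settings([SYSTEM_CONF_TYPO]), exists),
        "fixed": audit_tls(effective_settings([SYSTEM_CONF_FIXED]), exists),
        "fixed+never": audit_tls(effective_settings([SYSTEM_CONF_FIXED, USER_RC_NEVER]), exists),
        "fixed+demand": audit_tls(effective_settings([SYSTEM_CONF_FIXED, USER_RC_DEMAND]), exists),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings or ['ok']}")
```

Running it shows the trade-off the first commenter alludes to: TLS_REQCERT never makes the "unknown CA" error disappear without installing the CA, but the audit flags it because the server is then never authenticated, whereas TLS_CACERT plus the default TLS_REQCERT demand (the second comment's ~/.ldaprc) passes cleanly.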