With a little side of applesauce...

Tuesday, January 30, 2007

ldapsearch, TLS, and a self-signed certificate

I am using the ldap-utils package on Ubuntu to access our ldap server over TLS, but was having issues with the self-signed certificate causing ldapsearch to return:

mylap~$ ldapsearch -x -h ldap.example.com -p 389 -ZZ -W -D "cn=binduser,dc=example,dc=com" -v -n sn=smith -d -1

TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

After googling a bit, I found that I needed to add the following line to /etc/ldap/ldap.conf, pointing at the CA certificate that signed the server's certificate:

TLS_CACERT /location/to/my-ca.crt


Serenge - Setup a secure TLS-LDAP server on Debian Sarge


speeves said...

We found a different solution to this (with different consequences). Add the following to /etc/ldap.conf


Anonymous said...

I realize this post is super old, but you can also put TLS_CACERT and TLS_REQCERT in ~/.ldaprc if you want to just have settings for your current user instead of machine-wide.

Something like:
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
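The post's TLS_CACERT line and the TLS_REQCERT directive mentioned in the comment above are the two client settings that decide whether ldapsearch actually verifies the server certificate. As an added example (not code from the post, its commenters or OpenLDAP), the shell snippet below checks an ldap.conf or ~/.ldaprc style file for a pinned, readable CA and flags a TLS_REQCERT value that turns verification off; the rules it applies and the sample configs it writes to a temp directory are constructed for illustration.

```shell
# Added example, not code from the post, its commenters or OpenLDAP: a small
# checker for the client TLS directives discussed here (TLS_CACERT, TLS_REQCERT)
# in an /etc/ldap/ldap.conf or ~/.ldaprc style file. It reports whether the file
# pins a CA and keeps verification on, or merely silences the "unknown CA" error.
# The rules and sample configs below are this example's own assumptions.

# Print the value of the last occurrence of directive $2 in file $1 (empty if unset).
ldap_conf_get() {
    # Lines are "KEY value"; keys match case-insensitively, '#' lines never match.
    awk -v key="$2" 'toupper($1) == key { val = $2 } END { print val }' "$1"
}

# Return 0 when the file pins a readable CA and demands verification, 1 otherwise.
check_ldap_tls_conf() {
    conf="$1"
    status=0

    cacert=$(ldap_conf_get "$conf" TLS_CACERT)
    if [ -z "$cacert" ]; then
        echo "FAIL: TLS_CACERT not set in $conf"; status=1
    elif [ ! -r "$cacert" ]; then
        echo "FAIL: TLS_CACERT file not readable: $cacert"; status=1
    fi

    # OpenLDAP's default for TLS_REQCERT is "demand". "never" and "allow" accept a
    # certificate that fails verification; "try" is flagged too, it tolerates a missing one.
    reqcert=$(ldap_conf_get "$conf" TLS_REQCERT | tr 'A-Z' 'a-z')
    case "$reqcert" in
        ""|demand|hard) ;;
        *) echo "FAIL: TLS_REQCERT '$reqcert' turns verification off in $conf"; status=1 ;;
    esac

    [ "$status" -eq 0 ] && echo "OK: $conf verifies the server certificate"
    return "$status"
}

# Constructed sample configs: the weak "fix" beside the corrected one.
# The CA file is a placeholder written only so the demo has something readable.
tmpdir=$(mktemp -d)
printf 'placeholder CA certificate\n' > "$tmpdir/my-ca.crt"
cat > "$tmpdir/weak.conf" <<EOF
# connects, but trusts whatever certificate the server presents
TLS_REQCERT never
EOF
cat > "$tmpdir/fixed.conf" <<EOF
TLS_CACERT $tmpdir/my-ca.crt
TLS_REQCERT demand
EOF
check_ldap_tls_conf "$tmpdir/weak.conf" || :
check_ldap_tls_conf "$tmpdir/fixed.conf"
```

Run it against your own /etc/ldap/ldap.conf or ~/.ldaprc with `check_ldap_tls_conf <file>` to confirm the pinned CA path is readable by the user running ldapsearch.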

Shannon Eric Peevey said...

Thanks for the follow-up! That is super-helpful!