Using an Arch system. I am trying to connect to an LDAP server via ldaps:
>> cat /etc/openldap/ldap.conf
BASE <redacted>
URI ldaps://ldap.<redacted>.de
TLS_REQCERT demand
TLS_CACERTDIR /usr/share/ca-certificates/trust-source/
#TLS_CACERT /usr/share/ca-certificates/trust-source/mozilla.trust.p11-kit

Problem:
ldapsearch with TLS_CACERTDIR set and TLS_CACERT commented out (as shown above) does not work; the same query with TLS_CACERT set (and TLS_CACERTDIR commented out) does work.
> ldapsearch -Z -LLL -x -D "<redacted>" -w "<redacted>" -b "<redacted>" -s sub "(objectClass=*)" givenName
ldap_start_tls: Can't contact LDAP server (-1)
additional info: error:0A000086:SSL routines::certificate verify failed (unable to get local issuer certificate)

I am lost: why does referencing a single CACertFile work, but using CACertDir not?
Additional info: /usr/share/ca-certificates is unchanged (distro default)
Help please! :-)
Last edited by sonnyka (2024-12-15 09:46:33)
Reading the openldap documentation on TLS_CACERTDIR suggests that the directory needs to be managed by OpenSSL's c_rehash. The directory you used is not managed by this. You can see this by the presence of the hashed certificates (these are symlinks with names like f387163d.0; check /etc/ssl/certs for examples). Run c_rehash to generate the hashed certificates.
Word of advice:
Better not to meddle with the system directory: link the certificate in a different location and hash it there, or try /etc/ssl/certs/.
Edit: Grammar
Last edited by lmn (2024-12-17 21:35:26)
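Added example, not code from either poster: a POSIX shell check that tells whether a directory contains the `<8 hex chars>.<n>` hash links lmn describes (so it can actually serve as TLS_CACERTDIR), plus a helper that builds a private hashed directory from your own PEM files instead of touching the distro trust store. The function names and the destination path are assumptions; `openssl rehash` is OpenSSL's built-in equivalent of c_rehash.

```shell
#!/bin/sh
# Count OpenSSL hash links (e.g. f387163d.0) in DIR and print the number.
# Returns 0 if at least one exists, 1 otherwise. A directory with only
# plain .pem/.crt files (like the distro trust-source dir) returns 1:
# libldap/OpenSSL will not find any CA in it when used as TLS_CACERTDIR.
cacertdir_is_hashed() {
    dir=$1
    n=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue          # empty dir: literal '*' is skipped
        case "${f##*/}" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                n=$((n + 1)) ;;
        esac
    done
    echo "$n"
    [ "$n" -gt 0 ]
}

# Build a private hashed CA directory (assumed path, e.g. ~/.ldap-cacerts)
# from one or more PEM files, then point ldap.conf at it with
#   TLS_CACERTDIR /path/to/that/dir
# This leaves /usr/share/ca-certificates untouched, as advised above.
make_private_cacertdir() {
    dest=$1
    shift
    mkdir -p "$dest"
    for pem in "$@"; do
        cp "$pem" "$dest/"
    done
    # c_rehash is the classic perl script; 'openssl rehash' does the same
    # job and ships with OpenSSL >= 1.1. Both create the <subject_hash>.N links.
    if command -v c_rehash >/dev/null 2>&1; then
        c_rehash "$dest" >/dev/null
    else
        openssl rehash "$dest"
    fi
    cacertdir_is_hashed "$dest" >/dev/null
}

# Usage (not run here):
#   cacertdir_is_hashed /usr/share/ca-certificates/trust-source/   # prints 0, exit 1
#   cacertdir_is_hashed /etc/ssl/certs/                            # prints N > 0
#   make_private_cacertdir "$HOME/.ldap-cacerts" /path/to/ldap-ca.pem
```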