Hello,<br><br>I have FDS 1.0.4 running using an SSL certificate generated by an Microsoft windows 2003 CA server.<br>I choose this method as opposed to the setupssl.sh script from the wiki because I have read in the list archives that it is the best way to avoid trust issues when setting up PassSync over SSL between FDS and AD. I'm having a hard time finding references for configuring this properly and I know very little about SSL certificates so I'm making some guesses and likely missing a crucial step or two.
<br>The problem is that when trying to bind to the FDS using SSL I get certificate verification errors.<br><br>> # ldapsearch -x -H ldaps://localhost/<br>> ldap_bind: Can't contact LDAP server (-1)<br>> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
<br><br>Here's how I set up the certificates...<br>1. Generated a CSR using the FDS console wizard and submitted it to the MS CA.<br>2. Imported the CA certificate (called "it") and the signed "server-cert" resulting from step 1 from the MS CA using the FDS admin console.
<br>3. Enabled SSL (port 636) in the directory server using server-cert from step 1.<br><br>I used certutil to display the list of certificates in the FDS cert db.<br>> [alias]# ../shared/bin/certutil -L -d . -P slapd-<instance>-
<br>>
server-cert u,u,u<br>>
it CT,, <br>
<br>Then verified that "server-cert" was considered valid.<br>>
[alias]# ../shared/bin/certutil -V -n server-cert -e -u V -d . -P slapd-<instance>-<br>>
Enter Password or Pin for "NSS Certificate DB":<br>>
certutil-bin: certificate is valid<br><br>I also verified that that I can connect using openssl client.<br>> # openssl s_client -connect localhost:636 -showcerts -CAfile /path/to/it_ca.crt<br> --snip--<br>> Verify return code: 0 (ok)
<br>> ---<br><br>Any hints as to what I might be doing wrong are greatly appreciated.<br><br>Thanks,<br>-Jake<br><br><br><br><br><br>