Yeah -- So what I did is drop cacert.asc under /tmp/ldap/certs for testing purposes. I then added a line "TLS_CACERTDIR /tmp/ldap/certs" to /etc/openldap/ldap.conf. The logs on the directory server (and from adding a -d 1 option to ldapsearch) indicated that the client was rejecting the certificate. So I used certutil with cacert.asc to create the cert8.db and key3.db files under /tmp/ldap/certs (I now have cacert.asc, cert8.db, key3.db, and secmod.db under that directory). Same result. Then I went back to /etc/openldap/ldap.conf and set "TLS_REQCERT never", and commented out the cacertdir directive. With that configuration, ldapsearch works with the -ZZ options. So for some reason, it isn't liking my CA cert, and I'm not sure why. <br>
<br><br><div class="gmail_quote">On Thu, Sep 27, 2012 at 9:46 PM, Grzegorz Dwornicki <span dir="ltr"><<a href="mailto:gd1100@gmail.com" target="_blank">gd1100@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<p>Did you install ca.cert on system and setup /etc/openldap/ldap.conf ?</p>
<p>Greg.</p>
<div class="gmail_quote">28 wrz 2012 05:11, "Kyle Flavin" <<a href="mailto:kyle.flavin@gmail.com" target="_blank">kyle.flavin@gmail.com</a>> napisał(a):<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div class="h5">
Hi, I've been struggling to setup 389 Directory server with Start TLS.<br><br>I have a multi-master replication working with four server. From an external client running openldap's ldapsearch, I'm trying to do the following:<br>
<br>ldapsearch -ZZ -x -h "myserver" -b "dc=example,dc=com" -D "cn=Directory Manager" -W ""<br><br>I get an unsupported protocol error on servers that do not have certificates installed.<br>
<br>In an attempt to resolve this, I tried to install a self-signed cert. I created a ca.cert and a server.crt, and imported them into the Directory Server. I then imported the ca.cert to the admin server. When I attempted to import the same server.crt to the admin server, I got an error message stating the certificate was for another host. Since the admin server and directory server reside on the same host, if I generate a new request, it will have an identical host name (I'm not sure if that's relevant to my issue). After all of that, I now receive a "Connect Error SSL3_GET_SERVER_CERTIFICATE:certificate verify failed". I'm guessing I need to import the root cert onto the client somehow, but I'm not sure how to go about doing that.<br>
<br>This has become pretty time consuming, so I was hoping that someone more knowledgeable could confirm that I'm at least travelling down the right path. I've been following this Red Hat document:<br><br><a href="https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_SSL.html#Starting_the_Server_with_SSL_Enabled-Enabling_SSL_in_the_DS_Admin_Server_and_Console" target="_blank">https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_SSL.html#Starting_the_Server_with_SSL_Enabled-Enabling_SSL_in_the_DS_Admin_Server_and_Console</a><br>
<br>Thanks,<br>Kyle<br><br>
<br></div></div><span class="HOEnZb"><font color="#888888">--<br>
389 users mailing list<br>
<a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br></font></span></blockquote></div>
<br>--<br>
389 users mailing list<br>
<a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br></blockquote></div><br>