I've installed openldap as per <http://www.gentoo.org/doc/en/ldap-howto.xml>. The procedure described on this page generates a self-signed certificate for openldap; however, it appears that a self-signed certificate is unacceptable to the TLS subsystem.

# ldapsearch -D "cn=Manager,dc=genfic,dc=com" -W
ldap_create
Enter LDAP Password:
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
[ ... lots of cruft, snip, snip!]
TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_sasl_interactive_bind_s: Can't contact LDAP server (81)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Direct self-signed certificates are no longer allowed by upstream. You have to properly create your own CA and then a cert for your openldap from there.
Would you (or someone) please include precise instructions on how to do this in the openldap HOWTO on the gentoo website. Once proper instructions are available the bug will be a non-issue - i.e. resolved. I assumed that this was the endgame for a resolution to the problem, but openssl is a horridly complex piece for those of us who don't have the time to learn about all the acronyms, filename extensions, protocols, procedures and the ins and outs of certificate management. I have no idea how to get there. This stuff isn't really well documented for someone who needs to do a specific job in a hurry.
Can you check whether /etc/openldap/ldap.conf has "TLS_REQCERT allow" in it? When I upgraded from 2.0 to 2.1, this solved the problem. This was added 3 weeks ago to the HOWTO on gentoo.org. Let me know if this fixes it or not.
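Worked example, added to this thread and not taken from the Gentoo HOWTO or from any of the commenters above: what "create your own CA and then a cert for your openldap from there" looks like with the openssl command line, plus the client-side ldap.conf setting that the previous comment mentions. The host name ldap.genfic.com, the output directory, the file names and the organisation name are assumptions; the script also reproduces the failure from the report by showing that a bare self-signed server certificate does not verify.

```shell
#!/bin/sh
# Added example, not part of the Gentoo HOWTO or of this bug thread.
# Builds a private CA, issues a server certificate for the LDAP host from it,
# writes a client ldap.conf fragment that trusts that CA, and shows that a bare
# self-signed server certificate is rejected the way the bug report shows.
# DIR and HOST are hypothetical arguments (e.g. /etc/openldap/ssl ldap.genfic.com).
set -eu

# make_ldap_certs DIR HOST
# Produces DIR/ca.key, DIR/ca.crt, DIR/server.key, DIR/server.crt.
make_ldap_certs() {
    dir=$1; host=$2
    mkdir -p "$dir"

    # 1. The CA. A self-signed certificate is fine *here* because clients are
    #    told to trust it explicitly (TLS_CACERT): it is a trust anchor, not an
    #    unknown issuer. It must carry CA:TRUE and keyCertSign to act as a CA.
    printf '%s\n' \
        '[req]' 'prompt = no' 'distinguished_name = dn' 'x509_extensions = ca_ext' \
        '[dn]' 'O = genfic' 'CN = genfic private CA' \
        '[ca_ext]' 'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' 'subjectKeyIdentifier = hash' \
        > "$dir/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # 2. Server key and CSR. The CN (and the SAN added below) must match the
    #    name clients put in their LDAP URI, or hostname checking fails.
    printf '%s\n' \
        '[req]' 'prompt = no' 'distinguished_name = dn' \
        '[dn]' 'O = genfic' "CN = $host" \
        > "$dir/server.cnf"
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$dir/server.cnf" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null

    # 3. Sign the CSR with the CA, adding end-entity (not CA) extensions.
    printf '%s\n' "subjectAltName = DNS:$host" 'extendedKeyUsage = serverAuth' \
        'basicConstraints = CA:FALSE' > "$dir/server.ext"
    openssl x509 -req -days 825 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null

    chmod 600 "$dir/ca.key" "$dir/server.key"
}

# verify_against_ca DIR: succeeds when DIR/server.crt chains to DIR/ca.crt,
# which is the check libldap performs once TLS_CACERT points at ca.crt.
verify_against_ca() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# self_signed_is_rejected DIR HOST: succeeds when a bare self-signed server
# certificate (the old HOWTO recipe) fails verification: with nothing to chain
# to, openssl verify reports error 18, "self signed certificate".
self_signed_is_rejected() {
    mkdir -p "$1"
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' '[dn]' "CN = $2" \
        > "$1/selfsigned.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$1/selfsigned.cnf" -keyout "$1/selfsigned.key" -out "$1/selfsigned.crt" 2>/dev/null
    ! openssl verify "$1/selfsigned.crt" >/dev/null 2>&1
}

# write_ldap_conf DIR: client-side ldap.conf fragment. Trusting the CA keeps
# verification on (TLS_REQCERT demand is the default); "TLS_REQCERT allow"
# would also silence the error, but only because a bad certificate is ignored.
write_ldap_conf() {
    printf '%s\n' \
        '# client side (/etc/openldap/ldap.conf)' \
        "TLS_CACERT $1/ca.crt" \
        'TLS_REQCERT demand' \
        '# server side, for reference (slapd.conf directives):' \
        "#   TLSCACertificateFile $1/ca.crt" \
        "#   TLSCertificateFile $1/server.crt" \
        "#   TLSCertificateKeyFile $1/server.key" \
        > "$1/ldap.conf"
}

# Usage as a script: sh make_ldap_certs.sh /etc/openldap/ssl ldap.genfic.com
if [ $# -eq 2 ]; then
    make_ldap_certs "$1" "$2"
    write_ldap_conf "$1"
    verify_against_ca "$1"
    echo "$1/server.crt chains to $1/ca.crt; see $1/ldap.conf"
fi
```

The difference between the two fixes is worth spelling out: with TLS_CACERT the client still verifies that the server's certificate was issued by a CA it trusts, so the error goes away because the chain is now valid. With "TLS_REQCERT allow" the error goes away because libldap stops caring whether the certificate is valid at all (per ldap.conf(5), a bad certificate is ignored and the session proceeds), which means the client no longer authenticates the server and a man-in-the-middle with any certificate would be accepted. "allow" is a reasonable stopgap while getting the CA in place, not the end state.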
Thanks. I'll take a look and give it a shot. My original report was filed on the 7th, probably just before the documentation change was done. I dropped openldap and haven't revisited it since, but I'll try again and if the problem is fixed I'll mark this bug as resolved.
Looks like the docs are fixed, at least as far as this bug is concerned. I ran through them with the stable version of openldap (2.0) and it looks like it's working as expected. Didn't need to upgrade to 2.1. Thanks!