From Bugzilla Helper:
Description of problem:
When trying to set up an OpenLDAP server to use TLS it can not use the pre-generated slapd.pem certificate. It will always fail with a Connect error (91), additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed. From the information I found this is due to a few reasons. First, the common name in the certificate doesn't match the host name. But that is only the start; with the 2.1 version of OpenLDAP the certificate must also be signed by a CA, self-created or commercial. Also new to the 2.1 code is the addition of the TLS_CACERT line required in the /etc/openldap/ldap.conf file. After following the steps found at http://www.openldap.org/faq/data/cache/185.html the server now works with TLS like it should. I believe this is something that could easily be fixed for the next release and could save a lot of headaches. (Or all the TLS configuration stuff could be left out so as not to be confusing!)
Version-Release number of selected component (if applicable): 2.1.22
How reproducible: Always
Steps to Reproduce:
1. Set up an OpenLDAP server
2. ldapsearch ... -ZZ
3. fail
Additional info:
This can be fixed by adding the line TLS_REQCERT allow to /etc/openldap/slapd.conf. I just did a fresh re-install of openldap-servers and was able to use the pre-generated slapd.pem without trouble.
Added the line TLS_REQCERT allow to the slapd.conf file on a new install of the entire OS and used defaults for the other TLS settings in the file (pre-generated slapd.pem) and still get ldap_start_tls: Connect error (91) ....certificate verify failed. I still believe the main reason is that the pre-generated cert is not signed by a CA.
I'm unable to connect to any LDAP server using TLS ... even ones that I can verify are good (by using the same query on a RH8 box). For example, the following command succeeds on a RH8 box, but the same command fails on a freshly installed Fedora Core 1 box: ldapsearch -x -ZZ -h ldap.yoyoweb.com -p 1389 -b 'dc=yoyoweb,dc=com' '(uid=tprime)' The error is: ldap_start_tls: Protocol error (2) additional info: unsupported extended operation
... more information ... part of the problem seems to be the port number? I set up a server on port 389, and again the query works flawlessly on RH8, but now on Fedora 1 I get: ldap_start_tls: Connect error (91) additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Same problem for me on Fedora Core 2. I have disabled TLS for the time being, but a side effect of this is that authentication to gdm no longer works (see bug 97676 -- GDM LDAP User Authentication Fails). The workaround for that is to switch to KDM by entering: DISPLAYMANAGER="KDE" in /etc/sysconfig/desktop I still believe that it's a bug for gdm to require TLS or SSL on LDAP connections when "ssl no" is set in /etc/ldap.conf
You actually want to add TLS_REQCERT allow to /etc/openldap/ldap.conf (not slapd.conf)
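As an added example (not part of this bug thread): a small Python audit of the client-side /etc/openldap/ldap.conf TLS settings the comments above go back and forth on, using the OpenLDAP ldap.conf semantics for TLS_REQCERT and TLS_CACERT. The sample configurations, hostnames and paths are constructed.

```python
"""Audit an OpenLDAP client ldap.conf for its server-certificate policy.

TLS_REQCERT values (from ldap.conf semantics):
  demand / hard (default) -> server certificate must be present and verify
  try                     -> verified if present; a missing certificate is accepted
  allow                   -> a missing or bad certificate is silently accepted
  never                   -> no certificate is requested at all
'allow' stops ldap_start_tls failing with "certificate verify failed", but it
also removes server authentication.  The durable fix is to trust the CA that
signed the server certificate via TLS_CACERT and keep TLS_REQCERT demand.
"""
import re

# Constructed sample: the workaround configuration suggested in the thread.
SAMPLE_WORKAROUND_CONF = """\
# /etc/openldap/ldap.conf (constructed sample)
BASE    dc=example,dc=com
URI     ldap://ldap.example.com
TLS_REQCERT allow
"""

# Constructed sample: the CA-based configuration the FAQ steps lead to.
SAMPLE_FIXED_CONF = """\
BASE    dc=example,dc=com
URI     ldap://ldap.example.com
TLS_CACERT /etc/openldap/cacerts/ca.crt
TLS_REQCERT demand
"""

def parse_ldap_conf(text):
    """Return {KEY: value} from ldap.conf text (keys are case-insensitive)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def audit_tls(settings):
    """Return (server_authenticated, findings) for a parsed ldap.conf."""
    findings = []
    reqcert = settings.get("TLS_REQCERT", "demand").lower()  # OpenLDAP default
    cacert = settings.get("TLS_CACERT") or settings.get("TLS_CACERTDIR")
    authenticated = reqcert in ("demand", "hard")
    if reqcert in ("allow", "never"):
        findings.append("TLS_REQCERT %s: server certificate is not verified" % reqcert)
    elif reqcert == "try":
        findings.append("TLS_REQCERT try: a server presenting no certificate is accepted")
    if authenticated and not cacert:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: a self-signed slapd.pem cannot verify")
    return authenticated, findings
```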
Fedora Core 1 is maintained by the Fedora Legacy project for security updates only. If this problem is a security issue, please reopen and reassign to the Fedora Legacy product. If it is not a security issue and hasn't been resolved in the current FC5 updates or in the FC6 test release, reopen and change the version to match. Thanks! NOTE: Fedora Core 1 is reaching the final end of support even by the Legacy project. After Fedora Core 6 Test 2 is released (currently scheduled for July 26th), there will be no more security updates for FC1. Please use these next two weeks to upgrade any remaining FC1 systems to a current release.
Note that FC1 and FC2 are no longer supported even by Fedora Legacy. Many changes have occurred since these older releases. Please install a supported version of Fedora Core and retest. If this still occurs on FC3 or FC4, please assign to that version and Fedora Legacy. If it still occurs on FC5 or FC6, please reopen and assign to the correct version. Thanks!