On Sat, 2007-12-01 at 13:23 +0000, Timothy Murphy wrote:
> Anthony Messina wrote:
>
> > if you're doing a command line test like ldapsearch, you'll have to add
> > -ZZ to enforce TLS encryption with the search.
>
> Yes, thanks, I had discovered that after some time.
> I find I can access the ldap directory from the desktop
> on which the openldap server is running:
> -------------------------
> [tim@alfred ~]$ ldapsearch -x -ZZ
> # extended LDIF
> ...
> # search result
> search: 3
> result: 0 Success
>
> # numResponses: 7
> # numEntries: 6
> -------------------------
> but not from my laptop:
> -------------------------
> [tim@elizabeth ~]$ ldapsearch -x -ZZ
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> -------------------------
>
> I've never really understood this certificate business.
> Is there a simple tutorial on that anywhere?
>
> One minor source of confusion is that Fedora
> seems to keep certificates in /etc/pki/tls/
> whereas all the openldap documentation I have looked at
> seems to expect them in other /etc/ directories.
>
> But thanks very much for your help.
> I am making progress, slowly but surely.
----
your laptop...contents of /etc/openldap/ldap.conf are probably the issue...does it recognize your ca cert? TLS_CACERT or TLS_CACERTDIR contain the ca cert?

Craig
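
The client-side check suggested in the reply above, as an added shell example that is not part of the original thread: it reads one ldap.conf and reports whether TLS_CACERT or TLS_CACERTDIR points at something the TLS library can use. The function names and return codes (0 usable, 1 no CA directive, 2 directive unusable) are choices made for this example, and paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example: check the CA settings in an OpenLDAP client config file.
# Return codes are this example's own: 0 usable, 1 no directive, 2 unusable.

# Print the value of a directive. Option names in ldap.conf are
# case-insensitive; this example takes the last occurrence in the file.
ldap_conf_value() {
    awk -v key="$2" 'toupper($1) == key { v = $2 } END { if (v != "") print v }' "$1"
}

check_ldap_ca() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    cacert=$(ldap_conf_value "$conf" TLS_CACERT)
    cadir=$(ldap_conf_value "$conf" TLS_CACERTDIR)

    if [ -z "$cacert" ] && [ -z "$cadir" ]; then
        echo "no TLS_CACERT or TLS_CACERTDIR in $conf"
        return 1
    fi
    if [ -n "$cacert" ]; then
        # The file must be readable by the user running ldapsearch and hold PEM data.
        if [ -r "$cacert" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$cacert"; then
            echo "TLS_CACERT ok: $cacert"
            return 0
        fi
        echo "TLS_CACERT is not a readable PEM file: $cacert"
    fi
    if [ -n "$cadir" ]; then
        # OpenSSL finds CA certificates in a directory by subject-hash
        # file names such as 0a1b2c3d.0, so look for at least one of those.
        for f in "$cadir"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]; do
            [ -r "$f" ] && { echo "TLS_CACERTDIR ok: $cadir"; return 0; }
        done
        echo "TLS_CACERTDIR has no hashed certificates: $cadir"
    fi
    return 2
}
```

Run it on the laptop as `check_ldap_ca /etc/openldap/ldap.conf`; a return of 0 only shows that a CA file is configured and readable, not that it is the CA that signed the server's certificate.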