how to force openssl command to read ldap.conf by default?

Discussion in 'Mac OS X Server, Xserve, and Networking' started by natadecoco, Feb 14, 2012.

  1. macrumors newbie

    Joined:
    Feb 14, 2012
    #1
    Hi,

    I'm stuck with this openssl problem for a week... What I'm trying to do is to enable SSL via Open Directory. Here is what I did so far:



    - Exported self-signed root certificate authority and certificate from server in .csr format, renamed to .pem and imported this CA in client machine via Keychain Access App. (later also copied to /etc/openldap/mycert)

    - At Terminal window I entered: <openssl s_client -connect aaa.example.com:636 -showcert"> and copied the server certificate that begin with "----BEGIN CERTIFICATE----", pasted on Textedit and saved it with a name "mycert.pem".

    - under /etc/openldap I created mycert directory and pasted those two pem file mentioned above, and rehashed with command <sudo c_rehash> and it created link files that have a .0 extension.

    - at this moment I redo <openssl s_client -connect aaa.example.com:636 -CApath /etc/openldap/mycert> and it returns "Verify return code: 0 (ok)".

    - I thought everything's fine so I modified /etc/openldap/ldap.conf and added the line "TLS_CACERTDIR /etc/openldap/mycert", so that I run again openssl command without -CAPath and then it returned "Verify return code: 21 (unable to verify the first certificate)". What's wrong here...?

    - when I run the command <ldapsearch -V -x -H ldaps://aaa.example.com:636 -b "dc=aaa,dc=example,dc=com"> it returns "result: 0 success". I also opened Directory Utility and double clicked LDAPv3 in the Services tab, and ticked "SSL" box. It seemed that everything went well, but when I restart my iMac/Macbook, at the login window it doesn't show available directory network anymore (without SSL works fine).



    my enviroment is:
    Intel imac 24 late 2006 - snow leopard 10.6.8 Server,
    Intel imac 27 late 2009 - snow leopard 10.6.8,
    macbook pro Intel 2011 - snow leopard 10.6.8.

    If anyone knows how to force openssl to real properly ldap.conf file, or knows how to fix this problem, please answer me. Thanks!
     

Share This Page