Manoj Chacko
asked on
Trying to connect the LDAP over SSL
Hi,
I have WordPress running on XAMPP; I cannot get LDAP to work over SSL.
Any idea how to accomplish this?
Enabling debug, I can see the following error:
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate).
Thanks
Manoj
To clarify... What is LDAP running on? Same server? different? OS?
ASKER
To clarify, I am running the web server using XAMPP for Windows, currently on Windows Server 2008. Only my WordPress site is running on this; LDAP is run by a different group. I have the credentials and I am just doing the authentication.
What is the name of the certificate on the Windows server 2008 Domain Controller? It should be the same as the FQDN of the server and it should have Server Authentication and Client Authentication enabled on the certificate. The certificate should be from a trusted CA source (not self-signed).
ASKER
So here's the situation.
Name of computer/server is "X"
But I have three instance of wordpress (with three different IPs) running from this ("X","Y","Z")
Setting up LDAP over SSL now for "Y"
ASKER
So when I generate the local certificate, should it be the same as the "server name"
or should it have the site FQDN?
Always use FQDNs on certificates, not short names.
ASKER
Tried this; it did not work.
My error log:
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 20, subject: /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G2, issuer: /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate).
ldap_err2string
Have you imported the public part of the signer's key into the key store that the LDAP client is using?
ASKER
How do you do that?
What operating system is your LDAP client running on?
Where does your LDAP client look for trusted certificates?
Looks like the LDAP client is on a Windows system. Assuming it is using the Windows certificate store, you need to get the public cert of the CA that signed the LDAP server's cert and import it into the Windows certificate store.
Easiest way to do that is to have whomever has it give it to you in a file with ".crt" as the suffix. Then you put it on the Windows system where your code is, right-click on the file and select "Install certificate."
ASKER
The LDAP server itself is managed by a different department. I created a local certificate using the Windows Server Active Directory Certificate Services, but it did not work.
Interestingly, it used to work before; I just upgraded XAMPP for Windows to the latest version and this issue started happening.
You can't create your own certificate for somebody else's server. LDAPS is just like any other SSL connection.
The client has to trust the certificate of the server. It does this by having the signer's certificate in its data store.
Looks like XAMPP uses its own certificate store; read here to see how to get the CA's certificate you need and how to install it:
https://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Requirements#Windows_Server_2003_and_2008
ASKER
I tried using openssl s_client -showcerts -connect to connect to the server; it gives me the error
Verify return code: 20 (unable to get local issuer certificate)
Did you get anything else other than that message?
ASKER
Yes, similar to the Google example, but in the end, instead of "verify ok", I get an error.
OK, you got what you need. You should have at least 2 "BEGIN CERTIFICATE/END CERTIFICATE" pairs. You could have 3 pairs.
You want to save the output of the last "BEGIN CERTIFICATE/END CERTIFICATE" into a file.
Then issue the same command, but add "-CAfile xxxx" where xxxx is the name of the file you saved the cert into. You should now get a zero.
If you do, then you want to follow the instructions about creating the php.ini file and the ".pem" file.
ASKER
I tried that
I tried the command openssl s_client -showcerts -connect site:636 -CAFile filename.crt
I get the following error: "Verify return code: 2 (unable to get issuer certificate)"
That normally means there is an intermediary cert. How many certificates were there when you did the original showcerts?
If there were 3, then try putting the last one in the file and try again.
Is your server's cert signed by a well-known CA or is it signed by an internal CA?
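The chain check described in the two replies above (pull the chain with -showcerts, save the last certificate into a file, verify with -CAfile, and read "error 2" as "intermediate present, root missing"), as an added example that is not code from the original thread, from XAMPP or from OpenLDAP. It builds a throwaway root, intermediate and leaf with openssl so it runs offline; every name and path in it is made up, and a constructed transcript stands in for the live s_client output. It goes one step beyond the thread by showing the general rule behind the two numbers: OpenSSL reports 20 when it found no trusted certificate at all for the chain, and 2 when it found a trusted certificate but could not complete the chain above it to a self-signed root, which is exactly what a -CAfile holding only the intermediate produces.

```shell
#!/bin/sh
# Added example; not code from the original thread, XAMPP or OpenLDAP.
# Rebuilds the thread's situation offline: a leaf cert issued by an intermediate CA
# whose root the client does not have, then shows which trust file makes
# "openssl verify" report error 20, error 2, or OK.
# Assumptions: openssl(1) on PATH; every name below (Example Root CA,
# Example Intermediate CA, ldap.example.test) is made up for the demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
O = Example Test
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:ldap.example.test
extendedKeyUsage = serverAuth
EOF

# 1. Self-signed root CA (the role GlobalSign Root CA - R2 plays in the thread).
openssl req -config "$WORK/req.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
  -subj "/O=Example Test/CN=Example Root CA" -extensions v3_ca \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# 2. Intermediate CA signed by the root (the "Extended Validation CA" role).
openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/O=Example Test/CN=Example Intermediate CA" \
  -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
openssl x509 -req -sha256 -days 2 -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
  -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/req.cnf" \
  -extensions v3_ca -out "$WORK/inter.pem" 2>/dev/null

# 3. Leaf (the LDAP server's certificate) signed by the intermediate.
openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/O=Example Test/CN=ldap.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -sha256 -days 2 -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" \
  -CAkey "$WORK/inter.key" -CAcreateserial -extfile "$WORK/req.cnf" \
  -extensions v3_leaf -out "$WORK/leaf.pem" 2>/dev/null

# 4. Constructed stand-in for "openssl s_client -showcerts" output: the server
#    sends the leaf and the intermediate but never the root, as in the thread.
showcerts_transcript() {
  printf '%s\n' 'CONNECTED(00000003)' '---' 'Certificate chain' ' 0 s:CN = ldap.example.test'
  cat "$WORK/leaf.pem"
  printf '%s\n' ' 1 s:CN = Example Intermediate CA'
  cat "$WORK/inter.pem"
  printf '%s\n' '---' 'Verify return code: 20 (unable to get local issuer certificate)'
}

# Number of PEM certificates in a transcript read from stdin.
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----'; }

# The N-th (1-based) PEM block of a transcript read from stdin; the last one is
# the intermediate that the reply above says to save into a file.
nth_cert() {
  awk -v want="$1" '/-----BEGIN CERTIFICATE-----/ { n++ }
                    n == want { print }
                    /-----END CERTIFICATE-----/ { if (n == want) exit }'
}

# verify_with CAFILE [UNTRUSTED]: prints 0 when the leaf verifies, otherwise the
# X509 verify error number from the "error N at D depth lookup" line.
verify_with() {
  if [ -n "${2:-}" ]; then
    out=$(openssl verify -CAfile "$1" -untrusted "$2" "$WORK/leaf.pem" 2>&1 || true)
  else
    out=$(openssl verify -CAfile "$1" "$WORK/leaf.pem" 2>&1 || true)
  fi
  case "$out" in
    *': OK'*) echo 0 ;;
    *) printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
  esac
}

showcerts_transcript | nth_cert 2 > "$WORK/from_server.pem"    # what the asker put in -CAfile
cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/ca-bundle.pem"  # what TLS_CACERT needs

echo "certificates in the transcript:                  $(showcerts_transcript | cert_count)"
echo "root only, intermediate not supplied:            error $(verify_with "$WORK/root.pem")"
echo "intermediate only (the asker's -CAfile attempt): error $(verify_with "$WORK/from_server.pem")"
echo "root trusted, intermediate from the server:      error $(verify_with "$WORK/root.pem" "$WORK/inter.pem")"
echo "root + intermediate bundle:                      error $(verify_with "$WORK/ca-bundle.pem")"
```

Run it with sh; OpenSSL 1.0.2 through 3.x all print the "error N at D depth lookup" line that verify_with parses. Against the real directory, replace the transcript with the output of openssl s_client -showcerts -connect host:636 </dev/null, and note that the self-signed root is never in that output: the server only sends the leaf and the intermediate, so the root has to come from the CA's own site or from an OS trust store, and it is the root, not the intermediate, that turns error 2 into 0.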
ASKER
Showcerts is only showing 2 certs.
Is your server's cert signed by a well-known CA or is it signed by an internal CA?
ASKER
Well known CA GlobalSign
Then can you attach the output from your showcerts and I can look to see what may be missing.
You should be able to go to GlobalSign's website and if you know what level/type of cert you purchased they should have a file for you to download with everything you need.
ASKER
apache\bin>openssl s_client -showcerts -connect [Our ldap server address]:636
CONNECTED(0000016C)
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G2
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/businessCategory=Private Organization/serialNumber=354000/jurisdictionC=US/jurisdictionST=Pennsylvania/C=US/ST=Pennsylvania/L=Philadelphia/street=1801 North Broad Street/O=Temple University/CN=[Our ldap server address]
i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G2
-----BEGIN CERTIFICATE-----
Cert Values
-----END CERTIFICATE-----
1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G2
i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
-----BEGIN CERTIFICATE-----
Cert Values
-----END CERTIFICATE-----
---
Server certificate
subject=/businessCategory=Private Organization/serialNumber=354000/jurisdictionC=US/jurisdictionST=Pennsylvania/C=US/ST=Pennsylvania/L=Philadelphia/street=1801 North Broad Street/O=Temple University/CN=[Our ldap server address]
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G2
---
No client certificate CA names sent
---
SSL handshake has read 3417 bytes and written 675 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-SHA256
Session-ID: 39DB9807B7915877AF8FD68A7915626C6E1FEBC7578BB0A749E39C5DEDC98322
Session-ID-ctx:
Master-Key: (Key text)
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1464797751
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
I need the whole thing, including the stuff between the BEGIN/END.
ASKER
apache\bin>openssl s_client -showcerts -connect [Our ldap server address]:636
CONNECTED(0000016C)
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G2
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/businessCategory=Private Organization/serialNumber=354000/jurisdictionC=US/jurisdictionST=Pennsylvania/C=US/ST=Pennsylvania/L=Philadelphia/street=1801 North Broad Street/O=Temple University/CN=[Our ldap server address]
i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G2
-----BEGIN CERTIFICATE-----
MIIIKDCCBxCgAwIBAgIMcYPITD3d5uenbS7FMA0GCSqGSIb3DQEBCwUAMGIxCzAJ
BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTgwNgYDVQQDEy9H
bG9iYWxTaWduIEV4dGVuZGVkIFZhbGlkYXRpb24gQ0EgLSBTSEEyNTYgLSBHMjAe
Fw0xNjA1MTEyMTQ2MDlaFw0xODA2MzAyMDMxMDJaMIH5MR0wGwYDVQQPDBRQcml2
YXRlIE9yZ2FuaXphdGlvbjEPMA0GA1UEBRMGMzU0MDAwMRMwEQYLKwYBBAGCNzwC
AQMTAlVTMR0wGwYLKwYBBAGCNzwCAQITDFBlbm5zeWx2YW5pYTELMAkGA1UEBhMC
VVMxFTATBgNVBAgTDFBlbm5zeWx2YW5pYTEVMBMGA1UEBxMMUGhpbGFkZWxwaGlh
MSAwHgYDVQQJExcxODAxIE5vcnRoIEJyb2FkIFN0cmVldDEaMBgGA1UEChMRVGVt
cGxlIFVuaXZlcnNpdHkxGjAYBgNVBAMTEWxkYXAtci50ZW1wbGUuZWR1MIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyJGgZb5kUbiU5zxfUN8wJOwMy3v1
MzC80MD/ZC5hNvJ83gzmP9PG/24gXgM6MXHE/HrKBs6L5SdOjazrvuRhz9aT76HV
SVoeoCxJQtSR4mh9YSP19oI3Q1RGJcwNQ0ILImg3TEh5SVH0mgp52L7RgqA9m2wT
YMM6ZZXiRH8MjYot0W569rvijjmAfE0p2hjXZ2nkVUdpnUMsuCpqaj48ZnTR4HjX
1OqgyUhWotiV4+Vw3mATqbklG//H5Q0zry4C01uFardXAyGKkcdCHEEDdudyyKA4
wYr9NDVc/HhPppoQlisSBG0vLCOVHQ/0onI+Qkg/IYJiByYGI1/5WHiB5wIDAQAB
o4IERDCCBEAwDgYDVR0PAQH/BAQDAgWgMIGUBggrBgEFBQcBAQSBhzCBhDBHBggr
BgEFBQcwAoY7aHR0cDovL3NlY3VyZS5nbG9iYWxzaWduLmNvbS9jYWNlcnQvZ3Nl
eHRlbmR2YWxzaGEyZzJyMi5jcnQwOQYIKwYBBQUHMAGGLWh0dHA6Ly9vY3NwMi5n
bG9iYWxzaWduLmNvbS9nc2V4dGVuZHZhbHNoYTJnMjBVBgNVHSAETjBMMEEGCSsG
AQQBoDIBATA0MDIGCCsGAQUFBwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNv
bS9yZXBvc2l0b3J5LzAHBgVngQwBATAJBgNVHRMEAjAAMEMGA1UdHwQ8MDowOKA2
oDSGMmh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vZ3MvZ3NleHRlbmR2YWxzaGEy
ZzIuY3JsMBwGA1UdEQQVMBOCEWxkYXAtci50ZW1wbGUuZWR1MB0GA1UdJQQWMBQG
CCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUuJG2BKv4c1rY3hlLWWXZYFdA
9FcwHwYDVR0jBBgwFoAU2kB3Q2Uc+P6n4/Rkgj5NQxMiMQIwggJxBgorBgEEAdZ5
AgQCBIICYQSCAl0CWwB2AGj2mPgfZIK+OozuuSgdTPxxUV1nk9RE0QpnrLtPT/vE
AAABVKHIy90AAAQDAEcwRQIhALfJuNYnqH58XKdjqI3b8bY/uVxtzGhbsxq8kYXY
BiErAiBAkiaqVqRV5BznbGsXRafcP978nKTPTP3e3kYG1pIeJwB3AKS5CZC0GFgU
h7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABVKHI0YsAAAQDAEgwRgIhAIHFiB5u
F035bevPhvekX5AnsTAhiO373LRbkTE1e4zBAiEA3aAdWXDv9ak/T+PGgmUp4XnL
tsv1UhcYU37qWcvAIZkAdgB0YbSgnPs9QddRWVdbLnZJpEWo0ncJsMxWSmSCt+tB
owAAAVShyNvrAAAEAwBHMEUCIAYFoFM9HeMIl1YHd7Qt5CC3NJ4wpv6mYB82dml5
7RzkAiEAiwZrP2gj90E0iIcQboAfS34DiY41wS5r9Xun+ZDxVP8AdwDuS723dc5g
uuFCaR+r4Z5mow9+X7By2IMAxHuJeqj9ywAAAVShyORwAAAEAwBIMEYCIQCKSao4
8PkcUVUvKJTcGNjWYLEtM6/GnRTOZHEYB6PLugIhANhU4t4oAGQyP6X58BHaCTiA
YgrKVNuxML/ToX7B/dQ9AHcAVhQGmi/XwuzT9eG9RLI+x0Z2ubyZEVzA75SYVdaJ
0N0AAAFUocjo8wAABAMASDBGAiEA+q+1pDMA8bGP9MsM9Ib1C7pvIEnhVXzUh1JK
QayRq0oCIQClM3+3bJEGxtkk/qiDA9gajgX2X3dUDhmb8o9q4oURajANBgkqhkiG
9w0BAQsFAAOCAQEAka68FVI26WdqFwoHL/bDPM794oXrk77hlihI6PlBBPxKuSyr
uStsE2fzQH4dTtcUadUJXVxmHwTYPPVtgXTzhoQUFxGePJxsb0/2VjA/vJs7zxX0
oCTVogBp052zsoPztX2vk5sYQ1kf3eg8f0j4n0IJxGpcNvl1IoSmdC+mv6HtM3xV
F/u5dK+1rVlYIUkslwojMriLfRk5yzGhWD1+Jrv+fzcH0V2/mnfn6unmHuHagawt
qJWt4tYMmGs1beWukQ0t1dcsiESC8fUniIIM9f3Y46LV2zoxyHDjOrudNSM1eY2v
KEmuq8QgyiXjvx3aJ3a9Pd5GUiVIjgNrUNLZyA==
-----END CERTIFICATE-----
1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G2
i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
-----BEGIN CERTIFICATE-----
MIIEXTCCA0WgAwIBAgILBAAAAAABRE7wSlUwDQYJKoZIhvcNAQELBQAwTDEgMB4G
A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp
Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMTQwMjIwMTAwMDAwWhcNMjExMjE1
MDgwMDAwWjBiMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1z
YTE4MDYGA1UEAxMvR2xvYmFsU2lnbiBFeHRlbmRlZCBWYWxpZGF0aW9uIENBIC0g
U0hBMjU2IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCj6qHS
w0nl9xxdr8OSQq+KPNzvTOYvXwwrn4pQMGbvTshPIUr25/JOG4xTV7CeyFv3uEZV
sxrtwmr+9BvsSEYOj+D74JEZ35kYby5Rr9r2mspkb5lUEHTqPMiqgE1DN/vIpH8F
nTeSvZgANVqvu1t0FQ68vMbpt4bn7q5NSwRMK6C0ZUi4wzrNdbs3yUrAARHZvz8V
hmAZazQgRvWGZg8k9Mxin5+eHf0QpJle8EHrsJT/LLM21usdpxdf385qd8eaxDJj
pwat8xIbnTByWQvrcusq0nd7kXfbAPzYb/Uv2HrFDDqge16Q852EWcgB2ZE3VuU6
U5OtYEknJdnh2oLXAgMBAAGjggEoMIIBJDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0T
AQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU2kB3Q2Uc+P6n4/Rkgj5NQxMiMQIwRwYD
VR0gBEAwPjA8BgRVHSAAMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2Jh
bHNpZ24uY29tL3JlcG9zaXRvcnkvMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9j
cmwuZ2xvYmFsc2lnbi5uZXQvcm9vdC1yMi5jcmwwPQYIKwYBBQUHAQEEMTAvMC0G
CCsGAQUFBzABhiFodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9yb290cjIwHwYD
VR0jBBgwFoAUm+IHV2ccHsBqBt5ZtJot39wZhi4wDQYJKoZIhvcNAQELBQADggEB
AEDvEpCDdJaK+Tq6m1lKM9PvTBMrtZHLyZbtbvVsZPHGhLJGWVpYglLxNKBUQWQg
q9hXO9QUdHEYNswTwcdwwPVFZg5xroevkpTrcUAJ9Mx39xuThYpKrjOF5nSu9RCm
PslZg8P5XJb5KPc0e+k4xpE8T3FYdf7hVnV2zUDEFUA5qUH9ZBAPl4UH6Hlk0FtN
TJsnl9NzXpJ+H0jiyrkFl07vLBxrTYpfeFOVzQI5wi/maU/2cdGZtX9tIN5Dj9sA
G6M7N97RP23ztpB2Haydb4RPJJQJduCdqE33TTePpC9fS0HkSRaXzHtsrxHKllQJ
iyRRrl3tovG7UxBNl/oadwM=
-----END CERTIFICATE-----
---
Server certificate
subject=/businessCategory=Private Organization/serialNumber=354000/jurisdictionC=US/jurisdictionST=Pennsylvania/C=US/ST=Pennsylvania/L=Philadelphia/street=1801 North Broad Street/O=Temple University/CN=[Our ldap server address]
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G2
---
No client certificate CA names sent
---
SSL handshake has read 3417 bytes and written 675 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-SHA256
Session-ID: 39DB9807B7915877AF8FD68A7915626C6E1FEBC7578BB0A749E39C5DEDC98322
Session-ID-ctx:
Master-Key: (Key text)
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1464797751
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
SOLUTION
ASKER
When I tried to verify it, it seemed to work. I get Verify return code: 0 (ok).
How do I install this.
SOLUTION
ASKER
So, as stated on the above site, I saved the go.txt as .crt, generated a .pem and copied it to the openldap/sysconf/ folder, and copied the path into ldap.conf. I restarted the server; the error is still there.
Are you using PHP to make the LDAP calls?
ASKER CERTIFIED SOLUTION
What version of XAMPP are you running?
ASKER
Latest version XAMPP 7.0.6
I am guessing this is the cause of all these problems; the location for ldap.conf might have changed?
It was working fine right before the update, and I had the ldap.conf in c:/openldap/sysconf/ldap.conf
ASKER
That was it. It was the location: I created a new folder in xampp/apache/
called %SYSCONFDIR% and copied ldap.conf over to it,
and it worked.
Thanks a lot.
ASKER
Works. It was mainly the location.
You may want to make a note, because it looks like the most recent version of XAMPP may have "fixed" that issue and expects the files to be in openldap/sysconf/, I think.
I installed the latest XAMPP and the DLL file that seems to control where PHP looks for things does not have %SYSCONFDIR% in the file path.
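The setting the asker ends up with, written out as an ldap.conf for the OpenLDAP client library (libldap) that PHP's ldap extension loads. This is an added illustration, not the asker's file and not anything shipped by XAMPP; the bundle path is an assumption, while TLS_CACERT and TLS_REQCERT are the real directives documented in ldap.conf(5). Two things in the thread are worth keeping: the file has to sit where the bundled libldap actually looks (on this XAMPP build a folder literally named %SYSCONFDIR% under xampp\apache, because the build left the placeholder unexpanded), and the error is fixed by supplying the trust anchor, not by switching verification off:

```conf
# ldap.conf for the OpenLDAP client (libldap) used by PHP's ldap extension.
# Added example; the path below is an assumption for illustration.

# The tempting non-fix: this also makes "unable to get local issuer certificate"
# go away, but libldap then accepts any certificate, so anyone between WordPress
# and the directory can present their own and read every bind password.
# TLS_REQCERT never

# The actual fix: point libldap at a PEM bundle holding the CA root (plus the
# intermediate, harmlessly) and keep verification mandatory. "demand" is the
# default; it is spelled out here so nobody later flips it to "never" or "allow".
TLS_CACERT  C:\xampp\apache\conf\globalsign-chain.pem
TLS_REQCERT demand
```

If the library's search path is unclear, ldap.conf(5) documents the LDAPCONF environment variable, which names the configuration file explicitly, and that is easier to keep across upgrades than a folder called %SYSCONFDIR%. The ".crt" issued by the local AD CS earlier in the thread cannot help here: the client needs the certificate of the CA that signed the directory's certificate, which is GlobalSign's root, and only GlobalSign or an OS trust store can supply that.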
ASKER
OK, will keep that in mind during the upgrade.