I don't know squat about LDAP... how to get client to trust server cert?
Any LDAP gurus...
Where is the Zimbra LDAP CA file and how do I install it on a client so I can do LDAP with TLS queries to the Zimbra Server?
I figured out how I can manually start LDAPS by editing /opt/zimbra/bin/ldap, but after doing that and reading more, I realized that I don't need to do that because TLS can be initiated over regular LDAP on port 389, and that is what zimbra is setup to do.
The ldapsearch command I'm running is now:
So, the problem I'm running into now is that the client machine doesn't trust the SSL certificate used by Zimbra. When I run ldapsearch with -Z (start TLS) from the client to Zimbra, I get this:
ldapsearch -x -Z -v -H 'ldap://zimbra.mydomain.com' -b 'ou=people,dc=mydomain,dc=com' -D 'uid=jdell,ou=people,dc=mydomain,dc=com' -W
Docs here: http://www.openldap.org/faq/data/cache/185.html suggest that you should add the CA to the trusted CA's on the client.
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Where is the CA file that Zimbra uses for generating it's certificates?
I see the slapd.key and slapd.crt in /opt/zimbra/conf but those are not CA files according to /opt/zimbra/conf/slapd.conf, they are TLSCertificateFile, and TLSCertificateKeyFile, not CA files.
If I can't get the CA file, can you configure a client with just a copy the of the slapd.crt and slapd.key?