
OpenLDAP SSL errors
I am trying to get OpenLDAP over SSL working so I can use it 
securely for logins. I am running on SuSE 7.1 w/ OpenLDAP 2.0.7.
I have setup slapd.conf with the following SSL options:
# SSL/TLS config
TLSCertificateFile      /etc/openldap/server.pem
TLSCertificateKeyFile   /etc/openldap/server.pem
TLSCACertificateFile    /etc/openldap/server.pem
TLSVerifyClient false


The server.pem file was generated by:
openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 365

I made sure that the common name was set to the FQDN of the ldap 
server.

On a client machine, I have ldap.conf setup as:
HOST ldapserver
BASE dc=sub,dc=domain,dc=com
URI ldaps://ldapserver
ssl yes


On the ldap server I start in debug mode with:
/usr/lib/openldap/slapd -d 1 -h "ldaps:///"
and get:
@(#) $OpenLDAP: slapd 2.0.7-Release (Mon Jun 18 20:50:20 GMT 2001) $
        root@Hahn:/usr/src/packages/BUILD/openldap-2.0.7/servers/slapd
daemon_init: listen on ldaps:///
daemon_init: 1 listeners to open...
ldap_url_parse(ldaps:///)
daemon: socket() failed errno=97 (Address family not supported by protocol)
daemon: initialized ldaps:///
daemon_init: 1 listeners opened
slapd init: initiated server.
slap_sasl_init: initialized!
slapd startup: initiated.
slapd starting


I am a bit concerned about the daemon socket() error but don't know 
why it is happening.

After starting the ldap server in this way I try to run an 
ldapsearch against it from a client:
ldapsearch -H ldaps://ldapserver -x -b "" -s base

And get a segmentation fault on the client.
The output from the slapd server debug is:
ldap_pvt_gethostbyname_a: host=mcnode1.EraGen.com, r=0
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
ber_get_next
ber_get_next on fd 9 failed errno=0 (Success)
connection_read(9): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=9 for close
connection_close: conn=0 sd=9
TLS trace: SSL3 alert write:warning:close notify


The two lines I think might be interesting are the "error in SSLv3 
read client certificate A" and the line:
ber_get_next on fd 9 failed errno=0 (Success)

ldap logins work if I don't use SSL so the problem must be with the 
SSL functionality.

I have been looking through the mailing list archives and have seen 
people post with similar problems, but nobody seems to have 
posted a fix as far as I have seen.

Has anyone actually gotten OpenLDAP over SSL/TLS working? If so, 
could you please let me know what your config files look like? What 
did you do differently than me?
Also, if someone could tell me what some of the error messages 
from the debug output mean, I might be able to try a few things 
and try to track it down. If I do find a fix and get this working, 
I will post my solution.

Thanks.

Chris
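Added after the post (these are not the poster's own commands): a small sanity check for a combined key+cert server.pem like the one above and for the ldaps listener itself, which separates certificate problems from LDAP problems. It assumes openssl is on PATH; the PEM path and hostname are placeholders passed as arguments.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for a combined
# cert+key PEM like server.pem above, before pointing slapd or ldap.conf at it.
# Assumes openssl is on PATH; file paths and the hostname are arguments.

# Make a self-signed cert and key in ONE file (what the openssl req line in the
# post produces); key and cert are written separately and concatenated so the
# result does not depend on how openssl treats -keyout and -out being the same.
make_selfsigned_pem() {
    pem="$1"; cn="$2"
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 -subj "/CN=$cn" \
        -keyout "$pem.key" -out "$pem.crt" >/dev/null 2>&1
    cat "$pem.key" "$pem.crt" > "$pem"
    rm -f "$pem.key" "$pem.crt"
}

# Succeed only if the private key and certificate in the PEM belong together
# (compared via their public keys, so this also works for non-RSA keys).
pem_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Print the subject CN, the name a 2.0-era LDAP client compares with the host
# it connected to (newer clients want a subjectAltName as well).
pem_subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Succeed only if the subject CN equals (case-insensitively) the hostname clients dial.
cn_matches_host() {
    [ "$(pem_subject_cn "$1" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# Probe a running ldaps listener using the same PEM as trust anchor; a non-zero
# exit means the TLS handshake or certificate verification failed, before any LDAP.
ldaps_handshake_ok() {
    host="$1"; port="${2:-636}"; ca="$3"
    openssl s_client -connect "$host:$port" -CAfile "$ca" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Usage: sh check_ldaps.sh /etc/openldap/server.pem ldapserver.example.com
if [ $# -ge 2 ]; then
    pem_key_matches_cert "$1" && echo "key/cert: match" || echo "key/cert: MISMATCH"
    cn_matches_host "$1" "$2" && echo "CN: $(pem_subject_cn "$1")" || echo "CN: does not match $2"
    ldaps_handshake_ok "$2" 636 "$1" && echo "ldaps: handshake ok" || echo "ldaps: handshake FAILED"
fi
```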