
RE: ldap-ssl trouble .....
Port 636 is used for LDAP on SSL. This means that SSL is part of the
connection from the very beginning. This is the way SSL was used with
LDAPv2, but is not
part of any documented standard. The "-Z" option to ldapsearch uses the
Start TLS request which is defined in LDAPv3. This assumes a connection that
was created in the clear, and which then has TLS/SSL activated on it in
response to this Start TLS request.

By setting up your ldap.conf in this manner you're trying to initiate a
clear text connection on a port that is expecting SSL, which obviously
doesn't work. If you're going to use Start TLS you don't need to use port
636 at all. If you want to use port 636, you cannot use Start TLS on that
port because TLS will already be active before any LDAP requests can be
processed.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
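The mismatch described above, as an added example that is not part of the original thread: a StartTLS client opens in the clear and its first bytes on the wire are a BER-encoded LDAP ExtendedRequest (first byte 0x30), while an ldaps:// listener on 636 expects a TLS ClientHello record (first byte 0x16) before anything else. The OpenSSL first-bytes check is a simplified model written for this example, and all bytes are constructed here.

```python
# Added example, not from the thread: models why `ldapsearch -Z` aimed at an
# ldaps:// listener (port 636) dies with "SSL23_GET_CLIENT_HELLO:unknown protocol".
# All bytes below are constructed here; the OpenSSL check is a simplified model.

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 2830 Start TLS extended operation


def ber_len(n: int) -> bytes:
    """BER definite length, short form; everything built here is under 128 bytes."""
    assert n < 0x80
    return bytes([n])


def starttls_request(message_id: int = 1) -> bytes:
    """What a StartTLS client sends first: a cleartext LDAP ExtendedRequest.
    LDAPMessage ::= SEQUENCE { messageID INTEGER, ExtendedRequest [APPLICATION 23] }"""
    request_name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID  # [0] LDAPOID
    ext_req = b"\x77" + ber_len(len(request_name)) + request_name        # 0x40|0x20|23
    body = b"\x02\x01" + bytes([message_id]) + ext_req                   # INTEGER id
    return b"\x30" + ber_len(len(body)) + body                           # SEQUENCE


def tls_client_hello_record() -> bytes:
    """What an ldaps:// client sends first: a TLS record carrying a ClientHello.
    The hello body is a stand-in (version + zeroed random, no cipher suites)."""
    hello_body = b"\x03\x01" + b"\x00" * 32
    handshake = b"\x01" + len(hello_body).to_bytes(3, "big") + hello_body  # client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake  # handshake record


def classify_first_bytes(data: bytes) -> str:
    """Simplified model of OpenSSL's SSL23_GET_CLIENT_HELLO peek at the first bytes:
    accept an SSLv2-format hello (byte 0 high bit set, byte 2 == 1) or an SSLv3/TLS
    handshake record (0x16, major version 3, handshake type 1 at byte 5).
    A BER SEQUENCE (0x30) from a cleartext LDAP client matches neither."""
    if len(data) < 6:
        return "need more data"
    if data[0] & 0x80 and data[2] == 0x01:
        return "SSLv2-format ClientHello"
    if data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "SSLv3/TLS ClientHello"
    return "unknown protocol"


if __name__ == "__main__":
    print("port 636 sees from `ldapsearch -Z`:", classify_first_bytes(starttls_request()))
    print("port 636 sees from an ldaps:// client:", classify_first_bytes(tls_client_hello_record()))
```

The fix is the one Howard gives: point `-Z` at the ldap:// listener on 389, or drop `-Z` and use an ldaps:// URI for 636.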

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Kaufmann
> Lionel
> Sent: Thursday, February 14, 2002 4:40 AM
> To: openldap-software@OpenLDAP.org
> Subject: ldap-ssl trouble .....
>
>
> Hello everybody!
>
> Here is my compilation:
>
> #> CPPFLAGS=-I/usr/local/openssl-0.9.6/include
> #> export CPPFLAGS
> #> LDFLAGS=-L/usr/local/openssl-0.9.6/lib-dir
> #> export LDFLAGS
> #> configure --prefix =/usr/local/Ldap-srv --with-tls
> #> make depend / make / make install
>
> First, working with standard ldap://, I've created the database and
> imported it in LDIF format....
> Some search requests... everything's fine!!! :o)
>
> Then I decided to turn the server to ldap-ssl.
> I create the key:
>
> #>  openssl req -nodes -new -x509 -keyout MyCAkey.pem -out MyCAcert.pem
>
> And I add these lines to slapd.conf:
>
> TLSCertificateFile      /usr/local/LDAP-SRV/key/MyCAcert.pem
> TLSCertificateKeyFile   /usr/local/LDAP-SRV/key/MyCAkey.pem
>
> #>./slapd -d 1 -h "ldap://neon.sunflo.fr ldaps://neon.sunflo.fr"
>
> The server starts correctly:
>
> @(#) $OpenLDAP: slapd 2.0.21-Release (mer fév  6 10:13:12 CET 2002) $
> root@neon:/usr/local/openldap-2.0.21/servers/slapd
> daemon_init: listen on ldap://neon.sunflo.fr
> daemon_init: listen on ldaps://neon.sunflo.fr
> daemon_init: 2 listeners to open...
> ldap_url_parse_ext(ldap://neon.sunflo.fr)
> daemon: initialized ldap://neon.sunflo.fr
> ldap_url_parse_ext(ldaps://neon.sunflo.fr)
> daemon: initialized ldaps://neon.sunflo.fr
> daemon_init: 2 listeners opened
> slapd init: initiated server.
> slap_sasl_init: initialized!
> slapd startup: initiated.
> slapd starting
>
> And with the netstat command I see that ports 636 and 389 are indeed
> open...
>
> When I try a search on the non-secure server, everything is OK!
>
> BUT when I try a search on the secure server
> (ldap.conf: HOST neon.sunflo.fr:636)
>
> #> ldapsearch -x -Z -b o=societe.fr sn=Wayne
>
> the client responds that it can't contact the server and I get these
> trace errors:
>
> ldap_pvt_gethostbyname_a: host=neon, r=0
> connection_get(9): got connid=0
> connection_read(9): checking for input on id=0
> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
> TLS: can't accept.
> TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> s23_srvr.c:557
> connection_read(9): TLS accept error error=-1 id=0, closing
> connection_closing: readying conn=0 sd=9 for close
> connection_close: conn=0 sd=9
>
> Note: the result is the same when I contact it from a PHP page...
> (PHP compiled with ldap3.3 and openssl)
>
> I took a quick look at the file s23_srvr.c on line 557.... I'm not really
> good in C, but it seems that it's not able to determine the version of
> TLS or SSL or something like that...
>
> Does anybody have any idea what I should do to fix the problem????
> Thanks a lot!