
RE: ldapsearch TLS error



Since you are using "ldapsearch -H ldap:///", the search defaults to
contacting "localhost." You should change /etc/ldap.conf and specify
"blah.blah.com" if that's what you want for your default lookups. The
hostname specified by the ldap client must exactly match the hostname
in the server's certificate. You can add aliases (with wildcards) in a
cert for a server that is multi-homed or other reasons, but one of the
names must match the name that the client used.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of John Green
> Sent: Thursday, April 18, 2002 2:35 PM
> To: openldap-software (E-mail)
> Subject: ldapsearch TLS error
>
>
> I'm using RH72. I'm getting the error "ldap_start_tls: connect error." From
> the debug output (below) it seems TLS believes my FQDN is localhost. Using
> the RH rpm's, 2.0.11 works fine, but when upgrading the rpm's to 2.0.21 on a
> clean install and then configuring the machine, this springs up. I've
> created a certificate, and pointed slapd.conf to it. Can anyone direct me to
> what other file(s) would control this? I've tried searching the RH website,
> OpenLDAP website, Openssl website, and Google, and I've found information,
> but I haven't found any fixes.
>
> Thanks  --  John
>
> ldapsearch -H ldap:///  -p 389 -x -b "" -s base -d 127 -LLL -ZZ
> supportedSASLMechanisms
>
> //snip// domain name changed to protect the innocent
>
> TLS trace: SSL_connect:SSLv3 read server done A
> TLS trace: SSL_connect:SSLv3 write client key exchange A
> TLS trace: SSL_connect:SSLv3 write change cipher spec A
> TLS trace: SSL_connect:SSLv3 write finished A
> tls_write: want=190, written=190
> TLS trace: SSL_connect:SSLv3 flush data
> tls_read: want=5, got=5
>   0000:  14 03 01 00 01                                     .....
> tls_read: want=1, got=1
>   0000:  01                                                 .
> tls_read: want=5, got=5
>   0000:  16 03 01 00 28                                     ....(
> tls_read: want=40, got=40
> TLS trace: SSL_connect:SSLv3 read finished A
> TLS: hostname (localhost) does not match common name in certificate (blah.blah.com.).
> ldap_perror
> ldap_start_tls: Connect error
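The name-matching rule Howard describes above (the name the client dialed must equal one of the names in the server certificate, with wildcard aliases allowed), written out as an added Python example that is not part of this thread or of OpenLDAP's code. The certificate names are constructed sample values, and the assumption that subjectAltName entries take precedence over the subject CN is the modern rule, not something the thread states.

```python
# Added example: reproduce the client-side hostname check offline so the
# "hostname (localhost) does not match common name" failure can be seen.

def _normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so 'Blah.Blah.com.' == 'blah.blah.com'."""
    return name.strip().lower().rstrip(".")


def _label_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (possibly '*.blah.com') against a host name.

    Only the leftmost label may be a bare '*', and it covers exactly one label,
    so '*.blah.com' matches 'ldap.blah.com' but not 'blah.com' or 'a.b.blah.com'.
    """
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if pattern == hostname:
        return True
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or len(plabels) != len(hlabels) or len(plabels) < 3:
        return False
    return plabels[1:] == hlabels[1:]


def hostname_matches_cert(hostname: str, common_name: str, san_dns=()) -> bool:
    """True if the name the client dialed matches a name in the server cert.

    Assumed rule: subjectAltName dNSName entries are authoritative when present;
    the subject CN is consulted only when the cert carries no dNSName.
    """
    candidates = list(san_dns) if san_dns else [common_name]
    return any(_label_matches(c, hostname) for c in candidates)


def explain(hostname: str, common_name: str, san_dns=()) -> str:
    """Return a diagnostic in the style of the OpenLDAP client message above."""
    if hostname_matches_cert(hostname, common_name, san_dns):
        return f"TLS: hostname ({hostname}) matches certificate ({common_name})"
    return (f"TLS: hostname ({hostname}) does not match common name in "
            f"certificate ({common_name})")


if __name__ == "__main__":
    # ldap:/// dials localhost, but the (constructed) cert names blah.blah.com
    print(explain("localhost", "blah.blah.com"))
    # dialing the cert's own name (ldap://blah.blah.com/) succeeds
    print(explain("blah.blah.com", "blah.blah.com"))
    # multi-homed server: a wildcard alias in subjectAltName covers ldap2.blah.com
    print(explain("ldap2.blah.com", "blah.blah.com", ["blah.blah.com", "*.blah.com"]))
```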