
RE: ldapsearch TLS error



Thanks for the input, but I modified the /etc/ldap.conf file to match my dn
before I first started ldap on the machine. When I first got the error, I
tried adjusting the TLS settings in the same file and still no luck. I think
this is an issue with upgrading the OpenLDAP version on RH72 and somehow
breaking the dependencies with OpenSSL.

I got the same error on a different machine when I installed the latest PHP
tar file, and set up a web page driven by PHP with a MySQL backend.

But, on a brighter note, I think I will just stick with the version of RH's
OpenLDAP rpm that I know works (2.0.11), and eventually get around to
testing a more recent version.

Thanks --  John
>
> Since you are using "ldapsearch -H ldap:///", the search defaults to
> contacting "localhost." You should change /etc/ldap.conf and specify
> "blah.blah.com" if that's what you want for your default lookups. The
> hostname specified by the ldap client must exactly match the hostname
> in the server's certificate. You can add aliases (with wildcards) in a
> cert for a server that is multi-homed or other reasons, but one of the
> names must match the name that the client used.
>
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support
>
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of John Green
> > Sent: Thursday, April 18, 2002 2:35 PM
> > To: openldap-software (E-mail)
> > Subject: ldapsearch TLS error
> >
> >
> > I'm using RH72. I'm getting the error "ldap_start_tls: connect
> > error." From the debug output (below) it seems TLS believes my FQDN
> > is localhost. Using the RH RPMs, 2.0.11 works fine, but when
> > upgrading the RPMs to 2.0.21 on a clean install and then configuring
> > the machine, this springs up. I've created a certificate, and pointed
> > slapd.conf to it. Can anyone direct me to what other file(s) would
> > control this? I've tried searching the RH website, OpenLDAP website,
> > OpenSSL website, and Google, and I've found information, but I
> > haven't found any fixes.
> >
> > Thanks  --  John
> >
> > ldapsearch -H ldap:///  -p 389 -x -b "" -s base -d 127 -LLL -ZZ
> > supportedSASLMechanisms
> >
> > //snip// domain name changed to protect the innocent
> >
> > TLS trace: SSL_connect:SSLv3 read server done A
> > TLS trace: SSL_connect:SSLv3 write client key exchange A
> > TLS trace: SSL_connect:SSLv3 write change cipher spec A
> > TLS trace: SSL_connect:SSLv3 write finished A
> > tls_write: want=190, written=190
> >   0000:  16 03 01 00 86 10 00 00  82 00 80 16 69 90 69 9c  ............i.i.
> >   0010:  ae d3 2c 22 81 7a d6 5b  38 cb e8 ac ac 26 c9 95  ..,".z.[8....&..
> >   0020:  33 5e 59 2e db 6d 45 ef  ab 4d 76 2f 39 f3 cb 68  3^Y..mE..Mv/9..h
> >   0030:  c1 48 83 d7 03 3c 44 0c  99 fc 88 77 7a 43 13 57  .H...<D....wzC.W
> >   0040:  d1 70 d2 16 10 82 ee cc  eb 6f 83 4b 83 04 55 e8  .p.......o.K..U.
> >   0050:  96 10 6a c9 c4 02 6c 1d  97 7e d0 00 dc 49 19 09  ..j...l..~...I..
> >   0060:  19 0b 12 49 a1 ac 63 3d  fa ef 31 ed a0 34 fd c4  ...I..c=..1..4..
> >   0070:  23 24 d0 42 dd 00 87 5c  3a b2 7a f9 ce 15 71 af  #$.B...\:.z...q.
> >   0080:  3c 07 35 d1 73 bb 1a 11  bd c5 c9 14 03 01 00 01  <.5.s...........
> >   0090:  01 16 03 01 00 28 76 0f  16 23 e0 82 f9 dc 04 18  .....(v..#......
> >   00a0:  5a 87 d8 67 bb c9 76 33  82 98 fd 37 09 35 d7 ca  Z..g..v3...7.5..
> >   00b0:  5f a7 65 52 97 cd bb f7  9e d2 49 51 f0 90        _.eR......IQ..
> > TLS trace: SSL_connect:SSLv3 flush data
> > tls_read: want=5, got=5
> >   0000:  14 03 01 00 01                                     .....
> > tls_read: want=1, got=1
> >   0000:  01                                                 .
> > tls_read: want=5, got=5
> >   0000:  16 03 01 00 28                                     ....(
> > tls_read: want=40, got=40
> >   0000:  2c fc 31 74 76 31 2f c5  c0 24 27 94 43 1e c5 49
> > ,.1tv1/..$'.C..I
> >   0010:  f0 d9 06 fe 5a 39 a0 2f  4a 7b 49 d0 14 fc 4a a7
> > ....Z9./J{I...J.
> >   0020:  5f 3d 42 83 5b f0 8e 16                            _=B.[...
> > TLS trace: SSL_connect:SSLv3 read finished A
> > TLS: hostname (localhost) does not match common name in certificate
> > (blah.blah.com.).
> > ldap_perror
> > ldap_start_tls: Connect error
>
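The check Howard describes is the standard TLS server-name check: the name the client dialled is compared with the names in the server certificate, and a wildcard is only honoured as a whole leftmost label. The following is an added example (not OpenLDAP's own code, and not anything from the thread's participants) that reproduces that decision for the exact situation in the thread: `ldap:///` dials "localhost", the certificate's common name is "blah.blah.com", so the handshake is refused. The function names and the certificate names in the demo are hypothetical, constructed for the example; the rule that subjectAltName DNS entries are consulted first and the common name only as a fallback is the usual client behaviour, assumed here rather than taken from the page.

```python
"""Server-name check of the kind ldapsearch -ZZ performs.

Added example: reproduces the decision the client made in the thread
(dialled "localhost", certificate CN "blah.blah.com" -> mismatch).
Not OpenLDAP source; certificate names are constructed sample data.
"""
import ipaddress


def _normalize(name: str) -> str:
    # DNS names are case-insensitive and a trailing dot only marks the
    # root, so "BLAH.blah.com." and "blah.blah.com" must compare equal.
    return name.rstrip(".").lower()


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (possibly a wildcard) against hostname."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    # Wildcard rules (conservative, as a client should be): only the whole
    # leftmost label may be "*", at least two labels must follow it, and
    # it matches exactly one label. "*.blah.com" therefore matches
    # "ldap.blah.com" but neither "blah.com" nor "a.b.blah.com".
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if _is_ip_literal(hostname):
        return False  # an IP literal never matches a DNS wildcard
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def verify_server_name(dialled_host, cert_cn, san_dns_names=()):
    """Decide whether the dialled host is covered by the certificate.

    Returns (ok, reason).  subjectAltName DNS entries, when present, are
    the names that count; the common name is only a fallback when the
    certificate carries no SAN DNS entries (assumed client policy).
    """
    candidates = list(san_dns_names) if san_dns_names else [cert_cn]
    for name in candidates:
        if dns_name_matches(name, dialled_host):
            return True, "hostname (%s) matches certificate name (%s)" % (
                dialled_host, name)
    where = "subjectAltName" if san_dns_names else "common name"
    return False, "hostname (%s) does not match %s in certificate (%s)" % (
        dialled_host, where, ", ".join(candidates))


if __name__ == "__main__":
    # The thread's case: "-H ldap:///" dials localhost, cert CN is the FQDN.
    print(verify_server_name("localhost", "blah.blah.com")[1])
    # After pointing the client at the FQDN instead (URI in ldap.conf or
    # -H ldap://blah.blah.com/), the same certificate is accepted.
    print(verify_server_name("blah.blah.com", "blah.blah.com")[1])
    # A wildcard SAN covers one extra label, as Howard's "aliases" remark says.
    print(verify_server_name("ldap.blah.com", "blah.blah.com", ["*.blah.com"])[1])
```

The practical consequence for the poster's setup is in the first `verify_server_name` call: the certificate was fine, the dialled name was not, so the fix is on the client side (a URI naming the host that appears in the certificate), not in the OpenSSL dependencies.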