
RE: ldapsearch TLS error



Sorry, I was not explaining myself well. I have the host and dn specified in
my /etc/ldap.conf, although not the URI. That shouldn't matter, should it?

The strange thing about the error is that the same install procedure and
files work great with the earlier version of the rpms. I saved all the
config files from a functional LDAP system on a separate partition (/data),
reloaded RH, upgraded SASL and LDAP from rpm, restored files, no luck.
Reloaded RH, upgraded SASL, restored files, works perfectly.

> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of John Green
>
> > Thanks for the input, but I modified the /etc/ldap.conf file to match my dn
> > before I first started ldap on the machine. When I first got the error, I
> > tried adjusting the TLS settings in the same file and still no luck. I think
> > this is an issue with upgrading the OpenLDAP version on RH72 and somehow
> > breaking the dependencies with OpenSSL.
>
> I think you misunderstood my point. You need to set the default host, or the
> default URI, to the fully qualified domain name of your server. I wasn't
> talking about matching the DN, though obviously doing that makes things more
> convenient.
>
> Use either
> 	HOST	server.sub.domain
> or
> 	URI	ldap://server.sub.domain
>
> to set your default search host.
>
> > But, on a brighter note, I think I will just stick with the version of RH's
> > OpenLDAP rpm that I know works (2.0.11), and eventually get around to
> > testing a more recent version.
>
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support
>
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of John Green
> Sent: Thursday, April 18, 2002 2:35 PM
> To: openldap-software (E-mail)
> Subject: ldapsearch TLS error
>
>
> I'm using RH72. I'm getting the error "ldap_start_tls: connect error." From
> the debug output (below) it seems TLS believes my FQDN is localhost. Using
> the RH rpm's, 2.0.11 works fine, but when upgrading the rpm's to 2.0.21 on a
> clean install and then configuring the machine, this springs up. I've
> created a certificate, and pointed slapd.conf to it. Can anyone direct me to
> what other file(s) would control this? I've tried searching the RH website,
> OpenLDAP website, Openssl website, and Google, and I've found information,
> but I haven't found any fixes.
>
> Thanks  --  John
>
> ldapsearch -H ldap:///  -p 389 -x -b "" -s base -d 127 -LLL -ZZ
> supportedSASLMechanisms
>
> //snip// domain name changed to protect the innocent
>
> TLS trace: SSL_connect:SSLv3 read server done A
> TLS trace: SSL_connect:SSLv3 write client key exchange A
> TLS trace: SSL_connect:SSLv3 write change cipher spec A
> TLS trace: SSL_connect:SSLv3 write finished A
> tls_write: want=190, written=190
>   0000:  16 03 01 00 86 10 00 00  82 00 80 16 69 90 69 9c
> ............i.i.
>   0010:  ae d3 2c 22 81 7a d6 5b  38 cb e8 ac ac 26 c9 95
> ..,".z.[8....&..
>   0020:  33 5e 59 2e db 6d 45 ef  ab 4d 76 2f 39 f3 cb 68
> 3^Y..mE..Mv/9..h
>   0030:  c1 48 83 d7 03 3c 44 0c  99 fc 88 77 7a 43 13 57
> .H...<D....wzC.W
>   0040:  d1 70 d2 16 10 82 ee cc  eb 6f 83 4b 83 04 55 e8
> .p.......o.K..U.
>   0050:  96 10 6a c9 c4 02 6c 1d  97 7e d0 00 dc 49 19 09
> ..j...l..~...I..
>   0060:  19 0b 12 49 a1 ac 63 3d  fa ef 31 ed a0 34 fd c4
> ...I..c=..1..4..
>   0070:  23 24 d0 42 dd 00 87 5c  3a b2 7a f9 ce 15 71 af
> #$.B...\:.z...q.
>   0080:  3c 07 35 d1 73 bb 1a 11  bd c5 c9 14 03 01 00 01
> <.5.s...........
>   0090:  01 16 03 01 00 28 76 0f  16 23 e0 82 f9 dc 04 18
> .....(v..#......
>   00a0:  5a 87 d8 67 bb c9 76 33  82 98 fd 37 09 35 d7 ca
> Z..g..v3...7.5..
>   00b0:  5f a7 65 52 97 cd bb f7  9e d2 49 51 f0 90         _.eR......IQ..
> TLS trace: SSL_connect:SSLv3 flush data
> tls_read: want=5, got=5
>   0000:  14 03 01 00 01                                     .....
> tls_read: want=1, got=1
>   0000:  01                                                 .
> tls_read: want=5, got=5
>   0000:  16 03 01 00 28                                     ....(
> tls_read: want=40, got=40
>   0000:  2c fc 31 74 76 31 2f c5  c0 24 27 94 43 1e c5 49   ,.1tv1/..$'.C..I
>   0010:  f0 d9 06 fe 5a 39 a0 2f  4a 7b 49 d0 14 fc 4a a7   ....Z9./J{I...J.
>   0020:  5f 3d 42 83 5b f0 8e 16                            _=B.[...
> TLS trace: SSL_connect:SSLv3 read finished A
> TLS: hostname (localhost) does not match common name in certificate (blah.blah.com.).
> ldap_perror
> ldap_start_tls: Connect error
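The failure in the debug output above is the client's TLS hostname check doing its job: `ldapsearch -H ldap:///` gives no host, so the client verifies the server certificate against `localhost`, and a certificate issued to the server's FQDN cannot match. Howard's fix (a default HOST or URI naming the FQDN) changes the name being verified, not the check. The script below is an added example, not OpenLDAP code or anything from this thread: it models, in simplified form, how the peer name is chosen (command-line URI host, else the ldap.conf URI, else HOST, else `localhost`; this precedence is an assumption for the example) and then applies an RFC 6125-style name comparison (case-insensitive, trailing dot ignored, wildcard only as the whole left-most label, SAN dNSNames preferred over the subject CN). `parse_ldap_conf`, `effective_host`, `dns_name_matches`, `verify_peer_name`, `diagnose` and the constructed certificate `SERVER_CERT` are all hypothetical names.

```python
"""Model of the LDAP client TLS hostname check (added example, not OpenLDAP code)."""
from urllib.parse import urlsplit


def parse_ldap_conf(text):
    """Parse 'KEY value' lines of an ldap.conf-style file into a dict.
    '#' starts a comment; keys are case-insensitive and stored upper-case."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].upper()] = parts[1].strip()
    return conf


def effective_host(cli_uri, conf):
    """Hostname the client will verify the certificate against.
    Assumed precedence for this example: a host in the command-line URI wins;
    an empty authority such as ldap:/// falls back to the ldap.conf URI, then
    HOST, then the OpenLDAP default of localhost."""
    host = urlsplit(cli_uri).hostname if cli_uri else None
    if not host and conf.get("URI"):
        host = urlsplit(conf["URI"].split()[0]).hostname
    if not host and conf.get("HOST"):
        host = conf["HOST"].split()[0]
    return host or "localhost"


def _norm(name):
    # DNS names compare case-insensitively; a trailing dot (absolute name) is ignored.
    return name.rstrip(".").lower()


def dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison of a certificate name against the peer name.
    A single '*' is allowed only as the entire left-most label, and only when
    at least two further labels follow (so '*.domain' never matches)."""
    pattern, hostname = _norm(pattern), _norm(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_peer_name(hostname, cert):
    """cert is a constructed stand-in for a parsed X.509 certificate:
    {'subject_cn': str, 'san_dns': [str, ...]}. subjectAltName dNSNames are
    authoritative when present; the CN is consulted only when there are none."""
    names = cert.get("san_dns") or [cert["subject_cn"]]
    for name in names:
        if dns_name_matches(name, hostname):
            return True, name
    return False, None


# Constructed server certificate, issued to the FQDN as in Howard's HOST example.
SERVER_CERT = {"subject_cn": "server.sub.domain", "san_dns": []}


def diagnose(cli_uri, conf_text, cert=SERVER_CERT):
    """Return the verification outcome in the same shape as the libldap message."""
    host = effective_host(cli_uri, parse_ldap_conf(conf_text))
    ok, matched = verify_peer_name(host, cert)
    if ok:
        return f"ok: hostname ({host}) matches certificate name {matched}"
    return (f"TLS: hostname ({host}) does not match common name in certificate "
            f"({cert['subject_cn']}).")


if __name__ == "__main__":
    # Constructed ldap.conf contents: first without a default host, then with one.
    print(diagnose("ldap:///", "BASE dc=example,dc=com\n"))
    print(diagnose("ldap:///", "BASE dc=example,dc=com\nURI ldap://server.sub.domain\n"))
```

Running it prints the same mismatch line the thread shows for the first configuration and a match for the second, which is the defender's takeaway here: the remedy for this error is to connect by the name the certificate was issued to (HOST or URI set to the FQDN), not to relax the check with a looser TLS_REQCERT setting.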