
Re: TLS problems

Edward,

The answer to this question is in the list archives if you do a simple search. The problem lies within your ldap.conf file, where you also need to have your TLS bits set.

--Quanah

--On Wednesday, August 07, 2002 2:59 PM -0500 Edward Konetzko <konetzed@linuxworkz.com> wrote:

I am having a hard time getting TLS to work with ldap. I have generated my
own slapd.pem file, and been able to receive the cert information using
"openssl s_client -connect localhost:636 -showcerts -tls1". I have
compiled openldap-2.0.25 with --with-tls and without it at configure
time, also I have tried Redhat's openldap-servers-2.0.23-4 rpm. I am
starting slapd the following way: "slapd -u ldap -h 'ldap:/// ldaps:///'
-d 5 -f /etc/openldap/slapd.conf". Does anyone have a clue what's going
on here?


My slapd.conf file is almost as follows.
##################################################################
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema


pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem

database        ldbm
suffix          "dc=myldap,dc=edu"
rootdn          "cn=Manager,dc=myldap,dc=edu"
rootpw          secret
directory       /var/lib/ldap
index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
index   cn,mail,surname,givenname                       eq,subinitial
#################################################################

start up debugging information
#################################################################
daemon_init: ldap:/// ldaps:///
daemon_init: listen on ldap:///
daemon_init: listen on ldaps:///
daemon_init: 2 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: socket() failed errno=97 (Address family not supported by
protocol)
daemon: initialized ldap:///
ldap_url_parse_ext(ldaps:///)
daemon: socket() failed errno=97 (Address family not supported by
protocol)
daemon: initialized ldaps:///
daemon_init: 2 listeners opened
slapd init: initiated server.
slap_sasl_init: initialized!
slapd startup: initiated.
slapd starting
##################################################################


When I try to connect to port 389 with "openssl s_client -connect localhost:389 -showcerts -tls1", I get the following output from openssl:
##################################################################
CONNECTED(00000003)
13717:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:490:
##################################################################

and this output from slapd at debug level 5.
##################################################################
connection_get(10)
connection_get(10): got connid=9
connection_read(10): checking for input on id=9
ber_get_next
ber_get_next: tag 0x16 len 3 contents:
ber_get_next on fd 10 failed errno=0 (Success)
connection_read(10): input error=-2 id=9, closing.
connection_closing: readying conn=9 sd=10 for close
connection_close: conn=9 sd=10
##################################################################

I also tried to get a connection with "GQ" using tls on both ports 389
and 636. This is the error I get from slapd at debug level 5 when trying
to connect to port 389.
##################################################################
connection_get(10)
connection_get(10): got connid=2
connection_read(10): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
do_extended
ber_scanf fmt ({a) ber:
do_extended: oid=1.3.6.1.4.1.1466.20037
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 10
connection_get(10)
connection_get(10): got connid=2
connection_read(10): checking for input on id=2
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(10)
connection_get(10): got connid=2
connection_read(10): checking for input on id=2
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(10)
connection_get(10): got connid=2
connection_read(10): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
do_unbind
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
connection_closing: readying conn=2 sd=10 for close
connection_resched: reaquiring locks conn=2 sd=10
connection_resched: attempting closing conn=2 sd=10
connection_close: conn=2 sd=10
TLS trace: SSL3 alert write:warning:close notify
slap_sig_shutdown: signal 2
slap_sig_shutdown: signal 2
daemon: shutdown requested and initiated.
slapd shutdown: waiting for 0 threads to terminate
slap_sig_shutdown: signal 2
slapd shutdown: initiated
ldbm backend syncing
ldbm flushing db (dn2id.dbb)
ldbm closing db (dn2id.dbb)
ldbm backend done syncing
====> cache_release_all
slapd shutdown: freeing system resources.
slapd stopped.
################################################################

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
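An added example (not from the thread, not Quanah's or Edward's code) of what "your TLS bits in ldap.conf" means in practice: a small audit function over two constructed client ldap.conf files, one without and one with the TLS lines, reusing the slapd.pem path from Edward's slapd.conf.

```shell
#!/bin/sh
# Added example, not from the thread: audit a client ldap.conf for the TLS
# settings a self-signed slapd.pem needs. The cert path is the one in
# Edward's slapd.conf; the ldap.conf contents below are constructed.

# audit_ldap_conf FILE: report missing/weak TLS bits; returns 0 when set.
audit_ldap_conf() {
    conf="$1"
    rc=0
    # The client must trust the issuer of the server certificate. For a
    # self-signed slapd.pem that means TLS_CACERT pointing at the cert itself.
    if ! grep -Eq '^[[:space:]]*TLS_CACERT(DIR)?[[:space:]]' "$conf"; then
        echo "$conf: no TLS_CACERT/TLS_CACERTDIR, server cert cannot be verified"
        rc=1
    fi
    # TLS_REQCERT never would make the handshake 'work' by skipping
    # verification; flag it rather than accept it as a fix.
    if grep -Eq '^[[:space:]]*TLS_REQCERT[[:space:]]+never' "$conf"; then
        echo "$conf: TLS_REQCERT never disables server certificate checking"
        rc=1
    fi
    return $rc
}

tmpdir=$(mktemp -d)
# Constructed "before": no TLS lines, the state Quanah's reply points at.
cat > "$tmpdir/ldap.conf.before" <<'EOF'
BASE dc=myldap,dc=edu
URI  ldap://localhost/
EOF
# Constructed "after": trust the self-signed cert and demand a valid one.
cat > "$tmpdir/ldap.conf.after" <<'EOF'
BASE dc=myldap,dc=edu
URI  ldap://localhost/
TLS_CACERT  /usr/share/ssl/certs/slapd.pem
TLS_REQCERT demand
EOF

audit_ldap_conf "$tmpdir/ldap.conf.before" || echo "fix ldap.conf before retrying"
audit_ldap_conf "$tmpdir/ldap.conf.after" && echo "ldap.conf TLS bits present"

# With the fixed ldap.conf, exercise both ways of getting TLS:
#   ldapsearch -x -ZZ -H ldap://localhost/ -b dc=myldap,dc=edu   # StartTLS on 389
#   ldapsearch -x -H ldaps://localhost/ -b dc=myldap,dc=edu      # TLS on 636
#   openssl s_client -connect localhost:636 -showcerts
# Port 389 speaks plain LDAP first; the "ber_get_next: tag 0x16" in the slapd
# log is a raw TLS record reaching the BER decoder, so s_client to 389 fails.
```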