
RE: Diagnosing client problem using SSL/TLS



On 24 Oct 2002 at 1:04, Howard Chu wrote:

> Rerun the search with "-d7" and look at the TLS trace messages.

I've done that, and sent it to the list as an attachment.

I'm not sure what I'm looking at, though.  From what I can tell, the 
SSL connection is set up as expected.  The key verification still 
takes place, despite the TLS_REQCERT setting.

I did a comparison with a successful ldapsearch using OpenLDAP 
2.0.23.

Certificate verification aside, everything else seems to be the same 
up until immediately after ldap_chkResponseList returns NULL.

With 2.0.23, the next line is do_ldap_select:

do_ldap_select
read1msg: msgid 1, all 1
ber_get_next
tls_read: want=5, got=5

With 2.1.8, the next line is ldap_int_select:

ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
tls_read: want=5, got=0

Is something broken in ldap_int_select, or is do_ldap_select meant to 
be called?  What else should I be looking at?

> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Nels Lindquist
> 
> > I've been trying to upgrade my OpenLDAP installation in order to 
> > resolve some problems I've been having with SASL authentication.
> > 
> > My current difficulties seem to stem from the OpenLDAP libraries, 
> > though, so I'm posting to this list rather than Cyrus-SASL.
> > 
> > I upgraded to OpenLDAP v2.1.5 from v2.0.23, and then to v2.1.8.
> > 
> > Without making any changes to configuration files, I got the 
> > following error (with ldapsearch):
> > 
> > > ldap_bind: Can't contact LDAP server (81) additional info:
> > > error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> > > verify failed 
> > 
> > Checking the man page revealed new options for dealing with 
> > certificate verification.
> > 
> > I added the line: "TLS_REQCERT    allow" to 
> > /usr/local/etc/openldap/ldap.conf, and now I receive the following 
> > error:
> > 
> > > ldap_bind: Can't contact LDAP server (81)
> > 
> > The server (Netware 6 eDirectory) is working fine; I can connect 
> > using insecure LDAP from anywhere, and using secure LDAP from a 
> > different machine which still has 2.0.23 installed.
> > 
> > How should I go about diagnosing this?

----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.
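The "TLS_REQCERT allow" workaround in the quoted post makes the client proceed even when the server certificate fails verification, so it hides the certificate problem rather than fixing it. The following audit is an added example, not code from the thread or from OpenLDAP: it parses an ldap.conf and flags a TLS_REQCERT level below demand or a missing TLS_CACERT/TLS_CACERTDIR. The two sample configurations and the CA file path are constructed for illustration.

```python
"""Audit an OpenLDAP client ldap.conf for TLS settings that weaken
server-certificate verification (added example, not from the thread)."""

# Strength order of the TLS_REQCERT keyword as documented in ldap.conf(5):
# never/allow/try accept a missing or bad certificate, demand/hard do not.
REQCERT_LEVELS = {"never": 0, "allow": 1, "try": 2, "demand": 3, "hard": 3}

# Constructed sample: the workaround from the quoted post.
WEAK_CONF = "TLS_REQCERT    allow\n"

# Constructed sample: verify the server against a trusted CA instead
# (the CA path is a placeholder, not from the thread).
HARDENED_CONF = """# client TLS settings
TLS_CACERT  /usr/local/etc/openldap/cacert.pem
TLS_REQCERT demand
"""


def parse_ldap_conf(text):
    """Return {KEYWORD: value}; ldap.conf keywords are case-insensitive
    and lines starting with '#' are comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].upper()] = parts[1].strip()
    return settings


def audit_tls(text):
    """Return a list of finding codes; an empty list means nothing flagged."""
    settings = parse_ldap_conf(text)
    findings = []
    # ldap.conf(5) documents 'demand' as the default when the keyword is absent.
    reqcert = settings.get("TLS_REQCERT", "demand").lower()
    level = REQCERT_LEVELS.get(reqcert)
    if level is None:
        findings.append("unknown-reqcert")
    elif level < REQCERT_LEVELS["demand"]:
        findings.append("weak-reqcert")  # bad/missing server cert is tolerated
    if "TLS_CACERT" not in settings and "TLS_CACERTDIR" not in settings:
        findings.append("no-ca")  # nothing to verify the server chain against
    return findings


if __name__ == "__main__":
    print("weak:", audit_tls(WEAK_CONF))          # ['weak-reqcert', 'no-ca']
    print("hardened:", audit_tls(HARDENED_CONF))  # []
```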