
Re: how to get TLS working



I'll check out that document. In the meantime, here's
the info on what I'm doing:

I have my own LDAP client tool, which I wrote using
the OpenLDAP library and based off of ldapsearch. I've
been using the tool for a long time, particularly with
SASL/GSSAPI support, but recently needed to get TLS
working too.

I have an LDAP server which my IT admin claims
supports TLS. In the ldap.conf file of the server, I
see these lines: 

  BASE    dc=mega, dc=com
  URI     ldap://doc.mega.com ldaps://doc.mega.com:636/
  TLS_REQCERT allow
  TLS_CACERT /etc/ssl/openldap/newcert.pem

  ssl start_tls

When I use my client to ldap_init to the server on
port 636, the server closes the TCP connection
immediately. When I try on port 389 and call
ldap_start_tls_s() (after calling ldap_init), I see on
the network that my client sends some type of LDAP
extended request to the server. The server then
responds with several packets of data. That's when I
get the error I mentioned in my last posting.

I also tried copying the newcert.pem file from my LDAP
server onto my client, and pointing my client to it by
performing an
ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, "/etc/ssl/openldap/newcert.pem");
but that didn't change anything.

I'm new to SSL and TLS. I'll try to read up on it now,
but if anyone has any ideas, I'd appreciate the help.
I'm trying to get this to work on a deadline.

Thanks!
Dave

--- Kent Soper <dksoper@us.ibm.com> wrote:
> 
> Dave,
> 
> I don't have all of your facts, so you could have run
> into one of many problems.  What are your slapd.conf
> and ldap.conf (or ldaprc) entries?  Are you connected
> to an SSL LDAP port (ldaps://) and trying to call
> ldap_start_tls_s()?  I believe that results in a
> "broken pipe" error so you probably don't have that
> problem.
> 
> You can look at
> http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
> and double check your configuration steps.
> 
> Cheers,
> Kent
> 
> "You don't stop playing because you grow old ...
>        you grow old because you stop playing."
> 
> Linux Technology Center, Linux Security
> tie line:     678-9216
> external:  1-512-838-9216
> e-mail:  dksoper@us.ibm.com
> 
> 
> Dave Snoopy <kingsnoopy7@yahoo.com>
> Sent by: owner-openldap-software@OpenLDAP.org
> To: openldap <openldap-software@OpenLDAP.org>
> Subject: how to get TLS working
> 06/19/2003 12:52 PM
> 
> According to my IT manager, our OpenLDAP server
> supports TLS. I'm trying to get my LDAP client to work
> with it. I call the function ldap_start_tls_s, and it
> fails with error LDAP_CONNECT_ERROR (0x5b).
> 
> I traced the problem down to tls_info_cb in tls.c. It
> gets a callback from SSL_connect in the SSL_CB_EXIT
> state, with a "ret" of -1. The SSL error at that point
> is:
> 
>   TLS trace: SSL_connect:error in SSLv3 read server certificate B
>   TLS trace: SSL_connect:error in SSLv3 read server certificate B
> 
> Any idea what this means? Am I missing some type of
> setup, or intermediary step?
> 
> Thanks,
> Dave
> 

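What the client puts on the wire on port 389 before any handshake (the LDAP extended request seen in the trace above), and the server-certificate check that a TLS_REQCERT of "allow" lets a client skip, as an added example that is not from this thread and does not use libldap: a hand-rolled StartTLS exchange over Python's standard socket and ssl modules. The BER helpers, the sample response bytes and the host/CA path given to starttls_connect are constructed assumptions, not anything from the original posts.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation


def ber_encode(tag: int, body: bytes) -> bytes:
    """Minimal BER element: tag, definite length (short or long form), body."""
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def ber_decode(buf: bytes, off: int = 0):
    """Decode one BER element at buf[off]; returns (tag, body, offset_after)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                                   # long form: ln & 0x7F length bytes follow
        ln, off = int.from_bytes(buf[off:off + (ln & 0x7F)], "big"), off + (ln & 0x7F)
    return tag, buf[off:off + ln], off + ln


def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = ber_encode(0x77, ber_encode(0x80, STARTTLS_OID))  # 0x77 = constructed APPLICATION 23
    return ber_encode(0x30, ber_encode(0x02, bytes([msg_id])) + ext_req)


def parse_result_code(msg: bytes) -> int:
    """Pull resultCode out of an ExtendedResponse [APPLICATION 24]; 0 means success."""
    _, body, _ = ber_decode(msg)                    # outer LDAPMessage SEQUENCE
    _, _, off = ber_decode(body)                    # skip messageID
    tag, op, _ = ber_decode(body, off)
    if tag != 0x78:                                 # 0x78 = constructed APPLICATION 24
        raise ValueError("not an ExtendedResponse")
    tag, code, _ = ber_decode(op)                   # LDAPResult starts with ENUMERATED resultCode
    if tag != 0x0A:
        raise ValueError("resultCode missing")
    return int.from_bytes(code, "big")


# Constructed sample of a successful reply: resultCode 0, empty matchedDN/diagnosticMessage, responseName [10].
SAMPLE_OK_RESPONSE = ber_encode(0x30, ber_encode(0x02, b"\x01") + ber_encode(0x78,
    ber_encode(0x0A, b"\x00") + ber_encode(0x04, b"") + ber_encode(0x04, b"") + ber_encode(0x8A, STARTTLS_OID)))


def starttls_connect(host: str, cafile: str, port: int = 389) -> ssl.SSLSocket:
    """Plain LDAP on 389, StartTLS, then a handshake that demands a cert chained to cafile."""
    sock = socket.create_connection((host, port))
    sock.sendall(starttls_request())
    code = parse_result_code(sock.recv(4096))
    if code != 0:
        sock.close()
        raise RuntimeError(f"server refused StartTLS, resultCode {code}")
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check; 'allow' would drop both
    return ctx.wrap_socket(sock, server_hostname=host)
```

Connecting with starttls_connect to port 636 would fail at parse_result_code, since an ldaps:// port expects a TLS ClientHello first and closes on a cleartext LDAP message.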
