
Re: OPENLDAP+TLS/SSL+PAM

Hi Philippe,

> I have an error when I try to connect to my LDAP server:
>
> conn=2 fd=13 ACCEPT from IP=192.168.1.53:1690 (IP=0.0.0.0:636)
> TLS: can't accept.
> TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> s23_srvr.c:634
> conn=2 fd=13 closed
>
> Any ideas? I use openldap 2.1.17, pam_ldap 1.64, openssl 0.9.7b, Debian
> woody 3.0.

Was openldap compiled with the '--with-tls' option?

> Here's my slapd.conf:
>
> TLSCertificateFile /opt/certificate/certificat_serveur/server.crt
> TLSCertificateKeyFile /opt/certificate/clef_serveur/server.key
> TLSCACertificateFile /opt/certificate/certificat_signe_autorite/ca.crt
> TLSVerifyClient 0

This is probably not your problem according to your error message, but I'm
not sure what a '0' value for the TLSVerifyClient directive does.  Try
using never|allow|try|demand.  Default is 'never' so you might be
defaulting to it.

> Here's my ldap.conf:
>
> quid:/opt/openssl/ssl# more /etc/ldap.conf

There's been a recent discussion about this ... unless you have
specifically told slapd to use this file as the ldap configuration file, it
is not the file slapd is using for client information.  Look at the
ldap.conf file in the same directory as slapd.conf.  My prefix is /usr, so
my ldap.conf is found at /usr/etc/openldap.

I suspect your slapd was not built with the TLS option however.

Cheers,
Kent Soper

"You don't stop playing because you grow old ...
       you grow old because you stop playing."

Linux Technology Center, Linux Security
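
[Editor's note, added to this archived thread and not part of either poster's
message.] The server-side line quoted above, "SSL23_GET_CLIENT_HELLO:unknown
protocol", is OpenSSL reporting that the first bytes it read on the ldaps
listener (port 636) did not look like any SSLv2/SSLv3/TLS client hello. A
quick way to see what a client actually sends first is to classify the
leading bytes of the connection. The Python below is an added example, not
code from OpenLDAP, OpenSSL or the posters; the byte strings in it are
constructed by hand to illustrate the cases (a TLS ClientHello, an
SSLv2-compatible hello, a plaintext LDAP simple bind, and a plaintext LDAP
StartTLS extended request), not captured traffic.

```python
"""Classify the first bytes a client sends to a TLS-only listener.

Added example for this thread; not code from OpenLDAP or the posters.
All sample inputs below are constructed by hand, not captured.
"""

# RFC 4511 StartTLS extended operation OID (the only real identifier used).
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def _ber_tlv(buf, pos):
    """Parse one BER TLV at buf[pos]; return (tag, value, next_pos).

    Only the definite-length forms LDAP PDUs use are handled."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def classify_first_bytes(data):
    """Return a label for what the client's opening bytes look like."""
    if len(data) < 3:
        return "too-short"
    # TLS record layer: ContentType handshake (0x16), version 3.x, and the
    # first byte of the fragment is HandshakeType client_hello (0x01).
    if data[0] == 0x16 and data[1] == 0x03 and len(data) >= 6 and data[5] == 0x01:
        return "tls-client-hello"
    # SSLv2-compatible hello: high bit of byte 0 set (2-byte record length),
    # byte 2 is MSG-CLIENT-HELLO (0x01).
    if data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-client-hello"
    # Plaintext LDAP: a BER SEQUENCE (0x30) wrapping messageID + protocolOp.
    if data[0] == 0x30:
        try:
            _, msg, _ = _ber_tlv(data, 0)
            _, _, pos = _ber_tlv(msg, 0)          # messageID, skipped
            op_tag, op_val, _ = _ber_tlv(msg, pos)
        except IndexError:
            return "ldap-plaintext"
        if op_tag == 0x77 and STARTTLS_OID in op_val:   # [APPLICATION 23] ExtendedRequest
            return "ldap-starttls-request"
        if op_tag == 0x60:                                # [APPLICATION 0] BindRequest
            return "ldap-bind-request"
        return "ldap-plaintext"
    return "unknown"


# What each label means when seen on an ldaps (TLS-only) port.
MEANING = {
    "tls-client-hello": "TLS handshake; OpenSSL would not report 'unknown protocol'",
    "sslv2-client-hello": "SSLv2-style hello; accepted by SSL23 method, not this error",
    "ldap-bind-request": "plaintext LDAP bind: client used ldap:// against port 636",
    "ldap-starttls-request": "StartTLS sent to the ldaps port; use ldaps:// or port 389",
    "ldap-plaintext": "some other plaintext LDAP PDU on the TLS port",
    "unknown": "not TLS and not LDAP; wrong service or port",
    "too-short": "not enough data to classify",
}

# Constructed samples (leading bytes only, not full captured messages).
TLS_HELLO = b"\x16\x03\x01\x00\x2d\x01\x00\x00\x29\x03\x03"
SSLV2_HELLO = b"\x80\x2e\x01\x03\x01\x00\x15\x00\x00"
# SEQUENCE { messageID 1, BindRequest { version 3, name "", simple "" } }
LDAP_BIND = b"\x30\x0c\x02\x01\x01\x60\x07\x02\x01\x03\x04\x00\x80\x00"
# SEQUENCE { messageID 1, ExtendedRequest { requestName StartTLS OID } }
LDAP_STARTTLS = b"\x30\x1d\x02\x01\x01\x77\x18\x80\x16" + STARTTLS_OID


def explain(data):
    """Return (label, meaning) for the opening bytes of a connection."""
    label = classify_first_bytes(data)
    return label, MEANING[label]


if __name__ == "__main__":
    for name, sample in [("TLS", TLS_HELLO), ("SSLv2", SSLV2_HELLO),
                         ("bind", LDAP_BIND), ("starttls", LDAP_STARTTLS)]:
        print(name, "->", explain(sample))
```

On a live system the same check is a matter of reading the first bytes of the
connection with a packet capture on port 636 and feeding them to
classify_first_bytes; a plaintext BindRequest or StartTLS request arriving on
the ldaps port is what produces the quoted OpenSSL error.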