Re: Problem connecting using TLS
Robert Fitzpatrick wrote:
[...]
[root /root]# netstat -na
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.16:636        0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:389           0.0.0.0:*               LISTEN
[...]
[robert@columbus robert]$ ldapsearch -x -Z -b "dc=hermes,dc=webtent,dc=org" -D "cn=Manager,dc=hermes,dc=webtent,dc=org" -W "(ObjectClass=*)" -h "hermes.webtent.org"
ldap_start_tls: Can't contact LDAP server
Enter LDAP Password:
ldap_bind: Can't contact LDAP server
Any ideas why I can't get connected?
1: Does it work if you try to connect on port 389 using TLS (that's what
the -Z you're using is for) with a client on the server itself?
2: Do you have the uri or host/port details in ldaprc? Because you aren't
giving them on the command line (-H 'ldap://hermes.webtent.org/ ldaps://hermes.webtent.org/')
3: I don't see any subject or issuer in your s_client connect:
Certificate chain
 0 s:/C=NL/ST=Zuidholland/O=Billy/OU=Billy/CN=localhost/emailAddress=hostmaster@billy.demon.nl
   i:/C=NL/ST=Zuidholland/L=Nieuwveen/O=Billy/OU=Billy/CN=localhost/emailAddress=hostmaster@billy.demon.nl
 1 s:/C=NL/ST=Zuidholland/L=Nieuwveen/O=Billy/OU=Billy/CN=localhost/emailAddress=hostmaster@billy.demon.nl
   i:/C=NL/ST=Zuidholland/L=Nieuwveen/O=Billy/OU=Billy/CN=localhost/emailAddress=hostmaster@billy.demon.nl
etc.
4: When you make the certs, be sure that the CN of the subject (s:)
really is the FQDN of the machine in question (check on linux with
'hostname -f')
And those are just for starters ;)
5: You shouldn't need any client cert, provided you haven't told the
server to insist on one.
--Tonni
Who's had it all himself, in the beginning.
--
Tony Earnshaw
Once the camel's head has entered your tent,
it's very difficult to stop the rest of the
animal from following it
http://www.billy.demon.nl
Mail: tonye-at-billy.demon.nl
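The two causes Tony points at (slapd listening on 389 only on 127.0.0.1, so a remote `-Z` StartTLS connection to hermes.webtent.org:389 cannot even reach the server, and a certificate whose subject CN is not the machine's FQDN) can both be checked from output you already have before touching the config. The script below is an added example written for this page, not code from either poster or from OpenLDAP; it parses `netstat -na` and `openssl s_client -showcerts` chain text. The sample inputs are constructed from the values quoted in the thread, and the function names are this example's own.

```python
"""Offline checks for the two LDAP-over-TLS failure causes discussed in the
thread: slapd bound only to loopback on the port the client uses, and a
server certificate whose subject CN is not the host's FQDN.

Inputs are the text of `netstat -na` and of an `openssl s_client -showcerts`
certificate chain.  The samples below are constructed from the values quoted
on the page; they are not live output."""
import re

# Constructed from the netstat output quoted in the thread.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.16:636        0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:389           0.0.0.0:*               LISTEN
"""

# Constructed from the s_client chain quoted in the reply (a CN of 'localhost').
CHAIN_SAMPLE = """\
Certificate chain
 0 s:/C=NL/ST=Zuidholland/O=Billy/OU=Billy/CN=localhost/emailAddress=hostmaster@billy.demon.nl
   i:/C=NL/ST=Zuidholland/L=Nieuwveen/O=Billy/OU=Billy/CN=localhost/emailAddress=hostmaster@billy.demon.nl
"""

LOOPBACK_PREFIXES = ("127.", "::1")


def parse_listeners(netstat_text):
    """Return {port: set(local addresses)} for every TCP socket in LISTEN state."""
    listeners = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        listeners.setdefault(int(port), set()).add(addr)
    return listeners


def reachable_remotely(listeners, port):
    """True if `port` is bound to at least one non-loopback (or wildcard) address."""
    return any(not a.startswith(LOOPBACK_PREFIXES) for a in listeners.get(port, ()))


def parse_chain(s_client_text):
    """Parse ' N s:/...' and '   i:/...' lines into a list of
    {'subject': {attr: value}, 'issuer': {attr: value}} dicts, leaf first."""
    chain, current = [], None
    for line in s_client_text.splitlines():
        m = re.match(r"\s*(?:\d+\s+)?([si]):/(.*)$", line)
        if not m:
            continue
        kind, dn = m.groups()
        if kind == "s":
            current = {"subject": {}, "issuer": {}}
            chain.append(current)
        if current is None:
            continue
        key = "subject" if kind == "s" else "issuer"
        current[key] = dict(part.split("=", 1) for part in dn.split("/") if "=" in part)
    return chain


def cn_matches_fqdn(cert, fqdn):
    """Compare the certificate's subject CN with the name the client dials."""
    return cert["subject"].get("CN", "").lower() == fqdn.lower()


def diagnose(netstat_text, chain_text, fqdn, port):
    """Return the problems a remote client connecting to fqdn:port would hit."""
    problems = []
    listeners = parse_listeners(netstat_text)
    if port not in listeners:
        problems.append("nothing listening on port %d" % port)
    elif not reachable_remotely(listeners, port):
        problems.append("port %d is bound only to loopback; remote clients get "
                        "'Can't contact LDAP server'" % port)
    chain = parse_chain(chain_text)
    if chain and not cn_matches_fqdn(chain[0], fqdn):
        problems.append("server certificate CN %r is not the FQDN %r"
                        % (chain[0]["subject"].get("CN"), fqdn))
    return problems


if __name__ == "__main__":
    # Same host and port Robert's ldapsearch -Z call uses.
    for p in diagnose(NETSTAT_SAMPLE, CHAIN_SAMPLE, "hermes.webtent.org", 389):
        print("-", p)
```

Run against the quoted output it reports both findings: 389 is loopback-only (so `-Z` from another machine fails before any TLS handshake happens), and the leaf CN is `localhost` rather than the FQDN, which a client verifying the server certificate will reject even once the port is reachable. The same check passes for port 636 with an FQDN of `localhost`, which is why a test from the server itself can succeed while remote clients fail.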