
Re: SASL External Mechanism



Thank you very much for your help, Tony. I feel quite sheepish. In all my rereading, I missed, "This is a user-only directive and can only be specified in a user's .ldaprc file." After moving "TLS_CERT" and "TLS_KEY" from "ldap.conf" to ".ldaprc", this error disappeared. Unfortunately, the server is still unable to verify the client.

As before, "slapd.conf" contains:

TLSCACertificateFile    /etc/ldap/cacert.pem
TLSVerifyClient demand

".ldaprc" contains:

TLS_CERT        /etc/ldap/cert.pem
TLS_KEY /etc/ldap/key.pem

ldapsearch -d 7 -x -H "ldaps://wum.lat" -s base -b "" supportedSASLMechanisms produces:

ldap_create
ldap_url_parse_ext(ldaps://wum.lat)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP wum.lat:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.179.73:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=wum.lat
tls_write: want=81, written=81
0000: 16 03 01 00 4c 01 00 00 48 03 01 3f f4 d2 ed da ....L...H..?....
0010: 08 7c 1c 08 d4 e7 a9 89 70 78 66 24 94 4a f6 63 .|......pxf$.J.c
0020: 09 c2 5f 44 e0 7c ea 34 a0 8f 16 00 00 18 00 33 .._D.|.4.......3
0030: 00 16 00 39 00 2f 00 0a 00 35 00 05 00 04 00 32 ...9./...5.....2
0040: 00 13 00 38 00 66 02 01 00 00 06 00 00 00 02 00 ...8.f..........
0050: 00 .
tls_read: want=5, got=5
0000: 16 03 01 00 4a ....J
tls_read: want=74, got=74
0000: 02 00 00 46 03 01 3f f4 d2 ed 66 4e f6 fe 21 05 ...F..?...fN..!.
0010: b4 a7 6c 86 09 11 5c 22 2f f7 58 9f 39 16 ed 21 ..l...\"/.X.9..!
0020: 34 83 90 fa 91 e0 20 9e 84 5a 29 4b 5f f4 54 c6 4..... ..Z)K_.T.
0030: 92 af 33 14 a8 d8 63 ab bb ff 4a ea f3 8a eb c0 ..3...c...J.....
0040: f1 84 36 ed 54 90 7b 00 33 01 ..6.T.{.3.
tls_read: want=5, got=5
0000: 16 03 01 02 46 ....F
tls_read: want=582, got=582
[...]
tls_read: want=5, got=5
0000: 16 03 01 01 8d .....
tls_read: want=397, got=397
[...]
tls_read: want=5, got=5
0000: 16 03 01 00 04 .....
tls_read: want=4, got=4
0000: 0e 00 00 00 ....
tls_write: want=139, written=139
0000: 16 03 01 00 86 10 00 00 82 00 80 a6 63 a8 c0 c9 ............c...
0010: 9a b7 f2 d3 fe ea f9 bc 9d 8f 9b 0d c2 de 30 a4 ..............0.
0020: b0 d2 95 b6 17 32 19 5f ec fc 86 83 d7 a2 a9 e3 .....2._........
0030: 2b 77 34 38 6e 6d 8f 2a 6b e4 61 7a af a7 a1 7e +w48nm.*k.az...~
0040: a1 c3 b2 dc 81 d0 b7 11 db 31 18 d9 02 b2 0d 19 .........1......
0050: 6f 15 f4 a3 40 0e 38 94 44 d3 64 76 f2 d0 7f 37 o...@.8.D.dv...7
0060: 5e 4b 15 3f 1b 76 d0 fb de c3 80 f4 e1 a2 72 ff ^K.?.v........r.
0070: bc 6b a7 89 78 5c bd 64 c5 fd 16 e9 14 70 1b 4b .k..x\.d.....p.K
0080: 7f 2e 1b 82 a1 a4 fd 54 cf ae f2 .......T...
tls_write: want=6, written=6
0000: 14 03 01 00 01 01 ......
tls_write: want=277, written=277
[...]
tls_read: want=5, got=5
0000: 14 03 01 00 01 .....
tls_read: want=1, got=1
0000: 01 .
tls_read: want=5, got=5
0000: 16 03 01 00 b0 .....
tls_read: want=176, got=176
0000: 3b 42 7a 43 b9 2b b1 3f 8c 1e b3 12 63 fb e8 85 ;BzC.+.?....c...
0010: c2 25 3b 33 52 5a 95 fa 7b bb 7c a2 f9 26 e4 27 .%;3RZ..{.|..&.'
0020: 92 82 30 ac bc af 59 a1 65 f8 f5 2e 95 af d9 34 ..0...Y.e......4
0030: cc 6c 79 a9 fb 87 d8 f7 6a b8 6c 36 cf 36 d1 0d .ly.....j.l6.6..
0040: 45 4e 20 aa 37 43 40 ad 65 1e 39 33 f7 68 f3 83 EN .7C@.e.93.h..
0050: a1 8b c8 7b fc b0 a7 80 e2 0b 95 28 a4 ab 38 a9 ...{.......(..8.
0060: 9b 06 d0 62 b7 1c 72 88 f4 43 53 ea b1 1a 94 fb ...b..r..CS.....
0070: d8 04 93 f2 a8 a7 20 44 26 f9 d1 74 15 e3 21 2b ...... D&..t..!+
0080: d4 20 07 51 41 bd 72 c1 43 71 1f 54 0f a5 4f 42 . .QA.r.Cq.T..OB
0090: 14 37 d5 f6 97 6c 7a 83 01 00 5b 20 1b cc 38 ae .7...lz...[ ..8.
00a0: c7 89 cb e3 a5 2e 31 1c 12 61 97 4f 34 a4 7a 8d ......1..a.O4.z.
TLS certificate verification: depth: 0, err: 0, subject: C=, ST=, L=, O=dar, OU=, CN=wum.lat/Email=, issuer: C=, ST=, L=, O=dar, OU=, CN=/Email=
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 14 bytes to sd 3
0000: 30 0c 02 01 01 60 07 02 01 03 04 00 80 00 0....`........
tls_write: want=149, written=149
0000: 17 03 01 00 90 76 eb 42 01 6f 73 14 48 d1 78 38 .....v.B.os.H.x8
0010: 1e 9c 46 01 da 80 4a ce 88 fe a8 82 61 d1 ea b4 ..F...J.....a...
0020: 6f b3 e4 63 22 5e 05 e5 85 f1 fe 05 b5 99 58 b6 o..c"^........X.
0030: 79 0d 1f 0c 1b f7 61 95 6f ec d0 10 24 47 47 a5 y.....a.o...$GG.
0040: 23 9e e0 a9 64 2f af d5 aa c7 d8 c1 92 0d 42 36 #...d/........B6
0050: 92 79 10 fb 97 90 e8 35 cb e2 12 a4 9f b2 a1 79 .y.....5.......y
0060: da de 60 93 28 39 68 36 02 e2 73 ac a0 f0 37 30 ..`.(9h6..s...70
0070: 40 ea a9 15 38 a2 09 90 3b f7 4d d8 62 e9 01 6a @...8...;.M.b..j
0080: db 15 9e 1a e6 64 ee 81 29 fa b8 c7 aa de 39 04 .....d..).....9.
0090: 56 b4 70 ed 82 V.p..
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 60 07 02 01 03 04 00 80 00 0....`........
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: wum.lat port: 636 (default)
refcnt: 2 status: Connected
last used: Thu Jan 1 18:09:51 2004


** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
tls_read: want=5, got=0

ldap_read: want=8 error=Success
ldap_perror
ldap_bind: Can't contact LDAP server (81)

slapd -d 7 -h "ldap:// ldaps:///" produces:

@(#) $OpenLDAP: slapd 2.1.23 (Oct 18 2003 20:04:15) $
@euklid:/home/roland/debian/openldap/build/2.1.23-1/openldap2-2.1.23/ debian/build/servers/slapd
daemon_init: ldap:// ldaps:///
daemon_init: listen on ldap://
daemon_init: listen on ldaps:///
daemon_init: 2 listeners to open...
ldap_url_parse_ext(ldap://)
slap_open_listener: socket() failed for AF_INET6 errno=97 (Address family not supported by protocol)
daemon: initialized ldap://
ldap_url_parse_ext(ldaps:///)
slap_open_listener: socket() failed for AF_INET6 errno=97 (Address family not supported by protocol)
daemon: initialized ldaps:///
daemon_init: 4 listeners opened
ldap_pvt_gethostbyname_a: host=wum, r=0
slapd init: initiated server.
slap_sasl_init: initialized!
>>> dnNormalize: <cn=Subschema>
=> ldap_bv2dn(cn=Subschema,0)
<= ldap_bv2dn(cn=Subschema,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=subschema,272)=0
<<< dnNormalize: <cn=subschema>
bdb_initialize: initialize BDB backend
bdb_initialize: Sleepycat Software: Berkeley DB 4.1.25: (December 19, 2002)
bdb_db_init: Initializing BDB database
>>> dnPrettyNormal: <dc=lat>
=> ldap_bv2dn(dc=lat,0)
<= ldap_bv2dn(dc=lat,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=lat,272)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=lat,272)=0
<<< dnPrettyNormal: <dc=lat>, <dc=lat>
>>> dnNormalize: <>
<<< dnNormalize: <>
ldap_url_parse_ext(ldap://sil-fis.lat)
matching_rule_use_init
1.2.840.113556.1.4.804 (integerBitOrMatch): matchingRuleUse: ( 1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' APPLIES ( oncRpcNumber $ ipProtocolNumber $ ipServicePort $ shadowFlag $ shadowExpire $ shadowInactive $ shadowWarning $ shadowMax $ shadowMin $ shadowLastChange $ gidNumber $ uidNumber $ mailPreferenceOption $ supportedLDAPVersion ) )
1.2.840.113556.1.4.803 (integerBitAndMatch): matchingRuleUse: ( 1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' APPLIES ( oncRpcNumber $ ipProtocolNumber $ ipServicePort $ shadowFlag $ shadowExpire $ shadowInactive $ shadowWarning $ shadowMax $ shadowMin $ shadowLastChange $ gidNumber $ uidNumber $ mailPreferenceOption $ supportedLDAPVersion ) )
1.3.6.1.4.1.1466.109.114.2 (caseIgnoreIA5Match): matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' APPLIES ( nisMapEntry $ bootFile $ macAddress $ ipNetmaskNumber $ ipNetworkNumber $ ipHostNumber $ memberNisNetgroup $ memberUid $ loginShell $ homeDirectory $ gecos $ janetMailbox $ cNAMERecord $ sOARecord $ nSRecord $ mXRecord $ mDRecord $ aRecord $ email $ associatedDomain $ dc $ mail $ altServer ) )
1.3.6.1.4.1.1466.109.114.1 (caseExactIA5Match): matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' APPLIES ( nisMapEntry $ bootFile $ macAddress $ ipNetmaskNumber $ ipNetworkNumber $ ipHostNumber $ memberNisNetgroup $ memberUid $ loginShell $ homeDirectory $ gecos $ janetMailbox $ cNAMERecord $ sOARecord $ nSRecord $ mXRecord $ mDRecord $ aRecord $ email $ associatedDomain $ dc $ mail $ altServer ) )
2.5.13.34 (certificateExactMatch): matchingRuleUse: ( 2.5.13.34 NAME 'certificateExactMatch' APPLIES ( cACertificate $ userCertificate ) )
2.5.13.30 (objectIdentifierFirstComponentMatch): matchingRuleUse: ( 2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' APPLIES ( supportedApplicationContext $ ldapSyntaxes $ matchingRuleUse $ objectClasses $ attributeTypes $ matchingRules $ supportedFeatures $ supportedExtension $ supportedControl $ structuralObjectClass $ objectClass ) )
2.5.13.29 (integerFirstComponentMatch): matchingRuleUse: ( 2.5.13.29 NAME 'integerFirstComponentMatch' APPLIES ( oncRpcNumber $ ipProtocolNumber $ ipServicePort $ shadowFlag $ shadowExpire $ shadowInactive $ shadowWarning $ shadowMax $ shadowMin $ shadowLastChange $ gidNumber $ uidNumber $ mailPreferenceOption $ supportedLDAPVersion ) )
2.5.13.27 (generalizedTimeMatch): matchingRuleUse: ( 2.5.13.27 NAME 'generalizedTimeMatch' APPLIES ( modifyTimestamp $ createTimestamp ) )
2.5.13.24 (protocolInformationMatch): matchingRuleUse: ( 2.5.13.24 NAME 'protocolInformationMatch' APPLIES protocolInformation )
2.5.13.23 (uniqueMemberMatch): matchingRuleUse: ( 2.5.13.23 NAME 'uniqueMemberMatch' APPLIES uniqueMember )
2.5.13.22 (presentationAddressMatch): matchingRuleUse: ( 2.5.13.22 NAME 'presentationAddressMatch' APPLIES presentationAddress )
2.5.13.20 (telephoneNumberMatch): matchingRuleUse: ( 2.5.13.20 NAME 'telephoneNumberMatch' APPLIES ( pager $ mobile $ homePhone $ telephoneNumber ) )
2.5.13.17 (octetStringMatch): matchingRuleUse: ( 2.5.13.17 NAME 'octetStringMatch' APPLIES userPassword )
2.5.13.16 (bitStringMatch): matchingRuleUse: ( 2.5.13.16 NAME 'bitStringMatch' APPLIES x500UniqueIdentifier )
2.5.13.14 (integerMatch): matchingRuleUse: ( 2.5.13.14 NAME 'integerMatch' APPLIES ( oncRpcNumber $ ipProtocolNumber $ ipServicePort $ shadowFlag $ shadowExpire $ shadowInactive $ shadowWarning $ shadowMax $ shadowMin $ shadowLastChange $ gidNumber $ uidNumber $ mailPreferenceOption $ supportedLDAPVersion ) )
2.5.13.13 (booleanMatch): matchingRuleUse: ( 2.5.13.13 NAME 'booleanMatch' APPLIES hasSubordinates )
2.5.13.11 (caseIgnoreListMatch): matchingRuleUse: ( 2.5.13.11 NAME 'caseIgnoreListMatch' APPLIES ( homePostalAddress $ registeredAddress $ postalAddress ) )
2.5.13.8 (numericStringMatch): matchingRuleUse: ( 2.5.13.8 NAME 'numericStringMatch' APPLIES ( internationaliSDNNumber $ x121Address ) )
2.5.13.7 (caseExactSubstringsMatch): matchingRuleUse: ( 2.5.13.7 NAME 'caseExactSubstringsMatch' APPLIES ( dnQualifier $ destinationIndicator $ serialNumber ) )
2.5.13.6 (caseExactOrderingMatch): matchingRuleUse: ( 2.5.13.6 NAME 'caseExactOrderingMatch' APPLIES ( dnQualifier $ destinationIndicator $ serialNumber ) )
2.5.13.5 (caseExactMatch): matchingRuleUse: ( 2.5.13.5 NAME 'caseExactMatch' APPLIES ( preferredLanguage $ employeeType $ employeeNumber $ displayName $ departmentNumber $ carLicense $ nisMapName $ ipServiceProtocol $ documentPublisher $ buildingName $ organizationalStatus $ uniqueIdentifier $ co $ personalTitle $ documentLocation $ documentVersion $ documentTitle $ documentIdentifier $ host $ userClass $ roomNumber $ drink $ info $ textEncodedORAddress $ uid $ labeledURI $ dmdName $ houseIdentifier $ dnQualifier $ generationQualifier $ initials $ givenName $ destinationIndicator $ physicalDeliveryOfficeName $ postOfficeBox $ postalCode $ businessCategory $ description $ title $ ou $ o $ street $ st $ l $ c $ serialNumber $ sn $ knowledgeInformation $ cn $ name $ ref $ vendorVersion $ vendorName $ supportedSASLMechanisms ) )
2.5.13.3 (caseIgnoreOrderingMatch): matchingRuleUse: ( 2.5.13.3 NAME 'caseIgnoreOrderingMatch' APPLIES ( dnQualifier $ destinationIndicator $ serialNumber ) )
2.5.13.2 (caseIgnoreMatch): matchingRuleUse: ( 2.5.13.2 NAME 'caseIgnoreMatch' APPLIES ( preferredLanguage $ employeeType $ employeeNumber $ displayName $ departmentNumber $ carLicense $ nisMapName $ ipServiceProtocol $ documentPublisher $ buildingName $ organizationalStatus $ uniqueIdentifier $ co $ personalTitle $ documentLocation $ documentVersion $ documentTitle $ documentIdentifier $ host $ userClass $ roomNumber $ drink $ info $ textEncodedORAddress $ uid $ labeledURI $ dmdName $ houseIdentifier $ dnQualifier $ generationQualifier $ initials $ givenName $ destinationIndicator $ physicalDeliveryOfficeName $ postOfficeBox $ postalCode $ businessCategory $ description $ title $ ou $ o $ street $ st $ l $ c $ serialNumber $ sn $ knowledgeInformation $ cn $ name $ ref $ vendorVersion $ vendorName $ supportedSASLMechanisms ) )
2.5.13.1 (distinguishedNameMatch): matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( dITRedirect $ associatedName $ secretary $ documentAuthor $ manager $ seeAlso $ roleOccupant $ owner $ member $ distinguishedName $ aliasedObjectName $ namingContexts $ subschemaSubentry $ modifiersName $ creatorsName ) )
2.5.13.0 (objectIdentifierMatch): matchingRuleUse: ( 2.5.13.0 NAME 'objectIdentifierMatch' APPLIES ( supportedApplicationContext $ supportedFeatures $ supportedExtension $ supportedControl $ structuralObjectClass $ objectClass ) )
slapd startup: initiated.
bdb_db_open: dc=lat
bdb_db_open: dbenv_open(/var/lib/ldap)
slapd starting
ldap_pvt_gethostbyname_a: host=wum, r=0
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ber_scanf fmt (m) ber:
connection_get(13)
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
tls_read: want=5, got=5
0000: 16 03 01 00 4c ....L
tls_read: want=76, got=76
0000: 01 00 00 48 03 01 3f f4 d2 ed da 08 7c 1c 08 d4 ...H..?.....|...
0010: e7 a9 89 70 78 66 24 94 4a f6 63 09 c2 5f 44 e0 ...pxf$.J.c.._D.
0020: 7c ea 34 a0 8f 16 00 00 18 00 33 00 16 00 39 00 |.4.......3...9.
0030: 2f 00 0a 00 35 00 05 00 04 00 32 00 13 00 38 00 /...5.....2...8.
0040: 66 02 01 00 00 06 00 00 00 02 00 00 f...........
tls_write: want=79, written=79
0000: 16 03 01 00 4a 02 00 00 46 03 01 3f f4 d2 ed 66 ....J...F..?...f
0010: 4e f6 fe 21 05 b4 a7 6c 86 09 11 5c 22 2f f7 58 N..!...l...\"/.X
0020: 9f 39 16 ed 21 34 83 90 fa 91 e0 20 9e 84 5a 29 .9..!4..... ..Z)
0030: 4b 5f f4 54 c6 92 af 33 14 a8 d8 63 ab bb ff 4a K_.T...3...c...J
0040: ea f3 8a eb c0 f1 84 36 ed 54 90 7b 00 33 01 .......6.T.{.3.
tls_write: want=587, written=587
[...]
tls_write: want=402, written=402
[...]
tls_write: want=9, written=9
0000: 16 03 01 00 04 0e 00 00 00 .........
tls_read: want=5 error=Resource temporarily unavailable
connection_get(13)
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
tls_read: want=5, got=5
0000: 16 03 01 00 86 .....
tls_read: want=134, got=134
0000: 10 00 00 82 00 80 a6 63 a8 c0 c9 9a b7 f2 d3 fe .......c........
0010: ea f9 bc 9d 8f 9b 0d c2 de 30 a4 b0 d2 95 b6 17 .........0......
0020: 32 19 5f ec fc 86 83 d7 a2 a9 e3 2b 77 34 38 6e 2._........+w48n
0030: 6d 8f 2a 6b e4 61 7a af a7 a1 7e a1 c3 b2 dc 81 m.*k.az...~.....
0040: d0 b7 11 db 31 18 d9 02 b2 0d 19 6f 15 f4 a3 40 ....1......o...@
0050: 0e 38 94 44 d3 64 76 f2 d0 7f 37 5e 4b 15 3f 1b .8.D.dv...7^K.?.
0060: 76 d0 fb de c3 80 f4 e1 a2 72 ff bc 6b a7 89 78 v........r..k..x
0070: 5c bd 64 c5 fd 16 e9 14 70 1b 4b 7f 2e 1b 82 a1 \.d.....p.K.....
0080: a4 fd 54 cf ae f2 ..T...
tls_read: want=5, got=5
0000: 14 03 01 00 01 .....
tls_read: want=1, got=1
0000: 01 .
tls_read: want=5, got=5
0000: 16 03 01 01 10 .....
tls_read: want=272, got=272
[...]
tls_write: want=6, written=6
0000: 14 03 01 00 01 01 ......
tls_write: want=181, written=181
0000: 16 03 01 00 b0 3b 42 7a 43 b9 2b b1 3f 8c 1e b3 .....;BzC.+.?...
0010: 12 63 fb e8 85 c2 25 3b 33 52 5a 95 fa 7b bb 7c .c....%;3RZ..{.|
0020: a2 f9 26 e4 27 92 82 30 ac bc af 59 a1 65 f8 f5 ..&.'..0...Y.e..
0030: 2e 95 af d9 34 cc 6c 79 a9 fb 87 d8 f7 6a b8 6c ....4.ly.....j.l
0040: 36 cf 36 d1 0d 45 4e 20 aa 37 43 40 ad 65 1e 39 6.6..EN .7C@.e.9
0050: 33 f7 68 f3 83 a1 8b c8 7b fc b0 a7 80 e2 0b 95 3.h.....{.......
0060: 28 a4 ab 38 a9 9b 06 d0 62 b7 1c 72 88 f4 43 53 (..8....b..r..CS
0070: ea b1 1a 94 fb d8 04 93 f2 a8 a7 20 44 26 f9 d1 ........... D&..
0080: 74 15 e3 21 2b d4 20 07 51 41 bd 72 c1 43 71 1f t..!+. .QA.r.Cq.
0090: 54 0f a5 4f 42 14 37 d5 f6 97 6c 7a 83 01 00 5b T..OB.7...lz...[
00a0: 20 1b cc 38 ae c7 89 cb e3 a5 2e 31 1c 12 61 97 ..8.......1..a.
00b0: 4f 34 a4 7a 8d O4.z.
TLS certificate verification: depth: 0, err: -49, subject: -unknown-, issuer: -unknown-
TLS certificate verification: Error, Unknown error
TLS: can't accept.
TLS: Error in the certificate. (null):0
connection_read(13): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=13 for close
connection_close: conn=0 sd=13


I've confirmed that "/etc/ldap/cert.pem" and "/etc/ldap/key.pem" are readable by the user, and that "/etc/ldap/cacert.pem" is world readable.

Interestingly, I encounter exactly the same error if I omit "TLSCACertificateFile" altogether, or if I remove "/etc/ldap/cacert.pem".

Additionally, the CA certificate used by the client is also "/etc/ldap/cacert.pem", and the certificate and key used by the server are likewise "/etc/ldap/cacert.pem". Why, then, can the client verify the server, yet the server can't verify the client?

Thanks again for all your help,

Jack

On Jan 1, 2004, at 3:09 AM, Tony Earnshaw wrote:

Wed, 31.12.2003 at 18.37, ms419@freezone.co.uk wrote:

Hint:

TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept.
TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:1976
connection_read(15): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=15 for close
connection_close: conn=0 sd=15

Note: TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

--Tonni

--
mail: billy - at - billy.demon.nl
http://www.billy.demon.nl
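The hex dumps in the -d 7 traces above are raw TLS records, so the handshake sequence can be read out of them mechanically instead of by eye. The decoder below is an added example, not code from the post or from OpenLDAP: it pairs each tls_read/tls_write line with the dump printed under it, reassembles TLS records per direction (a read's 5-byte record header is logged as its own read, a write carries header and body together) and names the handshake messages with the TLS 1.0 type numbers from RFC 2246. Records written after a direction's ChangeCipherSpec are marked encrypted and their bodies are not interpreted. The embedded CLIENT_TRACE is the ldapsearch output from the post, cut to the first dump line of each record; where the post elided a body, the record is reported from its header alone. Run against it, it lists the server's ServerHello, two records whose bodies the post cut (582 and 397 bytes), ServerHelloDone, then the client's ClientKeyExchange, ChangeCipherSpec and an encrypted record, the server's ChangeCipherSpec and encrypted Finished, the client's first application-data record (the bind), and finally got=0, the server closing the socket that ends in "Can't contact LDAP server (81)". No Certificate message appears among the client's writes; whether the server sent a CertificateRequest cannot be told from the post, since the bodies of the two cut records are not shown.

```python
"""Decode the TLS record layer of an OpenLDAP "-d 7" trace. Added example, not
code from the post or from OpenLDAP; type numbers are the TLS 1.0 values of RFC 2246."""
import re
from collections import namedtuple

CONTENT = {0x14: "ChangeCipherSpec", 0x15: "Alert", 0x16: "Handshake", 0x17: "ApplicationData"}
HANDSHAKE = {0: "HelloRequest", 1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
             15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished"}
IO_RE = re.compile(r"^tls_(read|write): want=\d+, (?:got|written)=(\d+)")
DUMP_RE = re.compile(r"^[0-9a-f]{4}: ((?:[0-9a-f]{2} )+)")   # the hex column, not the ASCII one
# direction as the logging process saw it; content is a record type name, "Elided" or "EOF"
Record = namedtuple("Record", "direction content messages encrypted")


def parse_chunks(trace):
    """[direction, length, dumped] per tls_ line; dumped is short where the post cut the dump."""
    chunks, cur = [], None
    for line in trace.splitlines():
        if m := IO_RE.match(line):
            cur = [m.group(1), int(m.group(2)), b""]
            chunks.append(cur)
        elif cur and (d := DUMP_RE.match(line)):
            room = cur[1] - len(cur[2])  # never take more bytes than the chunk holds
            cur[2] += bytes.fromhex(d.group(1).replace(" ", "")[:2 * room])
        else:
            cur = None                   # any other line ends the dump
    return chunks


def handshake_names(body):
    """Name each handshake message whose 4-byte header lies within body."""
    names = []
    while len(body) >= 4:
        names.append(HANDSHAKE.get(body[0], f"Unknown(0x{body[0]:02x})"))
        body = body[4 + int.from_bytes(body[1:4], "big"):]
    return tuple(names)


def decode(trace):
    """Reassemble records per direction (a read's 5-byte header is its own chunk)."""
    out, buf, enc = [], {"read": b"", "write": b""}, {"read": False, "write": False}
    for d, length, data in parse_chunks(trace):
        if length == 0:                   # got=0: the peer closed the socket
            out.append(Record(d, "EOF", (), enc[d]))
            continue
        buf[d] += data
        if len(data) < length:            # dump elided in the post: use the header we have
            name = CONTENT.get(buf[d][0], "Elided") if len(buf[d]) >= 5 else "Elided"
            msgs = handshake_names(buf[d][5:]) if name == "Handshake" and not enc[d] else ()
            out.append(Record(d, name, msgs, enc[d]))
            buf[d] = b""
            continue
        while len(buf[d]) >= 5:
            rlen = int.from_bytes(buf[d][3:5], "big")
            if len(buf[d]) < 5 + rlen:
                break                     # the body comes in the next chunk
            ctype, body, buf[d] = buf[d][0], buf[d][5:5 + rlen], buf[d][5 + rlen:]
            msgs = handshake_names(body) if ctype == 0x16 and not enc[d] else ()
            out.append(Record(d, CONTENT.get(ctype, f"Unknown(0x{ctype:02x})"), msgs, enc[d]))
            if ctype == 0x14:
                enc[d] = True             # later records in this direction are encrypted
    return out


# The post's ldapsearch -d 7 output, cut to the first dump line of each record.
CLIENT_TRACE = """\
tls_write: want=81, written=81
0000: 16 03 01 00 4c 01 00 00 48 03 01 3f f4 d2 ed da ....L...H..?....
tls_read: want=5, got=5
0000: 16 03 01 00 4a ....J
tls_read: want=74, got=74
0000: 02 00 00 46 03 01 3f f4 d2 ed 66 4e f6 fe 21 05 ...F..?...fN..!.
tls_read: want=5, got=5
0000: 16 03 01 02 46 ....F
tls_read: want=582, got=582
tls_read: want=5, got=5
0000: 16 03 01 01 8d .....
tls_read: want=397, got=397
tls_read: want=5, got=5
0000: 16 03 01 00 04 .....
tls_read: want=4, got=4
0000: 0e 00 00 00 ....
tls_write: want=139, written=139
0000: 16 03 01 00 86 10 00 00 82 00 80 a6 63 a8 c0 c9 ............c...
tls_write: want=6, written=6
0000: 14 03 01 00 01 01 ......
tls_write: want=277, written=277
tls_read: want=5, got=5
0000: 14 03 01 00 01 .....
tls_read: want=1, got=1
0000: 01 .
tls_read: want=5, got=5
0000: 16 03 01 00 b0 .....
tls_read: want=176, got=176
tls_write: want=149, written=149
0000: 17 03 01 00 90 76 eb 42 01 6f 73 14 48 d1 78 38 .....v.B.os.H.x8
tls_read: want=5, got=0
"""

for r in decode(CLIENT_TRACE):
    print(r.direction, r.content, *r.messages, "(encrypted)" if r.encrypted else "")
```

To run it on a full trace, paste the ldapsearch or slapd output into CLIENT_TRACE unchanged; complete dumps are decoded in full, so every handshake message in a plaintext record is named, and the same decoder reads the slapd side of the exchange, where the directions are reversed.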