[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: problem with ldapsearch/TLS ( or Fedora Core 2?? )

To: "OpenLdap Software List" <openldap-software@OpenLDAP.org>
Subject: RE: problem with ldapsearch/TLS ( or Fedora Core 2?? )
From: "Tay, Gary" <Gary_Tay@platts.com>
Date: Mon, 25 Oct 2004 15:14:50 +0800
Content-class: urn:content-classes:message
Thread-index: AcS4p2Mf8n+3IwKCTD2nLvaZLLUbvQBj097gAArSXtA=
Thread-topic: problem with ldapsearch/TLS ( or Fedora Core 2?? )

Sorry for the mess of HTML content, plain text content re-posted.

-----Original Message-----
From: Tay, Gary 
Sent: Monday, October 25, 2004 10:15 AM
To: 'Barrow H Kwan'; Jeff Warnica <jeffw
Cc: OpenLdap Software List; owner-openldap-software@OpenLDAP.org
Subject: RE: problem with ldapsearch/TLS ( or Fedora Core 2?? )

Looking at the last statment of the debugging output.
"error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure".

If you were to search Google using info: "error:14094410:SSL
routines:SSL3_READ_BYTES:sslv3 alert handshake failure".

You would notice that Howard has highlighted a common misunderstanding
among many have: TLS uses port 389 not 636:
http://www.openldap.org/lists/openldap-software/200404/msg00364.html

Could you pls check if there is a port 636 statement in ldap.conf (at
client or server if u do local test), that should be changed to "PORT
389" or delete this "PORT 636" statement to use the implied default
which is PORT 389.

slapd should also be listening on port 389.

Gary
-----Original Message-----
...
TLS trace: SSL3 alert read:fatal:handshake failure 
TLS trace: SSL_connect:failed in SSLv3 read finished A 
TLS: can't connect. 
ldap_perror 
ldap_start_tls: Connect error (91) 
        additional info: error:14094410:SSL
routines:SSL3_READ_BYTES:sslv3 alert handshake failure 

Barrow 

Jeff Warnica <jeffw@chebucto.ns.ca> 
Sent by: owner-openldap-software@OpenLDAP.org 
10/22/2004 07:50 PM ToBarrow H Kwan <bhkwan@thoughtworks.com> 
ccOpenLdap Software List <openldap-software@OpenLDAP.org> 
SubjectRe: problem with ldapsearch/TLS  ( or Fedora Core 2?? )

On Thu, 2004-21-10 at 19:16 -0700, Barrow H Kwan wrote
> 
> [root@myhost root]# ldapsearch -H ldap://myhost.domain.com -D
> uid=user1,ou=People,dc=Corporate,dc=Domain,dc=COM -x -W -ZZ 
> ldap_start_tls: Connect error (91) 
>        additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed 
<snip>
> : is it a problem with ldapsearch ? 

Unlikely. Does ldapsearch know about your CA certs? Note
that /etc/ldap.conf is for pam/nss _only_, everything else uses,
ie, /erc/openldap/ldap.conf ... at least with all the RH/Fedora RPMs.

If that doesn't work, run ldapsearch with "-d -1" and see if that gives
any hits.

Prev by Date: RE: TLS_CACERTDIR not working?
Next by Date: Re: OpenLDAP Replication - Trust or not to Trust?
Index(es):
- Chronological
- Thread