
RE: problem with ldapsearch/TLS ( or Fedora Core 2?? )



I guess if u turn on client verification "TLSVerifyClient demand" in
slapd.conf, the ldap client would need to present a cert for handshaking
with server.

Forgot to point out that the "tls_..." directives in ldap.conf should be
in UPPERCASE.
Eg:
TLS_CACERT /etc/openldap/cacert/ca.crt 

-----Original Message-----
From: Barrow H Kwan [mailto:bhkwan@thoughtworks.com] 
Sent: Wednesday, October 27, 2004 7:35 AM
To: Tay, Gary
Cc: OpenLdap Software List; owner-openldap-software@OpenLDAP.org
Subject: RE: problem with ldapsearch/TLS ( or Fedora Core 2?? )



yes.. it is on port 389 and I have figured out the problem... 

I have to add .ldaprc under the user's home directory who run ldapsearch
( ie ~/.ldaprc ) with the following two lines in the file. 

tls_cert /etc/openldap/certs/myhost.crt 
tls_key /etc/openldap/certs/myhost.key 



"Tay, Gary" <Gary_Tay@platts.com>
10/24/2004 07:15 PM
To: "Barrow H Kwan" <bhkwan@thoughtworks.com>, "Jeff Warnica <jeffw"
cc: "OpenLdap Software List" <openldap-software@OpenLDAP.org>, <owner-openldap-software@OpenLDAP.org>
Subject: RE: problem with ldapsearch/TLS ( or Fedora Core 2?? )

Looking at the last statement of the debugging output.
  
If you were to search Google using info: "error:14094410:SSL
routines:SSL3_READ_BYTES:sslv3 alert handshake failure". 
  
You would notice that Howard has highlighted a common misunderstanding
that many have: TLS uses port 389 not 636:
http://www.openldap.org/lists/openldap-software/200404/msg00364.html 
  
Could you pls check if there is a port 636 statement in ldap.conf (at
client or server if u do local test), that should be changed to "PORT
389" or delete this "PORT 636" statement to use the implied default
which is PORT 389. 
  
slapd should also be listening on port 389. 
  
Gary 
-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Barrow H Kwan
Sent: Saturday, October 23, 2004 10:15 AM
To: Jeff Warnica <jeffw
Cc: OpenLdap Software List; owner-openldap-software@OpenLDAP.org
Subject: Re: problem with ldapsearch/TLS ( or Fedora Core 2?? )


I already had this in /etc/openldap/ldap.conf 
... 
... 
tls_cacert /etc/openldap/cacert/ca.crt 
tls_cacertdir /etc/openldap/cacert 
tls_cert /etc/openldap/certs/myhost.crt 
tls_key /etc/openldap/certs/myhost.key 
.. 

ldapsearch -d -1 got this.. 
...
TLS trace: SSL_connect:SSLv3 read server certificate request A 
TLS trace: SSL_connect:SSLv3 read server done A 
TLS trace: SSL_connect:SSLv3 write client certificate A 
TLS trace: SSL_connect:SSLv3 write client key exchange A 
TLS trace: SSL_connect:SSLv3 write change cipher spec A 
TLS trace: SSL_connect:SSLv3 write finished A 
tls_write: want=146, written=146 
TLS trace: SSL_connect:SSLv3 flush data 
tls_read: want=5, got=5 
 0000:  15 03 01 00 02                                     ..... 
tls_read: want=2, got=2 
 0000:  02 28                                              .( 
TLS trace: SSL3 alert read:fatal:handshake failure 
TLS trace: SSL_connect:failed in SSLv3 read finished A 
TLS: can't connect. 
ldap_perror 
ldap_start_tls: Connect error (91) 
       additional info: error:14094410:SSL
routines:SSL3_READ_BYTES:sslv3 alert handshake failure 


Barrow 
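As an added illustration (not code from the thread or from OpenLDAP), the script below parses the byte dumps that `ldapsearch -d -1` prints and reports the two facts that decide this case: whether the client's Certificate handshake message was empty (no tls_cert/tls_key in effect) and which alert the server returned. The sample trace is constructed in the same format as the trace above, not copied from it.

```python
import re
from collections import defaultdict

# Constructed sample in the format of `ldapsearch -d -1` output (not the thread's dump):
# the client answers the certificate request with an empty Certificate message,
# then the server replies with a fatal alert.
SAMPLE_TRACE = """\
TLS trace: SSL_connect:SSLv3 read server certificate request A
tls_write: want=18, written=18
 0000:  16 03 01 00 07 0b 00 00  03 00 00 00 14 03 01 00   ................
 0010:  01 01                                              ..
tls_read: want=5, got=5
 0000:  15 03 01 00 02                                     .....
tls_read: want=2, got=2
 0000:  02 28                                              .(
TLS trace: SSL3 alert read:fatal:handshake failure
"""

DUMP_LINE = re.compile(r"^\s*[0-9a-f]{4}:\s+((?:[0-9a-f]{2}\s+){1,16})")
ALERTS = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca"}

def extract_streams(trace):
    """Group dumped bytes by direction; consecutive tls_read/tls_write chunks are joined."""
    streams, current = defaultdict(bytearray), None
    for line in trace.splitlines():
        if line.startswith("tls_write"): current = "client"
        elif line.startswith("tls_read"): current = "server"
        elif current and (m := DUMP_LINE.match(line)):
            streams[current] += bytes.fromhex(m.group(1))
    return streams

def parse_records(data):
    """Walk TLS records; stop interpreting after ChangeCipherSpec (what follows is encrypted)."""
    findings, pos = [], 0
    while pos + 5 <= len(data):
        rtype, length = data[pos], int.from_bytes(data[pos+3:pos+5], "big")
        body, pos = data[pos+5:pos+5+length], pos + 5 + length
        if rtype == 0x15 and len(body) == 2:  # alert: level, description
            level = "fatal" if body[0] == 2 else "warning"
            findings.append(f"alert {level}: {ALERTS.get(body[1], body[1])}")
        elif rtype == 0x14:  # ChangeCipherSpec
            break
        elif rtype == 0x16 and body and body[0] == 0x0b:  # handshake: Certificate
            certs_len = int.from_bytes(body[4:7], "big")  # 3-byte certificate_list length
            findings.append("Certificate: empty (client presented no certificate)"
                            if certs_len == 0 else f"Certificate: {certs_len} bytes of chain")
    return findings

def diagnose(trace):
    return {side: parse_records(data) for side, data in extract_streams(trace).items()}
```

Run `diagnose(open("trace.txt").read())` on a saved `ldapsearch -d -1` capture; an empty client Certificate paired with a fatal handshake_failure from the server points at the client-certificate setup rather than at the CA certificate.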


Jeff Warnica <jeffw@chebucto.ns.ca>
Sent by: owner-openldap-software@OpenLDAP.org
10/22/2004 07:50 PM
To: Barrow H Kwan <bhkwan@thoughtworks.com>
cc: OpenLdap Software List <openldap-software@OpenLDAP.org>
Subject: Re: problem with ldapsearch/TLS ( or Fedora Core 2?? )

On Thu, 2004-21-10 at 19:16 -0700, Barrow H Kwan wrote
> 
> [root@myhost root]# ldapsearch -H ldap://myhost.domain.com -D
> uid=user1,ou=People,dc=Corporate,dc=Domain,dc=COM -x -W -ZZ 
> ldap_start_tls: Connect error (91) 
>        additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed 
<snip>
> : is it a problem with ldapsearch ? 


Unlikely. Does ldapsearch know about your CA certs? Note
that /etc/ldap.conf is for pam/nss _only_, everything else uses,
ie, /etc/openldap/ldap.conf ... at least with all the RH/Fedora RPMs.

If that doesn't work, run ldapsearch with "-d -1" and see if that gives
any hits.