no TLS connections
Hello everybody,

I am quite new to LDAP and I am testing locally before setting up a new server. Unencrypted connections are all right, but I have no success with TLS connections.

My box, a laptop, is a Debian Etch; the OpenLDAP version is 2.3.30 (the packages installed are ldap-utils, libldap-2.3-0, libldap2 and slapd).

If needed, I can give more details, but basically I followed these steps:
1) a. Set up a local certification authority (CA).
   b. Created a certificate for the LDAP server, signed by my CA; I took care that the Common Name is the server FQDN.
2) a. In /etc/default/slapd, I wrote
      SLAPD_SERVICES="ldap://arwen.grenier.ambre:389/ ldaps://arwen.grenier.ambre:636/"
      (where arwen.grenier.ambre is my laptop FQDN)
   b. In /etc/ldap/slapd.conf, according to where my files are, I wrote:
      TLSCACertificateFile /etc/ldap/certificates/cacert.pem
      TLSCertificateFile /etc/ldap/certificates/servercert.pem
      TLSCertificateKeyFile /etc/ldap/certificates/serverkey.pem
      TLSVerifyClient never
   c. In /etc/ldap/ldap.conf, I wrote:
      TLS_CACERT /etc/ldap/certificates/cacert.pem
      TLS_REQCERT never
I have read in the OpenLDAP admin guide that the TLS_REQCERT default value is "demand", but it isn't compulsory, is it?

The request

  ldapsearch -H ldap://arwen.grenier.ambre -x -D "cn=root,dc=irem,dc=univ-lille1,dc=fr" -w secret -ZZ

seems all right, as it returns all the directory entries, but in syslog (I put "loglevel 15" in slapd.conf) I have the following (I added some comments to easily spot the possible errors):
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: >>>
slap_listener(ldap://arwen.grenier.ambre:389/)
Apr 18 23:15:25 localhost slapd[6727]: daemon: listen=6, new connection
on 11
Apr 18 23:15:25 localhost slapd[6727]: daemon: added 11r (active)
listener=(nil)
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on:
Apr 18 23:15:25 localhost slapd[6727]: 11r
Apr 18 23:15:25 localhost slapd[6727]:
Apr 18 23:15:25 localhost slapd[6727]: daemon: read activity on 11
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11)
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11): got connid=8
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for
input on id=8
### PROBLEM ???
Apr 18 23:15:25 localhost slapd[6727]: ber_get_next on fd 11 failed
errno=11 (Resource temporarily unavailable)
###
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: do_extended
Apr 18 23:15:25 localhost slapd[6727]: do_extended:
oid=1.3.6.1.4.1.1466.20037
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_extended: err=0 oid= len=0
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_response: msgid=1
tag=120 err=0
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on:
Apr 18 23:15:25 localhost slapd[6727]: 11r
Apr 18 23:15:25 localhost slapd[6727]:
Apr 18 23:15:25 localhost slapd[6727]: daemon: read activity on 11
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11)
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11): got connid=8
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for
input on id=8
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on:
Apr 18 23:15:25 localhost slapd[6727]: 11r
Apr 18 23:15:25 localhost slapd[6727]:
Apr 18 23:15:25 localhost slapd[6727]: daemon: read activity on 11
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11)
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11): got connid=8
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for
input on id=8
### PROBLEM ???
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): unable to
get TLS client DN, error=49 id=8
###
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on:
Apr 18 23:15:25 localhost slapd[6727]: 11r
Apr 18 23:15:25 localhost slapd[6727]:
Apr 18 23:15:25 localhost slapd[6727]: daemon: read activity on 11
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11)
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11): got connid=8
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for
input on id=8
Apr 18 23:15:25 localhost slapd[6727]: ber_get_next on fd 11 failed
errno=11 (Resource temporarily unavailable)
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: waked
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: do_bind
Apr 18 23:15:25 localhost slapd[6727]: >>> dnPrettyNormal:
<cn=root,dc=irem,dc=univ-lille1,dc=fr>
Apr 18 23:15:25 localhost slapd[6727]: <<< dnPrettyNormal:
<cn=root,dc=irem,dc=univ-lille1,dc=fr>,
<cn=root,dc=irem,dc=univ-lille1,dc=fr>
Apr 18 23:15:25 localhost slapd[6727]: do_bind: version=3
dn="cn=root,dc=irem,dc=univ-lille1,dc=fr" method=128
Apr 18 23:15:25 localhost slapd[6727]: ==> bdb_bind: dn:
cn=root,dc=irem,dc=univ-lille1,dc=fr
Apr 18 23:15:25 localhost slapd[6727]: do_bind: v3 bind:
"cn=root,dc=irem,dc=univ-lille1,dc=fr" to
"cn=root,dc=irem,dc=univ-lille1,dc=fr"
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_result: conn=8 op=1 p=3
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_result: err=0
matched="" text=""
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_response: msgid=2
tag=97 err=0
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on:
Apr 18 23:15:25 localhost slapd[6727]: 11r
Apr 18 23:15:25 localhost slapd[6727]:
Apr 18 23:15:25 localhost slapd[6727]: daemon: read activity on 11
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11)
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11): got connid=8
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for
input on id=8
### PROBLEM ???
Apr 18 23:15:25 localhost slapd[6727]: ber_get_next on fd 11 failed
errno=11 (Resource temporarily unavailable)
###
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: waked
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: do_search
Apr 18 23:15:25 localhost slapd[6727]: >>> dnPrettyNormal:
<dc=irem,dc=univ-lille1,dc=fr>
Apr 18 23:15:25 localhost slapd[6727]: <<< dnPrettyNormal:
<dc=irem,dc=univ-lille1,dc=fr>, <dc=irem,dc=univ-lille1,dc=fr>
Apr 18 23:15:25 localhost slapd[6727]: SRCH
"dc=irem,dc=univ-lille1,dc=fr" 2 0
Apr 18 23:15:25 localhost slapd[6727]: 0 0 0
Apr 18 23:15:25 localhost slapd[6727]: filter: (objectClass=*)
Apr 18 23:15:25 localhost slapd[6727]: attrs:
Apr 18 23:15:25 localhost slapd[6727]:
Apr 18 23:15:25 localhost slapd[6727]: => bdb_search
Apr 18 23:15:25 localhost slapd[6727]:
bdb_dn2entry("dc=irem,dc=univ-lille1,dc=fr")
Apr 18 23:15:25 localhost slapd[6727]: search_candidates:
base="dc=irem,dc=univ-lille1,dc=fr" (0x00000056) scope=2
Apr 18 23:15:25 localhost slapd[6727]: =>
bdb_dn2idl("dc=irem,dc=univ-lille1,dc=fr")
Apr 18 23:15:25 localhost slapd[6727]: => bdb_presence_candidates
(objectClass)
Apr 18 23:15:25 localhost slapd[6727]: bdb_search_candidates: id=-1
first=1 last=171
Apr 18 23:15:25 localhost slapd[6727]: entry_decode: "dc=nodomain"
Apr 18 23:15:25 localhost slapd[6727]: <= entry_decode(dc=nodomain)
Apr 18 23:15:25 localhost slapd[6727]: => bdb_dn2id("")
Apr 18 23:15:25 localhost slapd[6727]: <= bdb_dn2id: get failed:
DB_NOTFOUND: No matching key/data pair found (-30990)
Apr 18 23:15:25 localhost slapd[6727]: entry_decode: "cn=admin,dc=nodomain"
Apr 18 23:15:25 localhost slapd[6727]: <=
entry_decode(cn=admin,dc=nodomain)
Apr 18 23:15:25 localhost slapd[6727]: => bdb_dn2id("domain")
Apr 18 23:15:25 localhost slapd[6727]: <= bdb_dn2id: get failed:
DB_NOTFOUND: No matching key/data pair found (-30990)
Apr 18 23:15:25 localhost slapd[6727]: => send_search_entry: conn 8
dn="dc=irem,dc=univ-lille1,dc=fr"
Apr 18 23:15:25 localhost slapd[6727]: <= send_search_entry: conn 8 exit.
[ ... more search results ... ]
Apr 18 23:15:25 localhost slapd[6727]: => send_search_entry: conn 8
dn="uid=arlette.lengaigne,ou=personnes,dc=irem,dc=univ-lille1,dc=fr"
Apr 18 23:15:25 localhost slapd[6727]: <= send_search_entry: conn 8 exit.
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_result: conn=8 op=2 p=3
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_result: err=0
matched="" text=""
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_response: msgid=3
tag=101 err=0
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on:
Apr 18 23:15:25 localhost slapd[6727]: 11r
Apr 18 23:15:25 localhost slapd[6727]:
Apr 18 23:15:25 localhost slapd[6727]: daemon: read activity on 11
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11)
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11): got connid=8
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for
input on id=8
Apr 18 23:15:25 localhost slapd[6727]: ber_get_next on fd 11 failed
errno=0 (Success)
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): input
error=-2 id=8, closing.
Apr 18 23:15:25 localhost slapd[6727]: connection_closing: readying
conn=8 sd=11 for close
Apr 18 23:15:25 localhost slapd[6727]: connection_close: deferring
conn=8 sd=-1
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: waked
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: do_unbind
Apr 18 23:15:25 localhost slapd[6727]: connection_resched: attempting
closing conn=8 sd=11
Apr 18 23:15:25 localhost slapd[6727]: connection_close: conn=8 sd=-1
Apr 18 23:15:25 localhost slapd[6727]: daemon: removing 11
I am quite sure that my setup is not totally correct as, for instance, I successfully connect to the directory from the phpLDAPadmin web interface without TLS, but can't connect with TLS (or ldaps).

And another question :-)

What's the story with TLS_CIPHER_SUITE in ldap.conf and TLSCipherSuite in slapd.conf? Do they have to be set to some value? When I read the admin guide, I don't understand if there is a default value or not, and there is nothing concerning these directives in the Faq-O-Matic TLS entry.

Thanks for your help.
--
Fabrice Eudes -o)
PGP key 88AC3A66 /\\
Linux user no. 245401 _\_V
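Two checks a reviewer of this setup would want to run, written here as an added example (not code from the post or from the OpenLDAP project). The first part lints the client-side ldap.conf fragment: TLS_REQCERT decides whether the client verifies the server certificate at all, and "never" means a StartTLS session is encrypted but the server is unauthenticated; the mapping to Python's ssl.VerifyMode is only an analogy used to make that concrete. The second part triages slapd debug-log lines of the kind marked "### PROBLEM ???" above: errno=11 (EAGAIN) from ber_get_next is the normal result of polling a non-blocking socket before a full PDU has arrived, OID 1.3.6.1.4.1.1466.20037 is the StartTLS extended operation, and "unable to get TLS client DN, error=49" is logged when the client presented no certificate, which is expected with TLSVerifyClient never. The sample log lines are constructed from the post's excerpt with syslog's wrapped lines re-joined.

```python
"""Two small checks for an OpenLDAP StartTLS setup (added example, not from the post).

Part 1 lints a client-side ldap.conf fragment (TLS_REQCERT / TLS_CACERT).
Part 2 triages slapd debug-log lines like the ones quoted in the post."""
import re
import ssl

# ldap.conf TLS_REQCERT value -> (closest Python ssl.VerifyMode, what it means for the client).
# The VerifyMode column is an analogy to make the risk concrete, not an OpenLDAP API.
REQCERT_POLICY = {
    "never":  (ssl.CERT_NONE,     "server certificate is never requested or checked"),
    "allow":  (ssl.CERT_NONE,     "a missing or bad server certificate is ignored"),
    "try":    (ssl.CERT_OPTIONAL, "a missing certificate is accepted, a bad one is rejected"),
    "demand": (ssl.CERT_REQUIRED, "certificate required and verified against TLS_CACERT (default)"),
    "hard":   (ssl.CERT_REQUIRED, "same as demand"),
}


def parse_directives(text):
    """Parse 'KEY value' lines as in ldap.conf/slapd.conf; '#' starts a comment."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        directives[key.upper()] = value.strip()
    return directives


def lint_client_config(text):
    """Return a list of findings for a client-side ldap.conf fragment."""
    d = parse_directives(text)
    findings = []
    mode = d.get("TLS_REQCERT", "demand").lower()   # OpenLDAP's documented default is demand
    verify, meaning = REQCERT_POLICY.get(mode, (None, "unknown value"))
    if verify != ssl.CERT_REQUIRED:
        findings.append(f"TLS_REQCERT {mode}: {meaning}; the server stays unauthenticated, "
                        f"set 'demand' once the CA file is in place")
    if "TLS_CACERT" not in d:
        findings.append("TLS_CACERT missing: 'demand' would have no CA to verify against")
    return findings


# Patterns for the lines the post marks "### PROBLEM ???", plus the StartTLS markers.
LOG_RULES = [
    (re.compile(r"do_extended: oid=1\.3\.6\.1\.4\.1\.1466\.20037"), "info",
     "StartTLS extended operation requested (OID 1.3.6.1.4.1.1466.20037)"),
    (re.compile(r"ber_get_next on fd \d+ failed errno=11 "), "benign",
     "EAGAIN on a non-blocking socket: no complete PDU available yet, not an error"),
    (re.compile(r"unable to get TLS client DN, error=49"), "benign",
     "no client certificate in the TLS session; expected with TLSVerifyClient never"),
    (re.compile(r"ber_get_next on fd \d+ failed errno=0 "), "info",
     "peer closed the connection (EOF); normal once ldapsearch has unbound"),
]


def triage_log(lines):
    """Classify slapd log lines; returns [(severity, explanation)] for matching lines only."""
    results = []
    for line in lines:
        for pattern, severity, explanation in LOG_RULES:
            if pattern.search(line):
                results.append((severity, explanation))
                break
    return results


def starttls_succeeded(lines):
    """True if a StartTLS request is followed by an extended response with err=0."""
    seen_request = False
    for line in lines:
        if "do_extended: oid=1.3.6.1.4.1.1466.20037" in line:
            seen_request = True
        elif seen_request and "send_ldap_extended: err=0" in line:
            return True
    return False


# The ldap.conf fragment from the post.
SAMPLE_LDAP_CONF = """\
TLS_CACERT /etc/ldap/certificates/cacert.pem
TLS_REQCERT never
"""

# Constructed from the post's log excerpt, with syslog's wrapped lines re-joined.
SAMPLE_LOG = [
    "Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for input on id=8",
    "Apr 18 23:15:25 localhost slapd[6727]: ber_get_next on fd 11 failed errno=11 (Resource temporarily unavailable)",
    "Apr 18 23:15:25 localhost slapd[6727]: do_extended: oid=1.3.6.1.4.1.1466.20037",
    "Apr 18 23:15:25 localhost slapd[6727]: send_ldap_extended: err=0 oid= len=0",
    "Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): unable to get TLS client DN, error=49 id=8",
    'Apr 18 23:15:25 localhost slapd[6727]: do_bind: version=3 dn="cn=root,dc=irem,dc=univ-lille1,dc=fr" method=128',
    "Apr 18 23:15:25 localhost slapd[6727]: ber_get_next on fd 11 failed errno=0 (Success)",
]

if __name__ == "__main__":
    for finding in lint_client_config(SAMPLE_LDAP_CONF):
        print("config:", finding)
    for severity, explanation in triage_log(SAMPLE_LOG):
        print(f"log [{severity}]: {explanation}")
    print("StartTLS negotiated:", starttls_succeeded(SAMPLE_LOG))
```

Run against the post's own fragment, the linter reports only the TLS_REQCERT finding (the CA file is configured), and the log triage marks every "### PROBLEM ???" line as benign while confirming that the StartTLS exchange itself completed with err=0.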