
RE: Enabling TLS problem on openldap2-2.3.39



System is SLES 9.3 running openldap 2.3.39

I tried to create the x509 hash and it still failed the same way.

I still think the TLSCA entries should allow the x509 hash to not have
to be there.  Tried commenting out both TLSCertificate entries to no
avail.  Tried commenting out the TLSCACertificate entries, but left
TLSCACertificatePath entry uncommented.  All changes still failed the
ldapsearch the same way.

What else am I missing here?  Other ideas will be welcome.

Could you also give me some information as to how to interpret the ldap
log or maybe a pointer to where I can learn more about it?

Here is what I did:

    # cd /etc/openldap
    # openssl genrsa 1024 >ldapServer.key
    # chmod 0440 ldapServer.key
    # chgrp ldap ldapServer.key
    # openssl req -new -key ldapServer.key -x509 -days 100 -out ldapServer.crt
    # chmod 0444 server.crt
    # cd /etc/ssl/certs
    # cp /etc/openldap/ldapServer.crt ldapServer.pem
    # cat /etc/openldap/ldapServer.key >>ldapServer.pem
    # chmod 0444 ldapServer.pem
    # ln -f -s ldapServer.pem /etc/ssl/certs/`openssl x509 -hash -noout -in /etc/ssl/certs/ldapServer.pem`.0
    # ls -l /etc/ssl/certs | grep ldapServer.pem
    lrwxrwxrwx  1 root root   14 Nov 19 17:18 1eddbbdf.0 -> ldapServer.pem
    -rw-r--r--  1 root root 2526 Nov 19 16:57 ldapServer.pem

Here are the entries in slapd.conf (all in global section):

    TLSCertificateFile /etc/ssl/servercerts/servercert.pem
    TLSCertificateKeyFile /etc/ssl/servercerts/serverkey.pem
    TLSCACertificatePath /etc/ssl/certs/
    TLSCACertificateFile /etc/openldap/ldapServer.crt
    TLSCACertificateKeyFile /etc/openldap/ldapServer.key

It fails exactly the same way:

    # ldapsearch -x -Z -H ldap://testsvr.blv.boeing.com -b "" -s base 'objectclass=*' '+' '*'
    ldap_start_tls: Connect error (-11)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    ldap_result: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Here are the ldap log entries when loglevel is set to -1.

    Nov 19 17:19:43 testsvr slapd[7024]: daemon: activity on 1 descriptor
    Nov 19 17:19:43 testsvr slapd[7024]: daemon: activity on:
    Nov 19 17:19:43 testsvr slapd[7024]:
    Nov 19 17:19:43 testsvr slapd[7024]: >>> slap_listener(ldap:///)
    Nov 19 17:19:43 testsvr slapd[7024]: daemon: listen=8, new connection on 13
    Nov 19 17:19:43 testsvr slapd[7024]: daemon: added 13r (active) listener=(nil)
    Nov 19 17:19:43 testsvr slapd[7024]: conn=2 fd=13 ACCEPT from IP=130.42.48.144:1084 (IP=0.0.0.0:389)
    Nov 19 17:19:43 testsvr slapd[7024]: daemon: epoll: listen=7 active_threads=0 tvp=zero
    Nov 19 17:19:43 testsvr slapd[7024]: daemon: epoll: listen=8 active_threads=0 tvp=zero
    Nov 19 17:19:43 testsvr slapd[7024]: daemon: activity on 1 descriptor
    Nov 19 17:19:43 testsvr slapd[7024]: daemon: activity on:
    Nov 19 17:19:43 testsvr slapd[7024]:  13r
    Nov 19 17:19:43 testsvr slapd[7024]:
    Nov 19 17:19:43 testsvr slapd[7024]: daemon: read active on 13
    Nov 19 17:19:43 testsvr slapd[7024]: connection_get(13)
    Nov 19 17:19:43 testsvr slapd[7024]: connection_get(13): got connid=2
    Nov 19 17:19:43 testsvr slapd[7024]: connection_read(13): checking for input onid=2
    Nov 19 17:19:43 testsvr slapd[7024]: daemon: epoll: listen=7 active_threads=0 tvp=zero
    Nov 19 17:19:43 testsvr slapd[7024]: daemon: epoll: listen=8 active_threads=0 tvp=zero
    Nov 19 17:19:43 testsvr slapd[7024]: do_extended
    Nov 19 17:19:43 testsvr slapd[7024]: do_extended: oid=1.3.6.1.4.1.1466.20037
    Nov 19 17:19:43 testsvr slapd[7024]: conn=2 op=0 STARTTLS
    Nov 19 17:19:43 testsvr slapd[7024]: send_ldap_extended: err=0 oid= len=0
    Nov 19 17:19:43 testsvr slapd[7024]: send_ldap_response: msgid=1 tag=120 err=0
    Nov 19 17:19:43 testsvr slapd[7024]: conn=2 op=0 RESULT oid= err=0 text=
    Nov 19 17:19:43 testsvr slapd[7024]: daemon: activity on 1 descriptor
    Nov 19 17:19:43 testsvr slapd[7024]: daemon: activity on:
    Nov 19 17:19:43 testsvr slapd[7024]:  13r
    Nov 19 17:19:43 testsvr slapd[7024]:
    Nov 19 17:19:43 testsvr slapd[7024]: daemon: read active on 13
    Nov 19 17:19:43 testsvr slapd[7024]: connection_get(13)
    Nov 19 17:19:43 testsvr slapd[7024]: connection_get(13): got connid=2
    Nov 19 17:19:43 testsvr slapd[7024]: connection_read(13): checking for input onid=2
    Nov 19 17:19:43 testsvr slapd[7024]: daemon: epoll: listen=7 active_threads=0 tvp=zero
    Nov 19 17:19:43 testsvr slapd[7024]: daemon: epoll: listen=8 active_threads=0 tvp=zero
    Nov 19 17:19:43 testsvr slapd[7024]: daemon: activity on 1 descriptor
    Nov 19 17:19:43 testsvr slapd[7024]: daemon: activity on:
    Nov 19 17:19:43 testsvr slapd[7024]:  13r
    Nov 19 17:19:43 testsvr slapd[7024]:
    Nov 19 17:19:43 testsvr slapd[7024]: daemon: read active on 13
    Nov 19 17:19:43 testsvr slapd[7024]: connection_get(13)
    Nov 19 17:19:43 testsvr slapd[7024]: connection_get(13): got connid=2
    Nov 19 17:19:43 testsvr slapd[7024]: connection_read(13): checking for input onid=2
    Nov 19 17:19:43 testsvr slapd[7024]: connection_read(13): TLS accept failure error=-1 id=2, closing
    Nov 19 17:19:43 testsvr slapd[7024]: connection_closing: readying conn=2 sd=13 for close
    Nov 19 17:19:43 testsvr slapd[7024]: connection_close: conn=2 sd=-1
    Nov 19 17:19:43 testsvr slapd[7024]: daemon: removing 13
    Nov 19 17:19:43 testsvr slapd[7024]: conn=2 fd=13 closed (TLS negotiation failure)
    Nov 19 17:19:43 testsvr slapd[7024]: daemon: epoll: listen=7 active_threads=0 tvp=zero
    Nov 19 17:19:43 testsvr slapd[7024]: daemon: epoll: listen=8 active_threads=0 tvp=zero
    Nov 19 17:19:43 testsvr slapd[7024]: daemon: activity on 1 descriptor
    Nov 19 17:19:43 testsvr slapd[7024]: daemon: activity on:
    Nov 19 17:19:43 testsvr slapd[7024]:
    Nov 19 17:19:43 testsvr slapd[7024]: daemon: epoll: listen=7 active_threads=0 tvp=zero
    Nov 19 17:19:43 testsvr slapd[7024]: daemon: epoll: listen=8 active_threads=0 tvp=zero

----
Not all who wander are lost.

                          |     ----  ___o  |  chuck.keagle@boeing.com
Chuck Keagle              |  -------  \ <,  |  Work:  (425) 865-1488
Enterprise Servers:  HPC  |  ----- ( )/ ( ) |  Cell:  (425) 417-3434
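Added example, not part of the thread or of OpenLDAP: a Python sanity check for the slapd.conf TLS directives quoted in the post. It flags TLS* names that slapd.conf(5) does not define, files slapd cannot read, a CA trust file that carries a private key, and a TLSCertificateFile whose certificate does not appear in TLSCACertificateFile, which for a self-signed server certificate is exactly the mismatch a client reports as 'certificate verify failed'. The directive list is the one I know from slapd.conf(5); the file reader is passed in so the check can run against fixtures as well as the real filesystem.

```python
import re

# TLS directives slapd.conf(5) accepts in the global section; any other
# TLS* spelling (TLSCACertificateKeyFile, say) is not a slapd directive.
KNOWN_TLS = {"TLSCertificateFile", "TLSCertificateKeyFile",
             "TLSCACertificateFile", "TLSCACertificatePath",
             "TLSCipherSuite", "TLSRandFile", "TLSVerifyClient", "TLSCRLCheck"}
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def parse_global_tls(conf_text):
    """Collect TLS* directives from the global section (everything before
    the first 'database'/'backend' line); comment lines are skipped."""
    found = {}
    for line in conf_text.splitlines():
        parts = line.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() in ("database", "backend"):
            break
        if parts[0].startswith("TLS") and len(parts) == 2:
            found[parts[0]] = parts[1].strip()
    return found


def check_tls_config(conf_text, read_file):
    """Return a list of findings. read_file(path) returns a file's text or
    raises OSError, so the check runs on real files or on test fixtures."""
    tls = parse_global_tls(conf_text)
    findings = ["unknown directive %s" % d for d in sorted(set(tls) - KNOWN_TLS)]
    text = {}
    for d in ("TLSCertificateFile", "TLSCertificateKeyFile", "TLSCACertificateFile"):
        if d not in tls:
            if d != "TLSCACertificateFile":
                findings.append("%s not set; slapd cannot offer TLS" % d)
            continue
        try:
            text[d] = read_file(tls[d])
        except OSError as exc:
            findings.append("%s: cannot read %s (%s)" % (d, tls[d], exc))
    server = PEM_CERT.findall(text.get("TLSCertificateFile", ""))
    ca = PEM_CERT.findall(text.get("TLSCACertificateFile", ""))
    if server and ca and server[0] not in ca:
        # A self-signed server certificate must itself be the trust anchor;
        # otherwise clients verifying against the CA file reject it.
        findings.append("server certificate is not in TLSCACertificateFile; "
                        "if it is self-signed, clients trusting that file will reject it")
    if "PRIVATE KEY" in text.get("TLSCACertificateFile", ""):
        findings.append("TLSCACertificateFile contains a private key; CA trust "
                        "files must hold certificates only")
    return findings
```

Run it against the live file with `check_tls_config(open("/etc/openldap/slapd.conf").read(), lambda p: open(p).read())`; an empty list means the directives are self-consistent, not that the client's TLS_CACERT also trusts the certificate.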