[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldap_tls call failed: Can't contact LDAP server



Dear Buchan,
 
Thanks for helping me.
 
Here is what I tried and it worked.
During certificate creation, I used ip address instead of hostname.
That is why output of following command shows Ip address i.e. 192.168.4.146
$ openssl x509 -noout -subject -in /etc/openldap/CERTS/servercrt.pem
 
Everything worked properly, when I tried following command:
$ ldapsearch -x -H ldaps://192.168.4.146:636 -b "dc=my-domain, dc=com"
 
However, this is one option.
I dont know why it is failing for other option i.e.
1. ldap_init
2. set ldap options
3. start_tls
All this is done in C program.
The error says Can't contact to Ldap server.
 
Thanks,
Digambar
 

 
On 1/17/08, Buchan Milne <bgmilne@staff.telkomsa.net> wrote:
On Wednesday 16 January 2008 16:06:38 Digambar Sawant wrote:
> Problem Definition:
>
> I have following sets of files on a linux host where my server is running.
> Again, I am trying ldapsearch command on same linux machine.
>
> *Certificate files on Server machine:*
> ls -l /etc/openldap/CERTS/
> -rwxrwxrwx    1 root     root         1265 Jan 16 18:04 cacert.pem
> -rwxrwxrwx    1 root     root         3604 Jan 16 18:05 servercrt.pem
> -rwxrwxrwx    1 root     root         1664 Jan 16 18:05 serverkey.pem
>
> --------------------------------------------------------------
> *cat ldap.conf: */etc/openldap/ldap.conf**
> HOST 127.0.0.1

You can save typing by setting this, or URI, correctly.

> PORT 636

This isn't going to do much for you ^^^. You may rather want to set URI.
Please see the man page ('man ldap.conf').

> TLS_CACERTDIR /etc/openldap/CERTS/
> TLS_CACERT /etc/openldap/CERTS/cacert.pem

I would recommend you use only one of the above two options, to reduce
confusion.

> TLS_REQCERT demand
> BASE dc=example,dc=com

[...]

> TLSCACertificateFile /etc/openldap/CERTS/cacert.pem
> TLSCertificateFile /etc/openldap/CERTS/servercrt.pem
> TLSCertificateKeyFile /etc/openldap/CERTS/serverkey.pem

[...]

> database        ldbm

Bad idea ^^^.

> suffix          "dc=my-domain,dc=com"
> rootdn          "cn=Manager,dc=my-domain,dc=com"
> directory       /var/lib/ldap
> index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
> index   cn,mail,surname,givenname                       eq,subinitial

[...]

> *Started ldap server with:*
> 1. /usr/sbin/slapd -f /etc/openldap/slapd.conf -d 127 -h ldaps:/// &
> 2. netstat shows that server is listening on port 636
> netstat -antp | grep slapd
> tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN
> 14512/slapd
>
> When I executed follwing command on same server machine (linux host):
>
> ldapsearch -ZZ "CERTS/cacert.pem" -h 192.168.6.146 -p 636 -b
> "dc=my-domain,dc=com" -d 127

1)Under your current configuration, this requires that the server has a
certificate with the subject's CN=192.168.6.146, or that this IP is in the
subjAltName extension on the certificate. If, instead, there is a hostname as
the CN, then you should use the hostname wherever you want to specify a
connection, and ensure your name resolution takes care of connecting to the
correct IP address.

Please show the output from:

$ openssl x509 -noout -subject -in /etc/openldap/CERTS/servercrt.pem

It should match whatever you use after -h or -H ldaps://

2)You shouldn't use -Z (or -ZZ) on a port already running SSL/TLS. Instead use
an ldaps URI (-H ldaps://name.on.cert).

3)"CERTS/cacert.pem" must be removed, you can't specify and certificate
filenames via commandline options.

> It gave error logs as below:
>
> #ldapsearch -ZZ "CERTS/cacert.pem" -h 192.168.6.146 -p 636 -b
> "dc=my-domain,dc=com" -d 127*
> *ldap_start_tls: Can't contact LDAP server*

This is the correct behaviour ...

> *TRIAL 2*
>
> *Start server with start_ssl*
>
> 1. /usr/sbin/slapd -f /etc/openldap/slapd.conf -d 127 *start_ssl* &

?????

There should be no *start_ssl* in your commandline. If slapd has been
configured with SSL certificates correctly, starting it up without any
specific options will enable START_TLS.


> Here netstat shows that server is listening on 389 and not 636
> # netstat -antp | grep slapd
>
> tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN
> 14529/slapd

You can have both in fact ... but listening on 389 does not confirm the
START_TLS is configured correctly.

> When executed following command on same linux host (where server is
> running)
>
> 2. #ldapsearch -Z "CERTS/cacert.pem" -h 192.168.6.146 -p 389 -b
> "dc=my-domain,dc=com" -d 5

1)Same issue as above with certificate's subjectDN and hostname etc.
2)Same issue regarding "CERTS/cacert.pem".

> *ldap_interactive_sasl_bind_s: server supports: GSSAPI PLAIN LOGIN*
> *ldap_int_sasl_bind: GSSAPI PLAIN LOGIN*
> *ldap_perror*
> *ldap_sasl_interactive_bind_s: Local error*
> *[root@tb01-03-dp02 openldap]# ldaps*

You forgot -x.


Regards,
Buchan