
Re: SSL/TLS connection on port 389



On Tuesday 29 January 2008 19:18:15 Carr, Chris wrote:

> > It seems that no matter what you select here, if the port is
> > 389, it does STARTTLS:
> >
> > Jan 29 17:59:16 seaknight slapd[840]: conn=0 fd=15 ACCEPT from IP=127.0.0.1:53243 (IP=0.0.0.0:389)
> > Jan 29 17:59:16 seaknight slapd[840]: conn=0 op=0 STARTTLS
> > Jan 29 17:59:16 seaknight slapd[840]: conn=0 op=0 RESULT oid= err=0 text=
> > Jan 29 17:59:16 seaknight slapd[840]: conn=0 fd=15 TLS established tls_ssf=256 ssf=256
>
> This is encouraging - I guess you are not using the same version of
> slapd as I am? (I'm using 2.4.7, which apparently has a bug with
> STARTTLS, at least in Debian it does).

I don't use Debian, and on production platforms I don't use the packages 
supplied by the distro, but the rebuilds (which are available at 
http://staff.telkomsa.net/packages/) of the Mandriva package, for which I am 
the maintainer. The output in my reply was from my Mandriva 2008.0 x86_64, 
running the 2.3.38 package supplied with the distro. I will try and test the 
2.4.7 packages sometime later today.


> What log level are you choosing to get this output? Is it just "conns"?

stats (256).

> > However, if you select 636 as the port, it greys out the "Use secure
> > connection" drop-down box, and does ldaps.
>
> Yes.
>
> > Jan 29 18:03:51 seaknight slapd[840]: conn=14 fd=27 ACCEPT from IP=127.0.0.1:54153 (IP=0.0.0.0:636)
> > Jan 29 18:03:51 seaknight slapd[840]: conn=14 fd=27 closed (TLS negotiation failure)
> > Jan 29 18:03:58 seaknight slapd[840]: conn=15 fd=27 ACCEPT from IP=127.0.0.1:45074 (IP=0.0.0.0:389)
> >
> > (Can't get it to work right right now with ldaps ...).

Note that this may simply be due to me using self-signed certs ...

> Me neither, though I had assumed that was password-related.
>
> > Note however that evo caches LDAP connections, it seems you
> > need to restart it for your config changes to take effect.
>
> Ah, I didn't know that - thanks.
>
> > And, it will only prompt you for the password once the
> > connection is up ...
>
> Hmmm. If I understand the output correctly, it's rejecting the
> connection before asking for a password. I will have to investigate this
> again.
>
> > > Could somebody explain to me how to tell slapd to accept secure
> > > connections on port 389?
> >
> > start slapd with no -h flag, or -h "ldaps:/// ldap:///";
> > so it listens on port 636 for ldaps connections, and 389 for
> > ldap connections (which could use START_TLS to upgrade).
>
> I just have -h "ldaps:///" - I presumed the ldap:/// was covered
> automatically as the default.

No, logically there should be a way to prevent the use of a port which could 
be used by some other application ...

> > > Sorry if this is a really stupid question, but according to
> > > the docs the "startTLS" process should be automatic if a
> > > secure connection comes in on port 389. Something is
> > > obviously not quite right.
> >
> > Hmm, SSL/TLS isn't really automatic ...
>
> Sorry, I meant that the connection is upgraded to SSL/TLS if the
> STARTTLS command is sent by the client (which you have verified
> Evolution does).
>
> Thanks muchly for your help. I will do some more testing with Evolution
> until I lose the will to live once again.
>
> I am now even getting errors with Outlook. It seems to connect ok, but
> whenever I do a search it says "The Properties dialog box could not be
> displayed. To display the Properties dialog box, you must select exactly
> one item." - I don't know what this is about, I get the same message
> whether my search is gibberish (should return no matches), unique
> (should return a single match) or general (should return multiple
> matches). No results are returned. It seems to be a completely incorrect
> error message.

It seems Outlook doesn't like self-signed certs, so I'll look at this later 
once I've had time to sort out certificates for these boxes.

Regards,
Buchan
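As an added example (not code from this thread or from OpenLDAP), the script below walks slapd stats-level (loglevel 256) log lines like the ones quoted above and reports, per connection, whether it was upgraded with STARTTLS on 389, came in over ldaps on 636, failed the TLS handshake, or sent a simple bind before any TLS was up. The sample log, hostname, PID, ports and bind DN are constructed for the example.

```python
import re

# Constructed sample of slapd "stats" output, modelled on the lines quoted
# in the thread; hostname, PID, client ports and the bind DN are illustrative.
SAMPLE_LOG = """\
Jan 29 17:59:16 seaknight slapd[840]: conn=0 fd=15 ACCEPT from IP=127.0.0.1:53243 (IP=0.0.0.0:389)
Jan 29 17:59:16 seaknight slapd[840]: conn=0 op=0 STARTTLS
Jan 29 17:59:16 seaknight slapd[840]: conn=0 op=0 RESULT oid= err=0 text=
Jan 29 17:59:16 seaknight slapd[840]: conn=0 fd=15 TLS established tls_ssf=256 ssf=256
Jan 29 18:03:51 seaknight slapd[840]: conn=14 fd=27 ACCEPT from IP=127.0.0.1:54153 (IP=0.0.0.0:636)
Jan 29 18:03:51 seaknight slapd[840]: conn=14 fd=27 closed (TLS negotiation failure)
Jan 29 18:03:58 seaknight slapd[840]: conn=15 fd=27 ACCEPT from IP=127.0.0.1:45074 (IP=0.0.0.0:389)
Jan 29 18:03:58 seaknight slapd[840]: conn=15 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
Jan 29 18:03:58 seaknight slapd[840]: conn=15 op=0 RESULT tag=97 err=0 text=
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\S+) \(IP=[^:)]+:(\d+)\)")
STARTTLS_RE = re.compile(r"conn=(\d+) op=\d+ STARTTLS")
TLS_OK_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established")
TLS_FAIL_RE = re.compile(r"conn=(\d+) fd=\d+ closed \(TLS negotiation failure\)")
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="[^"]*" method=(\d+)')

def classify_connections(log_text):
    """Map each conn id to one verdict: 'starttls' (389 upgraded), 'ldaps'
    (TLS up without a STARTTLS op, i.e. the 636 listener), 'tls-failed',
    'cleartext-simple-bind' (password sent before TLS), or 'cleartext'."""
    conns = {}
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            conns[m.group(1)] = {"port": m.group(3), "starttls": False,
                                 "tls": False, "tls_failed": False, "clear_bind": False}
            continue
        for regex, key in ((STARTTLS_RE, "starttls"), (TLS_OK_RE, "tls"),
                           (TLS_FAIL_RE, "tls_failed")):
            m = regex.search(line)
            if m and m.group(1) in conns:
                conns[m.group(1)][key] = True
        m = BIND_RE.search(line)
        # method=128 is a simple bind; before TLS is established it carries
        # the password in the clear on the wire.
        if m and m.group(1) in conns and m.group(2) == "128" and not conns[m.group(1)]["tls"]:
            conns[m.group(1)]["clear_bind"] = True
    verdicts = {}
    for cid, c in conns.items():
        if c["tls"]:
            verdicts[cid] = "starttls" if c["starttls"] else "ldaps"
        elif c["tls_failed"]:
            verdicts[cid] = "tls-failed"
        else:
            verdicts[cid] = "cleartext-simple-bind" if c["clear_bind"] else "cleartext"
    return verdicts

if __name__ == "__main__":
    for cid, verdict in classify_connections(SAMPLE_LOG).items():
        print(f"conn={cid}: {verdict}")
```

Run against a real slapd log, the 'cleartext-simple-bind' verdicts are the connections worth chasing down, since they show a client binding on 389 without ever issuing STARTTLS.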