Can't get TLS working.

Hello everyone!

Wrote to openldap-software, but got
"Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the
recipient domain. We recommend contacting the other email provider for
further information about the cause of this error. The error that the
other server returned was: 550 550 5.1.1
<openldap-software@openldap.org>... User unknown (state 14)."

So I'm here.

I'm trying to make openldap+TLS on freebsd 7.3.

I configured openldap, nss_ldap, ldap.conf and nsswitch.conf; I can
ldapsearch it, can run "id user", etc.

So when I do "id test" I get
uid=5555(test) gid=5555 groups=5555
All ok.

And now I want to add TLS to it.

So I add to slapd.conf

TLSCertificateFile    /usr/local/etc/openldap/ssl/ldap.server.ru.crt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/ldap.server.ru.key.pem
TLSCACertificateFile  /usr/local/etc/openldap/ssl/rootcrt.pem

In nss_ldap and ldap.conf I add the following:

ssl start_tls
tls_cacertfile /usr/local/etc/openldap/ssl-client/rootcrt.pem

I start slapd with debugging:

/usr/local/libexec/slapd -u ldap -d 1

and when I run "id test" I get

"id: test: no such user"

And slapd debug:

slap_listener_activate(7):
>>> slap_listener(ldap:///)
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
op tag 0x77, time 1284477158
ber_get_next
conn=1000 op=0 do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 11
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=1000
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
op tag 0x42, time 1284477158
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 11 failed errno=0 (Undefined error: 0)
conn=1000 op=1 do_unbind
connection_close: conn=1000 sd=11
TLS trace: SSL3 alert write:warning:close notify

That's all. What's wrong? Where should I look? What other
information should I post here?
I do not like this line:
"ber_get_next on fd 11 failed errno=0 (Undefined error: 0)"
But I do not know what that means.
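Since the question is where to look next, here is an added example (not part of the post and not OpenLDAP's own code) that reads a `slapd -d 1` trace like the one quoted above and reports how far the TLS session got and which side ended it. The embedded trace is the excerpt from the post; the stage labels and the advice strings are my own. It encodes three things a reader of this trace should know: `SSL_accept:error in SSLv3 read client certificate A` is the non-fatal "waiting for more data" state, not a failure; `unable to get TLS client DN, error=49` is logged when the client presented no certificate, which is normal unless slapd is configured to require one; and `ber_get_next ... errno=0` only records that the peer closed the socket.

```python
"""Summarise the TLS phase of a `slapd -d 1` trace and say which side ended the session.

Added example, not part of the original post or of OpenLDAP. Assumes the
trace is the debug-level-1 output slapd prints (as in the post); the stage
labels and advice text are my own.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Excerpt of the slapd -d 1 trace quoted in the post.
SAMPLE_TRACE = """\
conn=1000 op=0 do_extended
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=1000
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 11 failed errno=0 (Undefined error: 0)
conn=1000 op=1 do_unbind
connection_close: conn=1000 sd=11
TLS trace: SSL3 alert write:warning:close notify
"""

@dataclass
class TlsSummary:
    starttls_accepted: bool = False     # StartTLS extended op (tag=120) answered with err=0
    server_cert_sent: bool = False      # slapd wrote its certificate to the client
    handshake_finished: bool = False    # slapd wrote Finished: handshake completed on its side
    client_cert_presented: bool = True  # "unable to get TLS client DN, error=49" => no client cert
    client_closed_first: bool = False   # close_notify read from the client before slapd sent one
    ops_after_tls: List[str] = field(default_factory=list)  # LDAP ops received on the TLS session
    stage: str = ""                     # my own label, set by classify()
    advice: str = ""

_OP_RE = re.compile(r"conn=\d+ op=\d+ (do_\w+)")

def analyze_trace(lines: Iterable[str]) -> TlsSummary:
    """Walk the trace once, recording the TLS milestones slapd logs."""
    s = TlsSummary()
    wrote_close = False
    for raw in lines:
        line = raw.strip()
        if "send_ldap_response" in line and "tag=120" in line and "err=0" in line:
            s.starttls_accepted = True
        elif "SSL_accept:SSLv3 write certificate" in line:
            s.server_cert_sent = True
        elif "SSL_accept:SSLv3 write finished" in line:
            s.handshake_finished = True
        # "SSL_accept:error in ... read client certificate A" is SSL_accept returning
        # "want more data" while waiting for the client; it is not a failure, so ignored.
        elif "unable to get TLS client DN" in line:
            s.client_cert_presented = False
        elif "alert write:warning:close notify" in line:
            wrote_close = True
        elif "alert read:warning:close notify" in line:
            s.client_closed_first = not wrote_close
        elif s.handshake_finished:
            m = _OP_RE.search(line)
            if m:
                s.ops_after_tls.append(m.group(1))
    return classify(s)

def classify(s: TlsSummary) -> TlsSummary:
    """Turn the milestones into a stage label and a pointer to the side to investigate."""
    if not s.starttls_accepted:
        s.stage = "no_starttls"
        s.advice = "no StartTLS extended operation was accepted; the client did not ask for TLS."
    elif not s.handshake_finished:
        s.stage = "server_handshake_failed"
        s.advice = ("slapd never wrote Finished; check that TLSCertificateFile, "
                    "TLSCertificateKeyFile and TLSCACertificateFile are readable and match.")
    elif s.client_closed_first and s.ops_after_tls == ["do_unbind"]:
        s.stage = "client_dropped_after_handshake"
        s.advice = ("slapd completed the handshake, then received close_notify and an unbind: "
                    "the client ended the session, so look at the client side. Reproduce with "
                    "the client's own debug output (e.g. ldapsearch -ZZ -d 1) and check the CA "
                    "file and host name the client uses to verify the server certificate. "
                    "'ber_get_next ... errno=0' only reports that the peer closed the socket.")
    else:
        s.stage = "session_used"
        s.advice = "TLS session established and LDAP operations were received on it."
    if not s.client_cert_presented:
        s.advice += " No client certificate was presented (error=49), which is normal unless slapd requires one."
    return s

if __name__ == "__main__":
    result = analyze_trace(SAMPLE_TRACE.splitlines())
    print(result.stage)
    print(result.advice)
```

Run against the trace from the post it reports `client_dropped_after_handshake`, which is the useful fact hidden in the output: every server-side step succeeded, and the first thing that went wrong is that the client chose to unbind and close the connection immediately after the handshake. The client's own debug output is therefore the next thing to read.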