
Re: fedora and openldap



On 04/13/2011 05:02 AM, Judith Flo Gaya wrote:
Hello Rich,

On 04/12/2011 10:24 PM, Rich Megginson wrote:
On 04/12/2011 02:18 PM, Judith Flo Gaya wrote:
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.19.5.13:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS certificate verification: subject: -unknown-, issuer: -unknown-,
cipher: -unknown-, security level: off, secret key bits: 0, total key
bits: 0, cache hits: 0, cache misses: 0, cache not reusable: 0
TLS certificate verification: bad
TLS certificate verification: Error, -8182: Unknown code ___f 10
TLS: error: connect - force handshake failure -1 - error -8182:Unknown
code ___f 10
TLS: can't connect: .
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

It seems that it doesn't like the certificate.

-8182 is SEC_ERROR_BAD_SIGNATURE.  During the TLS/SSL handshake, the
client tries to see if the server's cert is correctly signed by the CA
cert (the local ca-cert.pem).

Now I have the same error but using the moznss certs; the certificate was copied from the server and the cert command confirms the status of the certificate (so it's not bad...)

# ldapsearch -x -d1
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP server:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ip:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: using moznss security dir /etc/openldap/cacerts.
TLS certificate verification: subject: -unknown-, issuer: -unknown-, cipher: -unknown-, security level: off, secret key bits: 0, total key bits: 0, cache hits: 0, cache misses: 0, cache not reusable: 0
TLS certificate verification: bad
TLS certificate verification: Error, -8182: Unknown code ___f 10
TLS: error: connect - force handshake failure -1 - error -8182:Unknown code ___f 10
TLS: can't connect: .
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[root@curri2 ~]# certutil -d /etc/openldap/cacerts/ -L "name cert"

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

name cert                                                    CTu,u,u

# certutil -V -u V -d /etc/openldap/cacerts/ -n "name cert"
certutil: certificate is valid
please post the output of
certutil -L -d /etc/openldap/cacerts -n "name cert"

Also post the output of
openssl x509 -in /path/to/the/server-cert.pem -text

The server just complains about the tls communication:
 (TLS negotiation failure)

Do you think it is necessary to recompile the server so that the tls is done by moznss on both sides...
No.  That is not the problem.

Thanks for your help,
j
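The check Rich describes (the client tries to verify that the server's cert is correctly signed by the CA cert it holds locally) can be reproduced offline with openssl, the same tool whose "x509 -text" output he asks for. The script below is an added example and not code from the thread or from OpenLDAP; it assumes only that the openssl CLI is on PATH, and every key, cert and name in it ("Test LDAP CA", ldap.example.test) is constructed test material generated in a temp directory. It shows the trap visible in the thread: a cert whose issuer name matches the CA looks fine to the eye (and to a plain validity check) yet fails signature verification when the CA that actually signed it has a different key than the CA cert the client trusts.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce "does the CA cert the
# client holds verify the server cert's signature?" with openssl.
# Assumes the openssl CLI is on PATH. All keys/certs below are generated
# here in a temp dir; "Test LDAP CA" and ldap.example.test are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# gen_ca PREFIX CN : self-signed CA cert + private key
gen_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    -subj "/CN=$2" >/dev/null 2>&1
}

# gen_server_cert CA_PREFIX PREFIX : server cert signed with that CA's key
gen_server_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
    -out "$WORK/$2.csr" -subj "/CN=ldap.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 1 \
    -out "$WORK/$2.pem" >/dev/null 2>&1
}

# issuer_matches CA_PREFIX SERVER_PREFIX : "ok" when the server cert's
# issuer DN equals the CA cert's subject DN (what eyeballing the
# "openssl x509 -text" output compares), "mismatch" otherwise
issuer_matches() {
  ca_subj=$(openssl x509 -in "$WORK/$1.pem" -noout -subject)
  srv_iss=$(openssl x509 -in "$WORK/$2.pem" -noout -issuer)
  if [ "${ca_subj#subject=}" = "${srv_iss#issuer=}" ]; then
    echo ok
  else
    echo mismatch
  fi
}

# verify_chain CA_PREFIX SERVER_PREFIX : "ok" when the CA cert really
# verifies the server cert's signature, "bad" otherwise (non-zero exit
# from "openssl verify" is the CLI equivalent of the -8182 the client logs)
verify_chain() {
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo bad
  fi
}

# Two CAs with the same name but different keys: a server cert signed by
# the second looks right by issuer name yet fails signature verification
# against the first, which is the SEC_ERROR_BAD_SIGNATURE situation.
gen_ca ca-real  "Test LDAP CA"
gen_ca ca-stale "Test LDAP CA"
gen_server_cert ca-real  server-good
gen_server_cert ca-stale server-rekeyed

echo "server-good    vs ca-real: issuer=$(issuer_matches ca-real server-good) verify=$(verify_chain ca-real server-good)"
echo "server-rekeyed vs ca-real: issuer=$(issuer_matches ca-real server-rekeyed) verify=$(verify_chain ca-real server-rekeyed)"
```

Run it as-is; the first line prints issuer=ok verify=ok, the second issuer=ok verify=bad. On a real deployment the same comparison is "openssl verify -CAfile ca-cert.pem server-cert.pem" with the CA file the client is configured to use, which is a stronger check than confirming that the certificate is "valid" inside the database it was imported into.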