
Re: OpenLDAP SSL errors



At 01:48 PM 7/31/2001, Chris Black wrote:
>I am trying to get OpenLDAP over SSL working so I can use it 
>securely for logins. I am running on SuSE 7.1 w/ OpenLDAP 2.0.7.
>I have set up slapd.conf with the following SSL options:
># SSL/TLS config
>TLSCertificateFile      /etc/openldap/server.pem
>TLSCertificateKeyFile   /etc/openldap/server.pem
>TLSCACertificateFile    /etc/openldap/server.pem
>TLSVerifyClient false
>
>
>The server.pem file was generated by:
>openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 365
>
>I made sure that the common name was set to the FQDN of the ldap 
>server.
>
>On a client machine, I have ldap.conf set up as:
>HOST ldapserver
>BASE dc=sub,dc=domain,dc=com
>URI ldaps://ldapserver
>ssl yes
>
>
>On the ldap server I start in debug mode with:
>/usr/lib/openldap/slapd -d 1 -h "ldaps:///"
>and get:
>@(#) $OpenLDAP: slapd 2.0.7-Release (Mon Jun 18 20:50:20 GMT 2001) $
>        root@Hahn:/usr/src/packages/BUILD/openldap-2.0.7/servers/slapd
>daemon_init: listen on ldaps:///
>daemon_init: 1 listeners to open...
>ldap_url_parse(ldaps:///)
>daemon: socket() failed errno=97 (Address family not supported by protocol)
>daemon: initialized ldaps:///
>daemon_init: 1 listeners opened
>slapd init: initiated server.
>slap_sasl_init: initialized!
>slapd startup: initiated.
>slapd starting
>
>
>I am a bit concerned about the daemon socket() error but don't know 
>why it is happening.

Don't be.  It just means that slapd was built for IPv6 but
your system wasn't configured for it.


>After starting the ldap server in this way I try to run an 
>ldapsearch against it from a client:
>ldapsearch -H ldaps://ldapserver -x -b "" -s base

Use your FQDN as that's what's in your certificate.


>And get a segmentation fault on the client.

Use gdb to get a backtrace...

>The output from the slapd server debug is:
>ldap_pvt_gethostbyname_a: host=mcnode1.EraGen.com, r=0
>connection_get(9): got connid=0
>connection_read(9): checking for input on id=0
>TLS trace: SSL_accept:before/accept initialization
>TLS trace: SSL_accept:SSLv3 read client hello A
>TLS trace: SSL_accept:SSLv3 write server hello A
>TLS trace: SSL_accept:SSLv3 write certificate A
>TLS trace: SSL_accept:SSLv3 write server done A
>TLS trace: SSL_accept:SSLv3 flush data
>TLS trace: SSL_accept:error in SSLv3 read client certificate A
>TLS trace: SSL_accept:error in SSLv3 read client certificate A
>connection_get(9): got connid=0
>connection_read(9): checking for input on id=0
>TLS trace: SSL_accept:SSLv3 read client key exchange A
>TLS trace: SSL_accept:SSLv3 read finished A
>TLS trace: SSL_accept:SSLv3 write change cipher spec A
>TLS trace: SSL_accept:SSLv3 write finished A
>TLS trace: SSL_accept:SSLv3 flush data
>connection_get(9): got connid=0
>connection_read(9): checking for input on id=0
>ber_get_next
>ber_get_next on fd 9 failed errno=0 (Success)
>connection_read(9): input error=-2 id=0, closing.
>connection_closing: readying conn=0 sd=9 for close
>connection_close: conn=0 sd=9
>TLS trace: SSL3 alert write:warning:close notify
>
>
>The two lines I think might be interesting are the "error in SSLv3 
>read client certificate A"

Unless the client asserted a certificate, that's normal.

>and the line:
>ber_get_next on fd 9 failed errno=0 (Success)

just reporting what errno was at that point...

>ldap logins work if I don't use SSL so the problem must be with the 
>SSL functionality.
>
>I have been looking through the mailing list archives and have seen 
>people post with similar problems, but nobody seems to have 
>posted a fix as far as I have seen.
>
>Has anyone actually gotten OpenLDAP over SSL/TLS working?

Yes.

>If so, 
>could you please let me know what your config files look like?


#
# OpenLDAP public directory
#   ldap://ldap.openldap.org/
#

sasl-host   www.openldap.org
sasl-realm  OPENLDAP.ORG

TLSCipherSuite HIGH:MEDIUM
TLSCertificateFile  conf/server.pem
TLSCertificateKeyFile   conf/server.pem

include     conf/schema/core.schema
include     conf/schema/cosine.schema
include     conf/schema/inetorgperson.schema
include     conf/schema/openldap.schema

pidfile     var/slapd.pid
argsfile    var/slapd.args

database    ldbm
directory   var/ldbm
suffix      "dc=OpenLDAP,dc=org"
index objectclass eq

>What did 
>you do differently than me?
>Also, if someone could tell me what some of the error messages 
>from the debug output mean,

Means the client crashed....

>I might be able to try a few things 
>and try to track it down. If I do find a fix and get this working, 
>I will post my solution.
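Added example (not part of the thread): a small check that reproduces the mismatch pointed out above, comparing the host a client will connect to (from ldap.conf URI/HOST lines) against the names in the server certificate. It is stdlib-only Python; the ldap.conf content is copied from the question and the certificate name "ldapserver.sub.domain.com" is an assumed FQDN built from the BASE shown.

```python
"""Does the host in ldap.conf match the certificate's subject name?

Reproduces the diagnosis from the thread: ldapsearch -H ldaps://ldapserver
fails name verification when the certificate CN is the server's FQDN.
"""
from urllib.parse import urlsplit

# Constructed sample: the client-side ldap.conf quoted in the question.
LDAP_CONF = """\
HOST ldapserver
BASE dc=sub,dc=domain,dc=com
URI ldaps://ldapserver
ssl yes
"""

# Assumed FQDN for the certificate CN (not stated in the thread).
CERT_NAMES = ["ldapserver.sub.domain.com"]


def client_hosts(conf_text):
    """Hostnames a client built from this ldap.conf would connect to."""
    hosts = []
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].upper(), parts[1]
        if key == "URI":
            # ldaps:/// (no host) yields hostname None and is skipped below
            hosts.extend(urlsplit(uri).hostname for uri in value.split())
        elif key == "HOST":
            hosts.extend(value.split())
    return [h for h in hosts if h]


def name_matches(cert_name, host):
    """RFC 2818-style match: exact (case-insensitive) or one leftmost '*' label."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                 # ".sub.domain.com"
        label = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(label) and "." not in label
    return False


def check_client_config(conf_text, cert_names):
    """Map each client host to the certificate name it matches, or None."""
    return {h: next((n for n in cert_names if name_matches(n, h)), None)
            for h in client_hosts(conf_text)}
```

A `None` value means TLS name verification will fail for that host; fix ldap.conf to use the FQDN that is in the certificate rather than relaxing verification.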