
TLS port 636 (ldaps) not working


Another person recently e-mailed me asking the same question...here is my
reply to him.  I hope it helps,


>>I know this is a long shot, but I was reading through some archived
>>posts on an ldap list, and I'm having the exact same TLS issue you had
>>in your June 2001 post.  I can get authentication to work over ldap://
>>but not ldaps:// and I'm getting the Address family not recognized.

>>I was just wondering if you ever got this to work?

---------- Forwarded message ----------
Date: Fri, 18 Jan 2002 03:57:22 -0600 (CST)
From: aaltepet@cs.und.edu
To: Terry Ewing <tewing@ap.org>
Subject: Re: OpenLDAP as an authentication server


Thanks for your e-mail.  I have since solved the problem, and I do
remember how I did it.

Here is what is happening:
It looks like you probably have the following host configuration in your
ldap.conf file:

host my.host:636

For some reason, when ldapsearch attempts to connect, it is pretty dumb.
Even though you have specified the secure port (636), it thinks that port
636 is a plain ldap port.  So, your ldap server receives the connection on
port 636, expecting some 'secure' talk.  It doesn't recognize what it
sees because the packet that it gets is requesting a search.  Get it?
ldapsearch thinks that port 636 is an insecure port.

So, how do you fix this?  The way I fixed this was this.  Instead of
specifying a host, I used the other method:  using the URI directive.
The format is basically the same:

URI ldaps://my.hostname.org

Using the URI is very nice, because you can specify whether to use a
secure port or not.  That information is specified when you say
'ldap://my.hostname.org' or 'ldaps://my.hostname.org'.  If you say
ldap://, then your tools will automatically use the insecure port.  If you
say ldaps://, then your tools will use port 636.

Make sure you don't try host ldaps://my.hostname.org!  If you use the host
directive, it splits the text following it to be host:port.  It took me
about two weeks to figure that one out!

So, once you do that, it should be fine...just use URI ldaps://hostname

Also, if you are working on porting over authentication from
samba/apache/ftp, and what-not, beware that you will probably have to use
start_tls in those, so don't waste your time trying to get ssl
working...just go the tls route with start_tls...it's really easy!

Hope this advice has helped you.

On Fri, 18 Jan 2002, Terry Ewing wrote:

> Hello Andrew,
>    I ran across a post you made a while back to the openLDAP mailing list
> about a TLS error you had.  I've been having the same error and I was
> wondering if you had solved the problem.  I'm getting an error on my LDAP
> server whenever a client tries to use TLS to connect.
> daemon: activity on 1 descriptors
> daemon: new connection on 8
> daemon: added 8r
> daemon: activity on:
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptors
> daemon: activity on: 8r
> daemon: read activity on 8
> connection_get(8): got connid=3
> connection_read(8): checking for input on id=3
> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
> TLS: can't accept.
> TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> s23_srvr.c:565
> connection_read(8): TLS accept error error=-1 id=3, closing
> connection_closing: readying conn=3 sd=8 for close
> connection_close: conn=3 sd=8
> daemon: removing 8
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptors
> daemon: select: listen=7 active_threads=0 tvp=NULL
> Like I said, I believe it is the same error you had posted about.  Your
> original post was back in July of 2001 so I'm not sure if you remember much
> about the fix to the problem.  I expect that I've just not done something
> correctly, especially as this is my first time setting up TLS within LDAP.
> If you can offer me any pointers I'd really be grateful.
> Thanks for your time,
> Terry Ewing
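The following is an added example, not code from this thread or from OpenLDAP. It models the ldap.conf behaviour described above (the `host` directive is split at ':' into host:port and always speaks plain LDAP; the `URI` directive carries the scheme, and ldaps:// means TLS from the first byte) and then shows what a TLS listener on port 636 makes of the first byte each configuration sends, which is why slapd logs `SSL23_GET_CLIENT_HELLO:unknown protocol`. The directive semantics are taken from the message rather than from OpenLDAP's source; the default ports 389/636, the leading byte of a TLS handshake record (0x16) and of a BER-encoded LDAPMessage (0x30) are standard. It goes slightly beyond the thread by also covering the plain `URI ldap://` case. The ldap.conf fragments at the bottom are constructed for the example.

```python
"""Why `host my.host:636` fails and `URI ldaps://...` works (added example).

Assumptions (from the message above, not from OpenLDAP source): `host` is
split at ':' into host:port and always means plain LDAP; `URI` carries the
scheme, and ldaps:// means TLS from the very first byte.
"""
from dataclasses import dataclass

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}


@dataclass
class Plan:
    host: str
    port: int
    tls_on_connect: bool  # True only for ldaps://; plain LDAP starts in the clear


def parse_ldap_conf(text: str) -> Plan:
    """Return the connection the client will attempt from the first host/URI
    directive, or raise ValueError for a directive that cannot be used."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            # `host` has no notion of a scheme: the text is split as host:port
            # and the client talks plain LDAP whatever the port number is.
            host, sep, port = value.partition(":")
            if not sep:
                return Plan(host, DEFAULT_PORT["ldap"], False)
            if not port.isdigit():
                raise ValueError(
                    f"host directive split into host={host!r} port={port!r}; "
                    "a scheme belongs in a URI directive")
            return Plan(host, int(port), False)
        if key == "uri":
            scheme, sep, rest = value.partition("://")
            scheme = scheme.lower()
            if not sep or scheme not in DEFAULT_PORT:
                raise ValueError(f"URI directive: unsupported scheme in {value!r}")
            host, sep, port = rest.rstrip("/").partition(":")
            port_num = int(port) if sep else DEFAULT_PORT[scheme]
            return Plan(host, port_num, scheme == "ldaps")
    raise ValueError("no host or URI directive found")


def first_byte_sent(plan: Plan) -> int:
    """Leading byte of the client's first packet: a TLS handshake record for
    ldaps://, otherwise the BER SEQUENCE tag that opens every LDAPMessage."""
    return 0x16 if plan.tls_on_connect else 0x30


def classify_first_byte(byte: int) -> str:
    """What a TLS listener (port 636) makes of the first byte it receives."""
    if byte == 0x16:
        return "TLS handshake record: accept proceeds"
    if byte & 0x80:
        return "SSLv2-compatible ClientHello: accept proceeds"
    if byte == 0x30:
        return "BER SEQUENCE (plaintext LDAP): SSL_accept fails with 'unknown protocol'"
    return "not a TLS hello: SSL_accept fails with 'unknown protocol'"


def diagnose(conf_text: str) -> str:
    """One-line explanation of what a TLS server on the chosen port will see."""
    try:
        plan = parse_ldap_conf(conf_text)
    except ValueError as err:
        return f"client cannot connect: {err}"
    seen = classify_first_byte(first_byte_sent(plan))
    return f"{plan.host}:{plan.port} tls_on_connect={plan.tls_on_connect} -> {seen}"


# Constructed ldap.conf fragments: the failing form, the pitfall, and the fix.
BROKEN_CONF = "host my.host:636\n"
PITFALL_CONF = "host ldaps://my.hostname.org\n"
WORKING_CONF = "URI ldaps://my.hostname.org\n"

if __name__ == "__main__":
    for name, conf in [("broken", BROKEN_CONF), ("pitfall", PITFALL_CONF),
                       ("working", WORKING_CONF)]:
        print(f"{name:8s} {conf.strip():30s} {diagnose(conf)}")
```

Run it and the three lines line up with the thread: the `host my.host:636` form sends a BER SEQUENCE to a listener expecting a ClientHello, the `host ldaps://...` form never produces a usable host:port pair, and only the `URI ldaps://...` form starts TLS on connect. The same first-byte check is a quick way to read a packet capture of a failing connection: 0x30 at offset zero of the client's first segment means the client is not doing TLS, whatever port it chose.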