
Re: Connect to LDAP via ssl failed



hi,

I've followed the steps to generate the certificate and transferred it to the administrator of our AD server for import into the Personal Computer store and the Trusted Root CA store. However, I still cannot connect to that AD server via SSL; I get the same error message, "Cannot contact the LDAP server", which is almost driving me mad. I suspect I have missed some configuration on the AD server.

Anyway, thanks for your help and kindness.

Have a nice day!:-)

Afar
_________________________________
Things would always be better than what we had expected...
So Try and Learn and Get more! :-)


----- Original Message ----- 
From: "Rechenberg, Andrew" <arechenberg@shermfin.com>
To: "afardong" <afardong@263.sina.com>; <openldap-software@OpenLDAP.org>
Sent: Friday, December 06, 2002 9:23 PM
Subject: RE: Connect to LDAP via ssl failed


> 
> You have to make sure that a private key is associated with the
> certificate that is generated.  If you have a Red Hat Linux installation
> available, it is quite easy to generate a certificate for use with your
> AD server.
> 
> For Red Hat do the following:
> 
> 1. Verify that OpenSSL is installed (rpm -q openssl).  Install if
> necessary.
> 2. cd /usr/share/ssl/certs/
> 3. make SOMEFILE.pem
> 4. Input the data requested.
> 5. openssl pkcs12 -export -in SOMEFILE.pem -out SOMEFILE.p12 -name
> "SOMENAMEHERE"
> 6. Transfer the p12 file to the AD server and import it into the
> Personal Computer store and the Trusted Root CA store.
> 
> Those are the exact steps I took and then I could use SSL with
> ldapsearch (which, I believe, uses the same ldap_* calls as you are
> trying to make with VC) to connect to our domain controllers.  
> 
> Hope this helps,
> Andy.
> 
> -----Original Message-----
> From: afardong [mailto:afardong@263.sina.com] 
> Sent: Thursday, December 05, 2002 8:31 PM
> To: Rechenberg, Andrew; openldap-software@OpenLDAP.org
> Subject: Re: Connect to LDAP via ssl failed
> 
> 
> hi, 
> 
> Thanks for your advice. Our administrator of the AD server had generated a
> certificate and imported it into the Personal Computer store and the Trusted Root
> CA store on the server itself before, but I still failed to connect to the AD server
> from a remote host via SSL. Here's the result I got using openssl (on Linux) to
> verify the certificate of the AD server:
> ---
> New, TLSv1/SSLv3, Cipher is RC4-MD5
> Server public key is 1024 bit
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : RC4-MD5
>     Session-ID:
> 3D1400009BBAA03598DC56D949FC28D940924372EEF40AF8D8A37AD8A8A83F56
>     Session-ID-ctx:
>     Master-Key:
> D60476FD2077EC2A5D440EA81DE35FCAF9DAB3DA7537207724705C00ADE06693C839490F
> 7B2128F3E01E62FF72C21432
>     Key-Arg   : None
>     Start Time: 1039137298
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
> 
> I'd like to try your approach, but I don't know how to
> generate a new certificate with openssl (on Windows) or how to import
> it into the Personal Computer store and the Trusted Root CA store.
> 
> Thanks a lot :-)
> 
> Afar
> _________________________________
> Things would always be better than what we had expected...
> So Try and Learn and Get more! :-)
> 
> 
> ----- Original Message ----- 
> From: "Rechenberg, Andrew" <arechenberg@shermfin.com>
> To: "afardong" <afardong@263.sina.com>; <openldap-software@OpenLDAP.org>
> Sent: Thursday, December 05, 2002 9:31 PM
> Subject: RE: Connect to LDAP via ssl failed
> 
> 
> 
> WRT Active Directory, I believe that the AD server has to have a valid
> certificate with the fully qualified domain name of the server as the CN
> in the certificate.  I had the same problem not being able to connect to
> an Active Directory via SSL with ldapsearch from Red Hat Linux and the
> certificate that was issued to the AD server by our MS CA had expired.  
> 
> I generated a new certificate with OpenSSL, imported it into the
> Personal Computer store, and the Trusted Root CA store on the AD server,
> and then I was able to use SSL with ldapsearch to connect to the AD
> server.
> 
> If I'm way off on this one, someone please correct me.
> 
> Regards,
> Andy.
> 
> 
> -----Original Message-----
> From: afardong [mailto:afardong@263.sina.com] 
> Sent: Thursday, December 05, 2002 1:38 AM
> To: openldap-software@OpenLDAP.org
> Subject: Connect to LDAP via ssl failed
> 
> 
> Hi,
> 
> I am trying to perform some searches with VC against a remote LDAP
> server or Active Directory. The job is divided into the following steps:
> ldap_init, ldap_set_option (version 3), ldap_connect, ldap_bind_s, then
> ldap_search_s, and printing the results, etc. The code runs well with those
> steps, but when I try to connect to the remote LDAP server via SSL, the problem
> appears. Using ldap_sslinit instead of ldap_init, I get the error "Cannot
> contact the LDAP server." every time ldap_connect is called. I used
> netstat to monitor the connection status and did find that the code gets
> connected to the remote server (port 636).
> 
> Could anyone give me some advice? Thanks :-)
> 
> afar
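The certificate-generation procedure Andy describes (make a PEM with OpenSSL, export it to PKCS#12 with the private key, import it on the domain controller) and his earlier point that the certificate must carry the server's fully qualified domain name as the CN can be scripted and checked before anything is copied to the AD server. The script below is an added example written for this page; it is not code posted by anyone in the thread. It assumes OpenSSL 1.1.1 or later (for -addext), a hypothetical domain controller name dc1.example.test, and a placeholder export password; replace both with your own values.

```shell
#!/bin/sh
# Added example (not from the thread): build an LDAPS certificate for a
# domain controller with OpenSSL and verify the properties the DC needs
# before importing the .p12 into the Computer Personal store.
set -eu

FQDN="${FQDN:-dc1.example.test}"    # hypothetical DC name; use the real FQDN
P12_PASS="${P12_PASS:-changeit}"    # placeholder export password

# Self-signed certificate whose CN and DNS SAN are the DC's FQDN, with the
# Server Authentication EKU, then a PKCS#12 bundle that carries the private
# key. A .p12 without the key is the failure Andy warns about: the cert
# appears in the Personal store but the DC cannot use it for port 636.
make_ldaps_cert() {
    fqdn="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$fqdn.key" -out "$fqdn.pem" \
        -subj "/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" \
        -addext "extendedKeyUsage=serverAuth" \
        -addext "keyUsage=digitalSignature,keyEncipherment" 2>/dev/null
    openssl pkcs12 -export -in "$fqdn.pem" -inkey "$fqdn.key" \
        -out "$fqdn.p12" -name "$fqdn" -passout "pass:$P12_PASS"
}

# Prints "ok" when the PEM names the FQDN as CN and as a DNS SAN, carries
# the serverAuth EKU, verifies against itself as a trust anchor, and the
# .p12 actually contains a private key. Prints the first failing check
# and returns non-zero otherwise.
check_ldaps_cert() {
    fqdn="$1"
    text=$(openssl x509 -in "$fqdn.pem" -noout -text)
    echo "$text" | grep -q "Subject:.*CN *= *$fqdn" \
        || { echo "CN is not $fqdn"; return 1; }
    echo "$text" | grep -q "DNS:$fqdn" \
        || { echo "no DNS SAN for $fqdn"; return 1; }
    echo "$text" | grep -q "TLS Web Server Authentication" \
        || { echo "no serverAuth EKU"; return 1; }
    openssl verify -CAfile "$fqdn.pem" "$fqdn.pem" >/dev/null 2>&1 \
        || { echo "certificate does not verify against itself"; return 1; }
    openssl pkcs12 -in "$fqdn.p12" -nocerts -nodes -passin "pass:$P12_PASS" 2>/dev/null \
        | grep -q "PRIVATE KEY" \
        || { echo "p12 bundle has no private key"; return 1; }
    echo ok
}

make_ldaps_cert "$FQDN"
check_ldaps_cert "$FQDN"
```

The .p12 contains the private key, so transfer it over a protected channel and delete local copies once it is imported. On the client side, the "Verify return code: 21 (unable to verify the first certificate)" in the s_client output earlier in the thread means the client had no trusted copy of the issuing certificate; running openssl s_client -connect dc1.example.test:636 -CAfile dc1.example.test.pem (the PEM produced above, copied to the client) should report return code 0 if the DC is serving the new certificate.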