
having trouble getting ldaps to work



hi,

I'm trying to get the ldaps protocol to work.  TLS on port 389 seems to work, but I have a third party app that wants to use ldaps on port 636.
Here is the error message from the debugging output (full output included below):

TLS: can't accept.
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:565
connection_read(13): TLS accept error error=-1 id=0, closing


I'd really appreciate it if someone could tell me what I'm doing wrong.

TIA
Peter Johnson



I configured with:
env CPPFLAGS="-I/usr/local/BerkeleyDB.4.1/include"	LDFLAGS="-L/usr/local/BerkeleyDB.4.1/lib" ./configure --enable-ldbm --with-cyrus-sasl --with-tls

all the tests completed.

searches on port 389 work even if the -Z (TLS) option is specified.

searches on port 636 fail:
/home/paj1> ldapsearch -h server3029.humboldt.edu -p 636 -x -D cn=manager,dc=humboldt,dc=edu -w xxxxxx  uid=paj1
ldap_bind: Can't contact LDAP server
/home/paj1>

debugging w/ -d -1 results in:

slapd startup: initiated.
bdb_db_open: dc=humboldt,dc=edu
bdb_db_open: dbenv_open(/usr/local/var/openldap-data)
slapd starting
daemon: added 6r
daemon: added 7r
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: new connection on 13
ldap_pvt_gethostbyname_a: host=server3029.humboldt.edu, r=0
str2filter "(objectclass=*)"
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
begin get_filter
PRESENT
ber_scanf fmt (m) ber:
ber_dump: buf=0x08203720 ptr=0x08203720 end=0x0820372d len=13
  0000:  87 0b 6f 62 6a 65 63 74  63 6c 61 73 73            ..objectclass     
end get_filter 0
conn=0 fd=13 ACCEPT from IP=137.150.148.6:46937 (IP=0.0.0.0:636)
daemon: added 13r
daemon: activity on:
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 13r
daemon: read activity on 13
connection_get(13)
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
  0000:  30 31 02 01 01 60 2c 02  01 03 04                  01...`,....       
TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
TLS: can't accept.
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:565
connection_read(13): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=13 for close
connection_close: conn=0 sd=13
daemon: removing 13
conn=0 fd=13 closed
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: shutdown requested and initiated.
daemon: closing 6
daemon: closing 7
slapd shutdown: waiting for 0 threads to terminate
slapd shutdown: initiated


I have the certificates set up per the instructions on the FAQ.
Here is part of the slapd.conf file:

TLSCACertificateFile /usr/local/etc/openldap/certs/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/certs/servercrt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/certs/serverkey.pem
TLSCipherSuite DHE-DSS-RC4-SHA:EXP1024-DHE-DSS-RC4-SHA:EXP1024-RC4-SHA:EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DES-CBC-SHA:EXP1024-RC2-CBC-MD5:EXP1024-RC4-MD5:EDH-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC3-SHA:EDH-DSS-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:DES-CBC3-SHA:DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:RC4-SHA:RC4-MD5:EXP-RC4-MD5:ADH-DES-CBC3-SHA:ADH-DES-CBC-SHA:EXP-ADH-DES-CBC-SHA:ADH-RC4-MD5:EXP-ADH-RC4-MD5:RC4-64-MD5:DES-CBC3-MD5:DES-CBC-MD5:RC2-CBC-MD5:EXP-RC2-CBC-MD5:RC4-MD5:EXP-RC4-MD5
TLSVerifyCLient never
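What the ldaps listener actually received, as an added diagnostic that is not part of the original post: this Python script takes the 11 bytes from the `tls_read` hex dump in the trace above and tells a TLS/SSL ClientHello apart from a BER-encoded LDAPMessage (the plaintext LDAP bind a client sends when it does not start TLS first). The sample bytes are copied from the trace; the small BER decoder and tag table are my own, not OpenLDAP code.

```python
"""Classify the first bytes a TLS listener receives: TLS handshake or plaintext LDAP?"""

# Constructed from the hex dump in the slapd trace (tls_read: want=11, got=11).
CAPTURED = bytes.fromhex("30 31 02 01 01 60 2c 02 01 03 04")

# LDAP protocolOp tags we care about ([APPLICATION n], constructed).
LDAP_OPS = {0x60: "bindRequest", 0x63: "searchRequest", 0x42: "unbindRequest"}


def ber_tlv(buf, pos):
    """Decode one BER tag and length at pos; return (tag, length, value_start)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:  # long-form length: 0x8n followed by n length bytes
        n = length & 0x7F
        return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, length, pos + 2


def describe_ldap(data):
    """Peek into LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp ... }."""
    try:
        tag, _, pos = ber_tlv(data, 0)
        if tag != 0x30:
            raise ValueError("not a SEQUENCE")
        tag, ln, pos = ber_tlv(data, pos)
        if tag != 0x02:
            raise ValueError("messageID missing")
        msg_id = int.from_bytes(data[pos:pos + ln], "big")
        op_tag, _, pos = ber_tlv(data, pos + ln)
        op = LDAP_OPS.get(op_tag, "op 0x%02x" % op_tag)
        detail = ""
        if op_tag == 0x60:  # bindRequest: first field is the LDAP version INTEGER
            tag, ln, pos = ber_tlv(data, pos)
            detail = ", LDAPv%d" % int.from_bytes(data[pos:pos + ln], "big")
        return "messageID=%d %s%s" % (msg_id, op, detail)
    except (ValueError, IndexError):
        return "truncated/garbled BER"


def classify(data):
    """Return a short label for the protocol the first bytes look like."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-record (ClientHello), version 3.%d" % data[2]
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-compatible ClientHello"
    if data and data[0] == 0x30:  # BER SEQUENCE: every LDAPMessage starts this way
        return "plaintext LDAP: " + describe_ldap(data)
    return "unknown"


if __name__ == "__main__":
    print(classify(CAPTURED))  # plaintext LDAP: messageID=1 bindRequest, LDAPv3
```

OpenSSL's `SSL23_GET_CLIENT_HELLO:unknown protocol` is exactly this case: the first bytes were not any SSL/TLS hello but a plain LDAP bind, which is what a client sends when it connects to port 636 with a plain `ldap://` connection (for ldapsearch, `-h`/`-p` rather than an `-H ldaps://...` URI).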