
Problem connecting using TLS

I have tried so many examples, the OpenLDAP FAQ, my OpenLDAP book, an
article from the Linux Journal. Nothing has helped me get TLS to work on
my OpenLDAP 2.1.23 server. I hope someone can shed some light on what I
may be doing wrong. I understand that you do not have to use the
'--with-tls' option, it is auto, when compiling openldap-2.1.23, and it
was not done. If this is my problem, stop there and let me know.

I create the cert and key per the OpenLDAP FAQ, set up ownership to the
ldap user on these files and make them 600 for the key and 644 for the
cert and cacert. Here is the slapd.conf configuration in the global
section:

TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateFile /etc/openldap/servercrt.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem

Server starts fine and my netstat shows the following:

[root /root]# netstat -na
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.16:636        0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:389           0.0.0.0:*               LISTEN

I copy the cacert.pem to my RedHat Linux 9 workstation and verify it as
follows:

openssl s_client -connect hermes.webtent.org:636 -CAfile /home/robert/cacert.pem
[...]
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 73C0D614B0850F5139E408CB3BB16B82509765CA06B6D50D1971073198B123DF
    Session-ID-ctx:
    Master-Key: 38350005EC9E0A41CA2A0578344C0901916867DCE15EC8C165EB655A1528FCFBB247A61BC1E1FB7A9082C25D679E3958
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1066655627
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

I put 'tls_cert /home/robert/cacert.pem' in my home directory in
.ldaprc. Trying to connect from the workstation produces the following:

[robert@columbus robert]$ ldapsearch -x -Z -b "dc=hermes,dc=webtent,dc=org" -D "cn=Manager,dc=hermes,dc=webtent,dc=org" -W "(ObjectClass=*)" -h "hermes.webtent.org"
ldap_start_tls: Can't contact LDAP server
Enter LDAP Password:
ldap_bind: Can't contact LDAP server

Any ideas why I can't get connected?
-- 
Robert
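An added example, not part of Robert's post: a small check that parses `netstat -na` listener lines like the ones quoted above and reports, for the plain LDAP port (389, the one `ldapsearch -Z` uses for StartTLS when no `-p` is given) and the ldaps port (636), whether each is bound to an address a remote workstation can reach or only to loopback. The sample output is constructed to match the post.

```python
# Added example (not from the original post): classify LDAP listeners from
# `netstat -na` output as reachable remotely or bound to loopback only.
import ipaddress

# Constructed sample, matching the listener lines quoted in the post.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.16:636        0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:389           0.0.0.0:*               LISTEN
"""

LDAP_PORTS = {389: "ldap (StartTLS via -Z)", 636: "ldaps"}


def parse_listeners(netstat_text):
    """Return {port: [bound addresses]} for every TCP socket in LISTEN state."""
    listeners = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp" or fields[-1] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # works for IPv6 too
        listeners.setdefault(int(port), []).append(addr)
    return listeners


def remote_reachable(addresses):
    """True if any bound address is non-loopback; 0.0.0.0 / :: mean all interfaces."""
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip.is_unspecified or not ip.is_loopback:
            return True
    return False


def check_ldap_listeners(netstat_text):
    """Map each LDAP port to 'remote', 'loopback-only' or 'not listening'."""
    listeners = parse_listeners(netstat_text)
    result = {}
    for port in LDAP_PORTS:
        if port not in listeners:
            result[port] = "not listening"
        elif remote_reachable(listeners[port]):
            result[port] = "remote"
        else:
            result[port] = "loopback-only"
    return result


if __name__ == "__main__":
    for port, status in check_ldap_listeners(SAMPLE_NETSTAT).items():
        print(f"{port}/tcp {LDAP_PORTS[port]}: {status}")
```

For the quoted output this reports 636 as reachable remotely and 389 as loopback-only, which is why a remote StartTLS client on the default port cannot reach the server even though `openssl s_client` to 636 verifies fine.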