
TLS



Hi!

  I have an error with LDAP starting over TLS. Some additional information:

- I'm using Debian Sarge Linux
- testserver:/etc/ldap# ifconfig
eth1      Link encap:Ethernet  HWaddr 00:E0:7D:E8:3D:58
          inet addr:10.0.0.185  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:150597 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38350 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:21494324 (20.4 MiB)  TX bytes:5396321 (5.1 MiB)
          Interrupt:11 Base address:0xa000
- testserver:/etc/ldap# host 10.0.0.185
Name: testserver.aitia
Address: 10.0.0.185
- testserver:/etc/ldap# openssl req -new -x509 -nodes -out slapd.pem -keyout slapdkey.pem -days 365
Generating a 1024 bit RSA private key
.....................................................................++++++
.....................++++++
writing new private key to 'slapdkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:HU
State or Province Name (full name) [Some-State]:Hungary
Locality Name (eg, city) []:Budapest
Organization Name (eg, company) [Internet Widgits Pty Ltd]:AITIA Rt.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:testserver.aitia
Email Address []:root@aitia.ai

I have tried with CA.sh, but the problem was the same
(http://www.openldap.org/faq/data/cache/185.html)

- I have modified the /etc/defaults/slapd with SLAPD_OPTIONS="-d 1 -h ldaps:///"

At the end
testserver:/etc/ldap# /etc/init.d/slapd restart
Stopping OpenLDAP: slapd.
Starting OpenLDAP: slapd - failed.
The operation failed but no output was produced. For hints on what went
wrong please refer to the system's logfiles (e.g. /var/log/syslog) or
try running the daemon in Debug mode like via "slapd -d 16383" (warning:
this will create copious output).

But if I run slapd like this:
slapd -d 1 -h ldaps:/// -f /etc/ldap/slapd.conf &
it starts, but the search responds with:

ldapsearch -x -H ldaps://localhost/ -b 'dc=aitia,dc=intra'

ldap_pvt_gethostbyname_a: host=testserver, r=0
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ber_scanf fmt (m) ber:
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
TLS certificate verification: depth: 0, err: -49, subject: -unknown-,
issuer: -unknown-
TLS certificate verification: Error, Unknown error
connection_read(12): unable to get TLS client DN error=49 id=0
ldap_bind: Can't contact LDAP server (81)
        additional info: TLS: hostname does not match CN in peer
certificate
testserver:/etc/ldap# connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next on fd 12 failed errno=104 (Connection reset by peer)
connection_read(12): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=12 for close
connection_close: conn=0 sd=12



What does this mean:

TLS certificate verification: depth: 0, err: -49, subject: -unknown-,
issuer: -unknown-
TLS certificate verification: Error, Unknown error
connection_read(12): unable to get TLS client DN error=49 id=0
ldap_bind: Can't contact LDAP server (81)
        additional info: TLS: hostname does not match CN in peer certificate

Why doesn't the hostname match?!

  Best Regards
bzg
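The check that produced the "TLS: hostname does not match CN in peer certificate" line above is the client's hostname verification: ldapsearch was pointed at ldaps://localhost/, while the certificate generated in the post carries a Common Name of testserver.aitia, and a TLS client must refuse a certificate whose names do not cover the host it was asked to connect to. The following is an added example, not code from the post or from OpenLDAP, showing that matching rule in isolation. The certificate is a constructed Python dict in the shape that ssl.SSLSocket.getpeercert() returns; the subject fields are the ones typed into the openssl prompt in the post, and the variant with a subjectAltName is an assumption made to show what a certificate that also covers "localhost" would look like.

```python
"""Hostname-vs-certificate name matching (RFC 6125 style), the check behind
'TLS: hostname does not match CN in peer certificate'.

Added example, not code from the original post or from OpenLDAP.
"""

# Constructed: what getpeercert() would return for the poster's self-signed
# certificate. Subject values come from the openssl prompt in the post; the
# 'openssl req' invocation shown requests no subjectAltName, so none is here.
POSTER_CERT = {
    "subject": (
        (("countryName", "HU"),),
        (("stateOrProvinceName", "Hungary"),),
        (("localityName", "Budapest"),),
        (("organizationName", "AITIA Rt."),),
        (("commonName", "testserver.aitia"),),
        (("emailAddress", "root@aitia.ai"),),
    ),
}

# Assumed (not from the post): the same certificate re-issued with a
# subjectAltName that also lists the loopback name the client was given.
CERT_WITH_SAN = dict(POSTER_CERT, subjectAltName=(
    ("DNS", "testserver.aitia"),
    ("DNS", "localhost"),
))


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one certificate DNS name against a hostname.

    A single '*' is accepted only as the entire leftmost label, only when at
    least two labels follow it, and it never matches across a dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def cert_names(cert: dict) -> list:
    """Names the client may compare the hostname against.

    subjectAltName dNSName entries take precedence; the subject commonName is
    the legacy fallback used only when no SAN is present (the poster's case).
    """
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if any certificate name covers the hostname the client used."""
    return any(_dns_name_matches(n, hostname) for n in cert_names(cert))


def explain(cert: dict, hostname: str) -> str:
    """Verdict in the wording the post's ldapsearch printed."""
    names = cert_names(cert)
    if hostname_matches(cert, hostname):
        return f"ok: {hostname!r} matches certificate name(s) {names}"
    return ("TLS: hostname does not match CN in peer certificate "
            f"(connected to {hostname!r}, certificate names: {names})")


if __name__ == "__main__":
    # The post: -H ldaps://localhost/ against a certificate for testserver.aitia
    print(explain(POSTER_CERT, "localhost"))
    # Using the name on the certificate instead
    print(explain(POSTER_CERT, "testserver.aitia"))
    # A certificate that lists both names (assumed variant)
    print(explain(CERT_WITH_SAN, "localhost"))
```

The first call reproduces the failure in the post; the second shows the same certificate accepted once the client addresses the server by the name on the certificate. Adding names to the certificate, as in the third call, is the other direction of the fix; what the check will never do is accept a certificate for a name the client did not ask for, which is exactly what protects an LDAP bind from being redirected to a different server.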