
TLS and Apple AddressBook.app or Directory Services in 10.3.4

Listers:

I've compiled and configured OpenLDAP 2.2.14 with OpenSSL version 0.9.7a and configured it to use TLS. I'm running it on RH Enterprise Linux 3.0 (technically, it's White Box Linux, a clone made from the RH SRPMs). While the OpenLDAP install was self-compiled, the OpenSSL library was just the standard RH install.

On my Powerbook running OS X 10.3.4, I can use ldapsearch (against the Linux box) with ssl and it will search my directory just fine.

ldapsearch -x -ZZ -h 192.168.2.6   (that's the IP of my Linux box)

Also works lovely from the Linux console.

However, I cannot get Apple's Addressbook.app and/or Directory Services (used for login window authentication, among other things) to search the LDAP directory. Running slapd with debugging turned on (-d 127) on the Linux server, I get the following entries:

daemon: activity on 1 descriptors
daemon: new connection on 10
daemon: added 10r
daemon: activity on:
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10)
connection_get(10): got connid=30
connection_read(10): checking for input on id=30
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
  0000:  30 1d 02 01 01 77 18 80  16 31 2e                  0....w...1.
TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
TLS: can't accept.
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
s23_srvr.c:585
connection_read(10): TLS accept error error=-1 id=30, closing
connection_closing: readying conn=30 sd=10 for close
connection_close: conn=30 sd=10
daemon: removing 10
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL

Besides the obvious of filing a bug report with Apple, has anyone tried this and got it to work, and perhaps has some suggestions? Addressbook.app will search the directory fine if I don't use SSL.

I'm using a self-signed certificate for the TLS sessions. I've imported the CA cert (self-generated by openssl) into the OS X keychain per Apple's instructions. Other OS X services can use that CA to connect to other SSL servers whose certificates were signed with the same (such as IMAP or HTTP) without trouble.

Any help would be greatly appreciated.

Cheers!
-Joe
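The slapd trace in the post is worth reading byte by byte: right after SSL_accept() starts, the listener reads 11 bytes and OpenSSL rejects them as "unknown protocol", meaning they were not a TLS handshake record at all. The hex dump `30 1d 02 01 01 77 18 80 16 31 2e` is a BER SEQUENCE, which is how every plaintext LDAP message begins. The helper below is an added example (not code from the post, from OpenLDAP or from Apple) that tells a TLS record apart from a plaintext LDAPMessage and decodes the LDAP case far enough to name the operation. It assumes only the standard encodings from RFC 4511 (protocolOp tags, the StartTLS requestName OID) and the TLS/SSLv2 record header layout; the dump itself is truncated after the first two characters of the requestName, so the StartTLS comparison is reported as "consistent with", not as proof. The TLS record header used for contrast is constructed here.

```python
"""Classify the first bytes a TLS-expecting listener received.

Sample input: the 11 bytes from the slapd -d 127 trace in the post, plus a
constructed TLS 1.0 handshake record header for contrast.
"""

# RFC 4511 protocolOp tags (class APPLICATION, constructed); a few for illustration
LDAP_OPS = {
    0x60: "BindRequest",
    0x63: "SearchRequest",
    0x77: "ExtendedRequest",
}
# Standard StartTLS requestName OID (RFC 4511 section 4.14); 22 characters long
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def read_ber_length(data, pos):
    """Return (length, next_pos) for the BER length at data[pos], or None if cut off."""
    if pos >= len(data):
        return None
    first = data[pos]
    if first < 0x80:                       # short form: one byte
        return first, pos + 1
    count = first & 0x7F                   # long form: count of following length bytes
    if count == 0 or pos + 1 + count > len(data):
        return None
    length = int.from_bytes(data[pos + 1:pos + 1 + count], "big")
    return length, pos + 1 + count


def classify_first_bytes(data):
    """Say what protocol the leading bytes look like; decode LDAP as far as possible."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return {"kind": "tls_record", "detail": "TLS handshake record, version 3.%d" % data[2]}
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return {"kind": "sslv2_client_hello", "detail": "SSLv2-style ClientHello"}
    if data[:1] != b"\x30":
        return {"kind": "unknown", "detail": "neither TLS nor a BER SEQUENCE"}

    result = {"kind": "ldap_plaintext"}
    r = read_ber_length(data, 1)           # LDAPMessage ::= SEQUENCE { ... }
    if r is None:
        return result
    _, pos = r
    if data[pos:pos + 1] != b"\x02":       # messageID INTEGER
        return result
    r = read_ber_length(data, pos + 1)
    if r is None:
        return result
    id_len, pos = r
    result["message_id"] = int.from_bytes(data[pos:pos + id_len], "big")
    pos += id_len
    if pos >= len(data):
        return result
    op_tag = data[pos]                     # protocolOp CHOICE tag
    result["operation"] = LDAP_OPS.get(op_tag, "tag 0x%02x" % op_tag)
    r = read_ber_length(data, pos + 1)
    if r is None:
        return result
    _, pos = r
    if op_tag == 0x77 and data[pos:pos + 1] == b"\x80":   # requestName [0] LDAPOID
        r = read_ber_length(data, pos + 1)
        if r is None:
            return result
        name_len, pos = r
        prefix = data[pos:pos + name_len]  # may be shorter than name_len if the dump is cut
        result["request_name_len"] = name_len
        result["request_name_prefix"] = prefix
        result["request_name_truncated"] = len(prefix) < name_len
        # Only what the captured bytes allow us to say: same length and same prefix.
        result["consistent_with_starttls"] = (
            name_len == len(STARTTLS_OID) and STARTTLS_OID.startswith(prefix)
        )
    return result


# The 11 bytes slapd logged in the post's trace.
SLAPD_TRACE_BYTES = bytes.fromhex("30 1d 02 01 01 77 18 80 16 31 2e")
# Constructed for contrast: the start of a TLS 1.0 ClientHello record.
TLS_HEADER_BYTES = bytes.fromhex("16 03 01 00 41 01")

if __name__ == "__main__":
    for label, sample in (("slapd trace", SLAPD_TRACE_BYTES), ("tls header", TLS_HEADER_BYTES)):
        print(label, classify_first_bytes(sample))
```

Run against the trace bytes, the decode gives messageID 1, an ExtendedRequest, and a 22-byte requestName beginning "1.", which is exactly the length and prefix of the StartTLS OID. In other words the listener that had already started a TLS handshake received a plaintext LDAP extended operation instead of a ClientHello, which is what OpenSSL reports as "unknown protocol". When comparing a working client (ldapsearch -ZZ) with a failing one, checking which listener each connects to and whether it expects TLS from the first byte (ldaps://) or negotiates it in-band (StartTLS) is the first thing to confirm from the server's slapd.conf and the client's connection settings.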