
RE: problem with ldapsearch/TLS ( or Fedora Core 2?? )

Sorry for the mess of HTML content, plain text content re-posted.

-----Original Message-----
From: Tay, Gary 
Sent: Monday, October 25, 2004 10:15 AM
To: 'Barrow H Kwan'; Jeff Warnica <jeffw
Cc: OpenLdap Software List; owner-openldap-software@OpenLDAP.org
Subject: RE: problem with ldapsearch/TLS ( or Fedora Core 2?? )

Looking at the last statement of the debugging output:
"error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure"

If you were to search Google using "error:14094410:SSL
routines:SSL3_READ_BYTES:sslv3 alert handshake failure", you would notice
that Howard has highlighted a common misunderstanding that many have: TLS
uses port 389, not 636.

Could you please check whether there is a PORT 636 statement in ldap.conf
(at the client, or at the server if you do a local test)? That should be
changed to "PORT 389", or the "PORT 636" statement deleted so that the
implied default, which is PORT 389, is used.

slapd should also be listening on port 389.

-----Original Message-----
TLS trace: SSL3 alert read:fatal:handshake failure 
TLS trace: SSL_connect:failed in SSLv3 read finished A 
TLS: can't connect. 
ldap_start_tls: Connect error (91) 
        additional info: error:14094410:SSL
routines:SSL3_READ_BYTES:sslv3 alert handshake failure 


Jeff Warnica <jeffw@chebucto.ns.ca> 
Sent by: owner-openldap-software@OpenLDAP.org 
10/22/2004 07:50 PM
To: Barrow H Kwan <bhkwan@thoughtworks.com>
cc: OpenLdap Software List <openldap-software@OpenLDAP.org>
Subject: Re: problem with ldapsearch/TLS  ( or Fedora Core 2?? )

On Thu, 2004-21-10 at 19:16 -0700, Barrow H Kwan wrote:
> [root@myhost root]# ldapsearch -H ldap://myhost.domain.com -D
> uid=user1,ou=People,dc=Corporate,dc=Domain,dc=COM -x -W -ZZ 
> ldap_start_tls: Connect error (91) 
>        additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed 
> : is it a problem with ldapsearch ? 

Unlikely. Does ldapsearch know about your CA certs? Note
that /etc/ldap.conf is for pam/nss _only_; everything else uses,
i.e., /etc/openldap/ldap.conf ... at least with all the RH/Fedora RPMs.

If that doesn't work, run ldapsearch with "-d -1" and see if that gives
any hits.
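The two checks the replies above ask the original poster to make (no "PORT 636" in ldap.conf when using -ZZ, and a CA certificate the client can find) can be scripted against the client config before running ldapsearch again. The script below is an added example for this page, not code from the thread, OpenLDAP or the RH/Fedora packages. The config paths, the sample file contents and the verdict names are constructed for the example; it also assumes, following Gary's advice above, that a URI without an explicit port falls back to the PORT directive in ldap.conf.

```shell
#!/bin/sh
# Added example, not code from the thread: lint an OpenLDAP client
# ldap.conf for the two things the replies above ask the poster to check
# before "ldapsearch -H <uri> ... -ZZ":
#   1. StartTLS (-ZZ) is run over the plain LDAP port, 389, not 636;
#   2. the client must know the CA certificate (TLS_CACERT / TLS_CACERTDIR).
# The config paths and file contents below are constructed samples.
# Assumption (taken from the advice in the thread): a URI that carries no
# port falls back to the PORT directive in ldap.conf.

# Last uncommented value of a directive, matched case-insensitively.
conf_get() {
    # $1 = directive name, $2 = ldap.conf path
    awk -v key="$(printf '%s' "$1" | tr 'a-z' 'A-Z')" '
        /^[[:space:]]*#/ { next }
        toupper($1) == key { val = $2 }
        END { if (val != "") print val }' "$2"
}

# Port given explicitly in an LDAP URI (ldap://host:636/), or nothing.
# (IPv6 bracket syntax is not handled; the thread uses a hostname.)
uri_port() {
    hostport=$(printf '%s' "$1" | sed -e 's|^[A-Za-z]*://||' -e 's|/.*$||')
    case "$hostport" in
        *:*) printf '%s' "${hostport##*:}" ;;
    esac
}

# Verdict for "ldapsearch -H $1 -ZZ" with ldap.conf $2. Prints one of:
#   ldaps-no-starttls  URI is ldaps://, so -ZZ (StartTLS) does not apply
#   port636-starttls   StartTLS would be attempted on 636 (the thread's case)
#   no-cacert          no TLS_CACERT/TLS_CACERTDIR, so the server cert
#                      cannot be verified ("certificate verify failed")
#   ok                 nothing the thread warns about
lint_starttls() {
    uri="$1"; conf="$2"
    scheme=$(printf '%s' "$uri" | sed 's|://.*$||' | tr 'A-Z' 'a-z')
    port=$(uri_port "$uri")
    [ -n "$port" ] || port=$(conf_get PORT "$conf")
    if [ -z "$port" ]; then
        if [ "$scheme" = ldaps ]; then port=636; else port=389; fi
    fi
    if [ "$scheme" = ldaps ]; then
        echo ldaps-no-starttls
    elif [ "$port" = 636 ]; then
        echo port636-starttls
    elif [ -z "$(conf_get TLS_CACERT "$conf")" ] &&
         [ -z "$(conf_get TLS_CACERTDIR "$conf")" ]; then
        echo no-cacert
    else
        echo ok
    fi
}

# Constructed sample configs. On the RH/Fedora RPMs the file ldapsearch
# reads is /etc/openldap/ldap.conf; /etc/ldap.conf belongs to
# pam_ldap/nss_ldap and would be the wrong file to lint.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BAD_CONF="$WORK/ldap.conf.bad"
GOOD_CONF="$WORK/ldap.conf.good"
cat > "$BAD_CONF" <<'EOF'
# Client config reproducing the setting the thread asks to remove
BASE    dc=Corporate,dc=Domain,dc=COM
PORT    636
EOF
cat > "$GOOD_CONF" <<'EOF'
BASE        dc=Corporate,dc=Domain,dc=COM
# PORT left at the default, 389, so -ZZ sends StartTLS to the LDAP port
TLS_CACERT  /etc/openldap/cacerts/ca.pem
EOF

# Stand-alone demonstration against the hostname used in the thread.
for conf in "$BAD_CONF" "$GOOD_CONF"; do
    printf '%s: %s\n' "$conf" "$(lint_starttls ldap://myhost.domain.com "$conf")"
done
```

Run it against a copy of the real /etc/openldap/ldap.conf instead of the samples; a "port636-starttls" verdict means the PORT directive should be deleted or set to 389 as Gary suggests, and "no-cacert" means ldapsearch has no CA to verify the server certificate against, which is the point Jeff raises.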