Re: LDAP and SSL
On Sun, 28 Nov 2004 20:33:38 -0500 (EST), Steve Revilak
<srevilak@speakeasy.net> wrote:
> This seems to indicate that `newcert.pem' does not contain an rsa key.
> pem's are just text files. An rsa key will look like this:
>
> -----BEGIN RSA PRIVATE KEY-----
> [base64 encoded representation of rsa key]
> -----END RSA PRIVATE KEY-----
>
> While not specific to openldap software, the mod_ssl folks have a nice
> set of how-to's for working with ssl certificates:
>
> http://www.modssl.org/docs/2.8/ssl_faq.html#ToC24
I have gotten to the point where:
debian:/etc/ldap# openssl verify -verbose -CAfile \
/etc/ldap/cacert.pem /etc/ldap/servercrt.pem [enter]
Returns:
/etc/ldap/servercrt.pem: OK
And the slapd starts without error -- however it appears to hang after trying:
debian:~# ldapsearch -x -b 'dc=insecurity,dc=org' -D \
"cn=admin,dc=insecuirty,dc=org" '(objectclass=*)' -H \
ldaps://192.168.2.2 -W
Enter LDAP Password:
[partial log output]
slapd startup: initiated.
bdb_db_open: dc=insecurity,dc=org
bdb_db_open: dbenv_open(/var/lib/ldap)
slapd starting
daemon: added 6r
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: new connection on 11
ldap_pvt_gethostbyname_a: host=debian, r=0
str2filter "(objectclass=*)"
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
begin get_filter
PRESENT
ber_scanf fmt (m) ber:
ber_dump: buf=0x000f5eb8 ptr=0x000f5eb8 end=0x000f5ec5 len=13
0000: 87 0b 6f 62 6a 65 63 74 63 6c 61 73 73 ..objectclass
end get_filter 0
conn=0 fd=11 ACCEPT from IP=192.168.2.2:32791 (IP=0.0.0.0:636)
daemon: added 11r
daemon: activity on:
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 11r
daemon: read activity on 11
connection_get(11)
connection_get(11): got connid=0
connection_read(11): checking for input on id=0
tls_read: want=5, got=5
0000: 16 03 01 00 44 ....D
tls_read: want=68, got=68
0000: 01 00 00 40 03 01 41 aa 88 d6 5a 37 36 d7 bc c4 ...@..A...Z76...
0010: ff 7e 3a 2c d6 66 06 40 c6 05 68 47 fc 76 12 75 .~:,.f.@..hG.v.u
0020: 6f a1 84 7f 2a 7b 00 00 18 00 33 00 16 00 39 00 o...*{....3...9.
0030: 2f 00 0a 00 35 00 05 00 04 00 32 00 13 00 38 00 /...5.....2...8.
0040: 66 02 01 00 f...
I cannot troubleshoot when there aren't any errors =/
--
WC -Sx- Jones
http://insecurity.org/
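The two tls_read dumps in the log above are a 5-byte TLS record header followed by a 68-byte ClientHello. The Python below is an added example, not code from the thread or from OpenLDAP: it decodes exactly those bytes (the hex is copied from the log, the cipher-suite names come from the IANA TLS registry, and the function names are my own) so the last thing slapd logged can be read as a handshake message rather than a wall of hex.

```python
import struct

# Constructed input: the two "tls_read" hex dumps copied from the slapd debug
# log in the post above (5-byte record header, then the 68-byte handshake message).
RECORD_HEADER_HEX = "16 03 01 00 44"
HANDSHAKE_HEX = """
01 00 00 40 03 01 41 aa 88 d6 5a 37 36 d7 bc c4
ff 7e 3a 2c d6 66 06 40 c6 05 68 47 fc 76 12 75
6f a1 84 7f 2a 7b 00 00 18 00 33 00 16 00 39 00
2f 00 0a 00 35 00 05 00 04 00 32 00 13 00 38 00
66 02 01 00
"""

# Names from the IANA TLS Cipher Suite registry, restricted to the suites seen in this hello.
CIPHER_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0038: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x0066: "TLS_DHE_DSS_WITH_RC4_128_SHA",
}

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def hex_dump_to_bytes(text):
    """Turn whitespace-separated hex pairs (as printed by slapd) into bytes."""
    return bytes.fromhex("".join(text.split()))


def parse_record_header(data):
    """Decode the 5-byte TLS record header: content type, protocol version, payload length."""
    if len(data) < 5:
        raise ValueError("record header needs 5 bytes, got %d" % len(data))
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {
        "content_type": content_type,
        "content_type_name": CONTENT_TYPES.get(content_type, "unknown"),
        "version": (major, minor),
        "length": length,
    }


class _Cursor:
    """Bounds-checked reader so a truncated or malformed hello raises instead of mis-parsing."""

    def __init__(self, data):
        self.data, self.off = data, 0

    def take(self, n):
        if self.off + n > len(self.data):
            raise ValueError("message truncated at offset %d (needs %d more bytes)" % (self.off, n))
        chunk = self.data[self.off:self.off + n]
        self.off += n
        return chunk

    def uint(self, n):
        return int.from_bytes(self.take(n), "big")


def parse_client_hello(data):
    """Decode a handshake message that must be a ClientHello (RFC 2246, section 7.4.1.2)."""
    cur = _Cursor(data)
    hs_type = cur.uint(1)
    hs_len = cur.uint(3)
    if hs_type != 1:
        raise ValueError("handshake type %d is not a ClientHello" % hs_type)
    body = _Cursor(cur.take(hs_len))
    client_version = (body.uint(1), body.uint(1))
    client_random = body.take(32)
    session_id = body.take(body.uint(1))
    cs_len = body.uint(2)
    if cs_len % 2:
        raise ValueError("cipher_suites length %d is odd" % cs_len)
    suites = [int.from_bytes(body.take(2), "big") for _ in range(cs_len // 2)]
    compression = list(body.take(body.uint(1)))
    return {
        "handshake_length": hs_len,
        "client_version": client_version,
        "gmt_unix_time": int.from_bytes(client_random[:4], "big"),  # first 4 bytes of random
        "session_id": session_id,
        "cipher_suites": suites,
        "cipher_suite_names": [CIPHER_SUITES.get(s, "unknown(0x%04x)" % s) for s in suites],
        "compression_methods": compression,
        # A TLS 1.0 hello may end here; any remaining bytes would be an extensions block.
        "extensions_present": body.off < len(body.data),
    }


def decode_slapd_dump(header_hex=RECORD_HEADER_HEX, handshake_hex=HANDSHAKE_HEX):
    """Decode the record header and ClientHello as logged, cross-checking the two lengths."""
    record = parse_record_header(hex_dump_to_bytes(header_hex))
    handshake = hex_dump_to_bytes(handshake_hex)
    if record["length"] != len(handshake):
        raise ValueError("record says %d payload bytes, log shows %d" % (record["length"], len(handshake)))
    return {"record": record, "hello": parse_client_hello(handshake)}


if __name__ == "__main__":
    result = decode_slapd_dump()
    print("record: %(content_type_name)s, version %(version)s, %(length)d bytes" % result["record"])
    h = result["hello"]
    print("ClientHello: version %s, gmt_unix_time %d, %d suites, compression %s"
          % (h["client_version"], h["gmt_unix_time"], len(h["cipher_suites"]), h["compression_methods"]))
    for name in h["cipher_suite_names"]:
        print("  ", name)
```

Run it and the dump reads as: a handshake record, TLS 1.0, carrying a 64-byte ClientHello whose gmt_unix_time matches the date of the post, an empty session id, twelve offered suites (DHE-RSA, RSA and DHE-DSS with AES, 3DES and RC4) and two compression methods. The log shows the complete ClientHello arriving and nothing after it, so the handshake stalls on the server's side of the exchange; running `openssl s_client -connect 192.168.2.2:636` from the client would show whether a ServerHello and certificate ever come back, which is the next thing to check.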