
Re: Bind failing under ssl

The logs you've attached contain no pertinent details and are thus useless. Run slapd in debug mode with some more useful detail level and collect that output. Also use the ldapsearch tool with -d1 and collect the client side debug output at the same time.

Note to All: Since syslog drops log messages if they come in too fast, it is generally unproductive to use syslog output as a debugging aid. The only valid use for syslog is to record an audit trail of a normally operating server. Everything else should be done using the debug flag.

Thomas Bolioli wrote:

I have confirmed that this is an issue with the bind and not with the SSL. I used the OpenSSL test client and the entire SSL portion of the protocol conversation worked as advertised (there were no self-signed certs in the mix either). For some reason, slapd will not bind to the rootdn and rootpw (I have not tried to use regular users yet) when running under SSL. Is there something I am missing here?

Thomas Bolioli wrote:

When I connect to my LDAP server using plain ol' 389 everything works just dandy. When I connect to it via SSL, the connection is made, SSL appears to handshake, but the bind fails. Below are the slapd logs. Any ideas with this one? I have added in a valid CA cert and have a valid wildcard cert.
It seems to be a pretty popular problem around these parts, but no one seems to have posted a solution.

# To allow TLS-enabled connections, create /etc/ssl/openldap/ldap.pem
# and uncomment the following lines.
TLSRandFile            /dev/random
TLSCipherSuite         HIGH:MEDIUM:+SSLv2
TLSCertificateFile      /etc/ssl/openldap/ldap.pem
TLSCertificateKeyFile   /etc/ssl/openldap/ldap.pem
TLSCACertificatePath   /etc/ssl/
TLSCACertificateFile    /etc/ssl/cacert.pem
#TLSCACertificateFile    /etc/ssl/openldap/ldap.pem
TLSVerifyClient never # ([never]|allow|try|demand)

Apr 25 16:06:07 nova slapd[3670]: daemon: activity on 1 descriptors

 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support
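One way to carry out the debugging Howard asks for, as an added example that is not from the thread or from the OpenLDAP project: it prints the server-side (slapd -d) and client-side (ldapsearch -d 1) command lines to run side by side, and reduces a slapd capture to one line per bind attempt with the LDAP result code spelled out. The config path, URI, rootdn, suffix and log file names are assumptions (override them via environment variables), and the slapd lines in the sample are constructed in the stats-level format slapd prints, not taken from Thomas's logs.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP itself.
# Collects server-side (slapd -d) and client-side (ldapsearch -d 1) debug
# output as Howard recommends, then reduces a slapd capture to one line per
# bind attempt. Paths, suffix and rootdn are assumptions; override via env.

SLAPD_CONF=${SLAPD_CONF:-/etc/openldap/slapd.conf}    # assumption
LDAP_URI=${LDAP_URI:-ldaps://localhost:636}            # assumption
ROOTDN=${ROOTDN:-cn=Manager,dc=example,dc=com}         # assumption
BASE=${BASE:-dc=example,dc=com}                         # assumption
SERVER_LOG=${SERVER_LOG:-/tmp/slapd-debug.log}          # assumption
CLIENT_LOG=${CLIENT_LOG:-/tmp/ldapsearch-debug.log}     # assumption

# slapd in the foreground with full debug output (-d -1) written to a file
# instead of syslog, listening on both the plain and the TLS port.
slapd_debug_cmd() {
    echo "slapd -f $SLAPD_CONF -h \"ldap:/// ldaps:///\" -d -1 >$SERVER_LOG 2>&1"
}

# Client side with -d 1, run while slapd is capturing: simple bind (-x) as
# the rootdn over ldaps, base-scope search so only the bind matters.
ldapsearch_debug_cmd() {
    echo "ldapsearch -d 1 -x -H $LDAP_URI -D \"$ROOTDN\" -W -b \"$BASE\" -s base '(objectClass=*)' >$CLIENT_LOG 2>&1"
}

# Pair each "conn=N op=M BIND dn=..." line with its "RESULT tag=97 err=..."
# line (tag 97 is the bind response) and name the common result codes.
summarize_binds() {
    awk '
    function tok(re) { return match($0, re) ? substr($0, RSTART, RLENGTH) : "" }
    BEGIN {
        name[0]  = "success"
        name[13] = "confidentialityRequired"
        name[48] = "inappropriateAuthentication"
        name[49] = "invalidCredentials"
        name[53] = "unwillingToPerform"
    }
    / BIND dn=/ {
        key = tok("conn=[0-9]+") " " tok("op=[0-9]+")
        if (match($0, /dn="[^"]*"/)) dn[key] = substr($0, RSTART + 4, RLENGTH - 5)
        next
    }
    / RESULT tag=97 / {
        key  = tok("conn=[0-9]+") " " tok("op=[0-9]+")
        err  = tok("err=[0-9]+")
        code = substr(err, 5)
        print key, "BIND dn=\"" dn[key] "\"", err, "(" ((code in name) ? name[code] : "see ldap.h") ")"
    }' "$1"
}

# Constructed sample of slapd stats-level output (not from the thread): one
# bind over ldaps that fails with err=49 and one over port 389 that succeeds.
write_sample_log() {
    cat > "$1" <<'EOF'
conn=1000 fd=12 ACCEPT from IP=127.0.0.1:40000 (IP=0.0.0.0:636)
conn=1000 fd=12 TLS established tls_ssf=256 ssf=256
conn=1000 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
conn=1000 op=0 RESULT tag=97 err=49 text=
conn=1001 fd=13 ACCEPT from IP=127.0.0.1:40001 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
conn=1001 op=0 RESULT tag=97 err=0 text=
EOF
}

# Demo on the constructed sample so the script runs without a live server.
sample=$(mktemp)
write_sample_log "$sample"
echo "server: $(slapd_debug_cmd)"
echo "client: $(ldapsearch_debug_cmd)"
summarize_binds "$sample"
rm -f "$sample"
```

Run the printed server command in one terminal and the client command in another, then `summarize_binds /tmp/slapd-debug.log` shows whether the bind over ldaps reached slapd at all and which result code it got; the client log from -d 1 shows the same exchange from the other side, which is why Howard wants both captured at the same time.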