[Date Prev][Date Next] [Chronological] [Thread] [Top]

FW: Problem in configuring SSL with openldap

Hi All,

I have successfully installed and built openLDAP and openSSL.
Now I need to configure SSL.
I have followed the link

These are the settings in my "slapd.conf"

TLSCipherSuite HIGH:MEDIUM TLSCertificateFile
TLSCertificateKeyFile /usr/local/etc/openldap/certs/privkey.pem
TLSCACertificateFile /usr/local/ssl/misc/demoCA/cacert.pem
TLSCACertificatePath /usr/local/ssl/misc/demoCA
#TLSRandFile <filename>
#TLSVerifyClient 0

These are the settings in my "ldap.conf"
# See ldap.conf(5) for details
# This file should be world readable but not world wr

BASE    dc=ad,dc=infosys,dc=com
URI     ldap:// ldap://
BINDDN  "cn=Manager,dc=ad,dc=infosys,dc=com"

SIZELIMIT       12
TIMELIMIT       25
#DEREF          never
TLS_CACERT /usr/local/ssl/misc/demoCA/cacert.pem

When I run the command "./slapd -h 'ldap://
ldaps://' -d 255 ", and try to connect to the SSL port,
I get the following error messages.

TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5, got=5
  0000:  15 03 01 00 02                                     .....
tls_read: want=2, got=2
  0000:  02 30                                              .0
TLS trace: SSL3 alert read:fatal:unknown CA TLS trace: SSL_accept:failed
in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
connection_read(12): TLS accept failure error=-1 id=3, closing
connection_closing: readying conn=3 sd=12 for close
connection_close: conn=3 sd=12
daemon: removing 12
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: waked
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL

Could you please suggest what is the probable reason for this. Have I
configured something incorrectly. Earlier I had tried with a different
CA. But the issue was there. That's why I created the Demo Certification
Authority(using openssl). But the issue persists.

Monica Rana

-----Original Message-----
From: Sameer N Ingole [mailto:strike@proscrutiny.com]
Sent: Thursday, October 12, 2006 6:03 PM
To: Monica_Rana
Subject: Re: Problem in configuring SSL with openldap

Hi Monica,

Replying off list because this is more of a Solaris/OpenSSL issue.
Please ignore my last mail, it was obscure.

If you are referring to Openssl installation, you may want to take a
look at this http://www.sunfreeware.com/openssh8.html

Else download OpenSSL from:

If you are referring to OpenSSL source installation (downloaded from
openssl.org) then there are few things to note:
Sun does not ship include libraries (for Solaris 9, I guess) You would
want to compile shared version of libraries, it defaults to static By
default it is compiled gnu-shared so and for solaris you need to specify
solaris-shared instead of gnu-shared

So generally you would do this:
edit Configure script - find solaris-x86-gcc or solaris-sparcv9-gcc etc
as suitable
   *  Change "gnu-shared" to "solaris-shared".
   * add "-R/usr/local/ssl/lib " just before "-lsocket"

So now your configure command would look something like..

./Configure solaris-x86-gcc shared

Some of the above things might be inconsistent  as last time I worked on
solaris was 11 months back.


Sameer Ingole.

Monica_Rana wrote:
> Hi Sameer,
> I have followed the below mentioned steps:
> 1.  $ ./config
> 2.  $ make
> 3.  $ make test
> 4.  $ make install.
> All the options ran without any errors.
> Do I need to do anything extra?
> Regards,
> Monica Rana
> -----Original Message-----
> From: Sameer N Ingole [mailto:strike@proscrutiny.com]
> Sent: Thursday, October 12, 2006 2:34 PM
> To: openldap-software@openldap.org
> Cc: Monica_Rana
> Subject: Re: Problem in configuring SSL with openldap
> Did you custom compile Openssl?
> Did you install development libraries for Openssl?
> I suspect absence of development libraries is causing this problem.
> Also read http://www.columbia.edu/~ariel/ssleay/rsaref.html
> Regards,
> Sameer Ingole.
> http://weblogic.noroot.org/gallery2/
>> -----Original Message-----
>> From: Phillip [mailto:phuang@plasmon.cn]
>> Sent: Thursday, October 12, 2006 1:07 PM
>> To: Monica_Rana
>> Cc: openldap-software@openldap.org
>> Subject: Re: Problem in configuring SSL with openldap
>> Monica,
>> Maybe you've take a mistake in setting "env", just try:
>> env CPPFLAGS="-I/usr/local/include -I/usr/local/ssl/include -
>> I/usr/local/db4/include"  LDFLAGS="-L/usr/local/ssl/lib -
>> L/usr/local/db4/lib" ./configure --with-tls --with-cyrus-sasl
>> --enable- wrappers --enable-crypt --enable-bdb
>> You'd better verify the "include" and "lib" path for SSL and DB.
>> Regards,
>> Phillip
>> On Thu, 2006-10-12 at 12:18 +0530, Monica_Rana wrote:
>>> Hi All,
>>> I have the following installed on solaris 8.
>>> openLDAP 2.3.27
>>> openSSL 0.9.8b.
>>> when i try to configure using the command env
>>> CPPFLAGS="-I/usr/local/include -I/usr/local/include/ssl -
>>> I/usr/local/include/db4"
>>>     LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/lib/db4"
>>>     ./configure --with-tls --with-cyrus-sasl --enable-wrappers --
>>> enable-crypt --enable-bdb it throws the error checking for
>>> openssl/ssl.h... yes checking for SSL_library_init in -lssl... no
>>> checking for ssl3_accept in -lssl... no checking OpenSSL library
>>> version (CRL checking capability)... yes
>>> configure: error: Could not locate TLS/SSL package.
>>> Please let me know what could be the possible reson behind. PFA the
>>> config.log file.
>>> Regards,
>>> Monica Rana

**************** CAUTION - Disclaimer *****************
This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended solely for the use of the addressee(s). If you are not the intended recipient, please notify the sender by e-mail and delete the original message. Further, you are not to copy, disclose, or distribute this e-mail or its contents to any other person and any such actions are unlawful. This e-mail may contain viruses. Infosys has taken every reasonable precaution to minimize this risk, but is not liable for any damage you may sustain as a result of any virus in this e-mail. You should carry out your own virus checks before opening the e-mail or attachment. Infosys reserves the right to monitor and review the content of all messages sent to or from this e-mail address. Messages sent to or from this e-mail address may be stored on the Infosys e-mail system.
***INFOSYS******** End of Disclaimer ********INFOSYS***