[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Mirrormode and cn=config

To: Mathieu MILLET <ldap@htam.net>
Subject: Re: Mirrormode and cn=config
From: Peter Mogensen <apm@mutex.dk>
Date: Wed, 25 Mar 2009 17:17:40 +0100
Cc: openldap-software@openldap.org
In-reply-to: <8ffe8771d20a633b899c6763c9a7930c@localhost>
References: <8ffe8771d20a633b899c6763c9a7930c@localhost>
User-agent: Thunderbird 2.0.0.21 (X11/20090318)

Mathieu MILLET wrote:

On Wed, 25 Mar 2009 15:09:09 +0100, Peter Mogensen <apm@mutex.dk> wrote:
I have problem with SASL/EXTERNAL and TLS. The server can't seem to find the client certificate. I'm using slapd from Debian Lenny and Ubuntu Hardy, and it's probably due to GnuTLS problems. I get error from slapd like: "TLS: can't accept: A TLS packet with unexpected length was received.."


Oh ... forget this one. I found the reason for this. It was my fault.

"unable to get TLS client DN, error=-4 id=0" Are GnuTLS just completely broken on Debian Lenny or can this be made to work?
Which version of OpenLDAP are you using ?
If using 2.4.15, the ldap "client" libs have broken SASL/EXTERNAL
implementation. These libs are also used for consumer to connect to
provider.

2.4.9-0ubuntu0.8.0 I haven't checked which upstream version the patches makes it equivalent to though.

Doing: ldapwhoami -YEXTERNAL -H ldaps://server:389/ I'm stepping through the SSL handshake with wireshark and it seems to get all the way through to the servers ChangeChipherSpec/Finish stage after which the client sends a TCP FIN,ACK.

slapd output is:
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
connection_read(10): unable to get TLS client DN, error=-4 id=11
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
ber_get_next
ber_get_next on fd 10 failed errno=0 (Success)
connection_closing: readying conn=11 sd=10 for close
connection_close: conn=11 sd=10

According to wireshark it's TLSv1.1. I think I read somewhere that GnuTLS don't like that, but I can't figure out how do downgrade to TLSv1.0

/Peter

References:
- Re: Mirrormode and cn=config
  - From: Mathieu MILLET <ldap@htam.net>

Prev by Date: Re: Mirrormode and cn=config
Next by Date: Re: Problem with searches
Index(es):
- Chronological
- Thread