Re: Client says Can't contact LDAP server, but it can!

[Buchan Milne <bgmilne@staff.telkomsa.net>]

On Monday 28 July 2008 20:30:54 John Oliver wrote:
> On Mon, Jul 28, 2008 at 09:20:23AM +0200, Buchan Milne wrote:
> > Or, ensure that the "CA certificate" that the clients use contains the
> > certificates of the issuer of both of the server certificates, and that
> > the value of the subject CN on both certificates matches the name you use
> > to connect to the servers.
>
> I've tried:
>
> openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout
> server.pem -days 3650
>
> That should create a file with keys and certs all in one, right?  No
> possible misunderstanding about which is where.
>
> For the OU, I put the domain name.  I have also tried using the FQDN in
> a few variations.
>
> For the CN, I put the FQDN.

Just give us the output of:

openssl x509 -noout -subject -in server.pem

> I pointed TLSCertificateFile, TLSCertificateKeyFile, and
> TLSCACertificateFile at that file in slapd.conf, and restarted the LDAP
> service.
>
> And it doesn't work.

What? Provide the command that isn't working.

>
> On my test client, ldap.conf has:

Which ldap.conf ? The one 

> host 10.99.16.7

Please remove this from your configuration file, it is most likely going to 
confuse someone or something.

> base dc=mydomain,dc=com
> url ldaps://unix-services2.mydomain.com:636
> timelimit 120
> bind_timelimit 120
> idle_timelimit 3600
> ssl yes
> tls_cacertdir /etc/openldap/cacerts
> tls_checkpeer no
> pam_password md5
>
> If I change the "host" and "url" to the other LDAP server, it works
> perfectly.
>
> On the working server, in slapd.conf I have:
>
> TLSCertificateFile /etc/ssl/ldap.pem

Provide the output of 
openssl x509 -noout -subject -in /etc/ssl/ldap.pem

> TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
> TLSCACertificateFile /etc/ssl/ldap.pem
>
> Those files were created with:
>
> openssl req -new -x509 -nodes -out /etc/ssl/ldap.pem -keyout
> /etc/openldap/ssl/ldap.pem -days 3650
>
> I created a second set of keys with that line on the non-working server
> in the same directories (/etc/ssl and /etc/openldap/ssl).  That didn't
> work either.
>
> On both servers, I can do:
>
> openssl s_client -connect localhost:636 -showcerts
>
> And get identical results (except for the FQDNs, of course, and the
> jumble of characters in the certificate).
>
> On a client pointed to the non-working server:
>
> [root@localhost ~]# ldapsearch -x
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope sub
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 32 No such object
>
> # numResponses: 1
>
> Supposedly, that means "it works", even though it doesn't.

You've provided a configuration file that looks ilke it is for 
nss_ldap/pam_ldap, then you conclude that something is working by running 
'ldapsearch -x'. I think most people on this list aren't following this logic 
...

> I don't know
> what to make of that.
>
> I just don't know where to go from here.  I've created certificates over
> and over and over again.

Why waste your time on creating bad certs? One or two are enough.

> Even if by accident, I'd have had to have done
> it right at least once.  On the other server, I did it once, and it
> worked.

You're assuming that the certificate itself is the problem.

> It looks like there must be some other variable... a config file,
> something, that has something else to do with this.

But, you provide very little information on what you have actually done, how 
you are determining that something is or isn't working, and the config files 
you have provided don't match the tools you are apparently testing with.

If you don't explain what you feel isn't working, we're going to have to 
guess.

Regards,
Buchan