[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: fedora and openldap

To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Re: fedora and openldap
From: Rich Megginson <rich.megginson@gmail.com>
Date: Tue, 12 Apr 2011 13:49:33 -0600
Cc: Judith Flo Gaya <jflo@imppc.org>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:message-id:date:from:reply-to:user-agent :mime-version:to:cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=80T+ASNrH5WYGGHL4GWKcD5mvBS0NIoDRHxSrpvTumY=; b=qnxtPHJuc7yxbjyzZn0MqEeuTu93dq8H4PvnORbkqgJX4xpzypwVjOYIvOzYMqaQix BpdfVu4MH/LX/QcJXHMh9naywdS1DMimTX50jFE7JaTEzhghs1ftrHN+/QB2XPO8qxU6 s/yMxERBaQhdGfeMiInxZgswvxw2VfnL2H48Y=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:reply-to:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; b=UWGxmNxljBMAO79zGSzI3bNM8+r41S/Q6ZYvePJ/jlvM3TE3csYedzW0AukV5Go3rm tBHvk+LZN8gog/q/1zztkOnfFXBRKA7/MZEFIns1yuu9GS/gkelIiaNJXucJawBVR6g3 VWR6O/FHZOsu4iWkBEv9oQZdj/vLQOvoBXTZM=
In-reply-to: <4DA4A479.70404@imppc.org>
References: <4D9B87A2.8040400@imppc.org> <201104091723.01247.harry.jede@arcor.de> <4DA2CE65.70006@imppc.org> <201104111314.34875.harry.jede@arcor.de> <4DA4876E.7000907@imppc.org> <38ACE42D42C9413E24A03D6F@[192.168.1.2]> <4DA4A479.70404@imppc.org>
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110318 Red Hat/3.1.9-3.el6_0 Lightning/1.0b2pre Thunderbird/3.1.9

On 04/12/2011 01:14 PM, Judith Flo Gaya wrote:

Hello Quanah,


On 4/12/11 7:28 PM, Quanah Gibson-Mount wrote:
--On Tuesday, April 12, 2011 7:10 PM +0200 Judith FloGaya<jflo@imppc.org>
wrote:
( I installed a newer version of openldap in my server as the RH6uses an
old one, I compiled it with tls and openssl)

  From the client I do :
   ldapsearch -x -ZZ -d1 -h curri0.imppc.local:636
This is a startTLS request.  You are using LDAPS.  This will never work.

Try

ldapsearch -x -H ldaps://curri0.imppc.local:636/
It doesn't work either, still complains about not being able tocontact the server.
But now I see a different error:

ldapsearch -x -H ldaps://curri0.imppc.local:636 -d1
ldap_url_parse_ext(ldaps://curri0.imppc.local:636)
ldap_create
ldap_url_parse_ext(ldaps://curri0.imppc.local:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP curri0.imppc.local:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.19.5.13:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: could not initialize moznss using security dir/etc/openldap/cacerts - error -8174:Unknown code ___f 18.TLS: could not add the certificate (null) - error -8192:Unknown code___f 0.TLS: error: connect - force handshake failure -1 - error -8054:Unknowncode ___f 138
TLS: can't connect: .
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

If you are using /usr/bin/ldapsearch on Fedora 14 and later, it islinked with Mozilla NSS instead of openssl. But openldap with moznssworks the same as it does with openssl.

Do you have your CA cert on the client machine? If so, did you specifyit in /etc/openldap/ldap.conf or ~/.ldaprc? If not, you can alsospecify it on the command line like this:

LDAPTLS_CACERT=/path/to/ca_cert.pem ldapsearch -x -Hldaps://curri0.imppc.local:636/

See http://www.openldap.org/faq/data/cache/1514.html for informationabout how to use Mozilla NSS.



and this is what the server says:
slap_listener_activate(8):
>>> slap_listener(ldaps://curri0.imppc.local:636)
connection_get(12): got connid=1008
connection_read(12): checking for input on id=1008
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=1008
connection_read(12): checking for input on id=1008
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A

TLS: can't accept: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3alert bad certificate.

connection_read(12): TLS accept failure error=-1 id=1008, closing
connection_close: conn=1008 sd=12

any clue? the error on the client side seems to indicate that theclient is trying to use the nss from the mozilla but I never meant tothis, openssl is installed.

Thanks a lot for your help.
j

instead.

--Quanah


--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Follow-Ups:
- Re: fedora and openldap
  - From: Judith Flo Gaya <jflo@imppc.org>

References:
- fedora and openldap
  - From: Judith Flo Gaya <jflo@imppc.org>
- Re: fedora and openldap
  - From: harry.jede@arcor.de
- Re: fedora and openldap
  - From: Judith Flo Gaya <jflo@imppc.org>
- Re: fedora and openldap
  - From: harry.jede@arcor.de
- Re: fedora and openldap
  - From: Judith Flo Gaya <jflo@imppc.org>
- Re: fedora and openldap
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- Re: fedora and openldap
  - From: Judith Flo Gaya <jflo@imppc.org>

Prev by Date: Re: fedora and openldap
Next by Date: Re: Database meta does not have any root node
Index(es):
- Chronological
- Thread