[Date Prev][Date Next]
Re: Using NSS
On Thu, 2011-10-27 at 13:55 -0600, Rich Megginson wrote:
> On 10/27/2011 12:05 PM, Braden McDaniel wrote:
> > On Thu, 2011-10-27 at 08:44 -0600, Rich Megginson wrote:
> > [snip]
> >> What is your /etc/openldap/ldap.conf?
> > That question led me to a bogus setting for TLS_CACERTDIR. First, I
> > tried simply commenting the line out, figuring the value of
> > olcTLSCACertificatePath in cn=config.ldif would be used.
> No, the client cannot use cn=config.ldif - that is for the server only.
> The server cannot use ldap.conf - that is for the client only.
Okay... With this in mind, I changed ldap.conf to use TLS_CACERT to
point to a .pem file as generated by:
# certutil -d /etc/pki/nssdb -L -n "endoframe" -a >
That gets me here:
# ldapsearch -H ldaps://rail -b dc=endoframe,dc=net -x -d1
ldap_new_connection 1 1 0
ldap_connect_to_host: TCP rail:636
ldap_connect_to_host: Trying ::1 636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: loaded CA certificate
TLS: error: tlsm_PR_Recv returned 0 - error 21:Is a directory
TLS: error: connect - force handshake failure: errno 21 - moznss
TLS: can't connect: TLS error -5938:Encountered end of file.
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> Never seen that - I have no idea why you would get an EEXIST at this
> point in the code. I suggest turn on debugging on the server and see
> what it thinks is happening.
There were apparently some selinux issues that accounted for the
previous errors. Once those were resolved, the above search yields this
from the server (run with -d1):
connection_get(14): got connid=1000
connection_read(14): checking for input on id=1000
TLS: using moznss security dir /etc/pki/nssdb prefix .
TLS: certificate [CN=Endoframe] is not valid - error -8102:Unknown code ___f 90.
TLS: error: unable to find and verify server's cert and key for certificate endoframe
TLS: error: could not initialize moznss security context - error -8102:Unknown code ___f 90
TLS: can't create ssl handle.
connection_read(14): TLS accept failure error=-1 id=1000, closing
connection_close: conn=1000 sd=14
So I screwed up the certificate. I'm just not sure how.
Braden McDaniel <firstname.lastname@example.org>