On Thu, Sep 27, 2001 at 10:58:45AM -0700, David Wright wrote:
>
> > # ldapsearch -h clan -D cn=Manager,dc=example,dc=com -w secret -L -x -ZZ
> > ldap_start_tls: Connect error
>
> I ran into a similar problem and it turned out to be my cert; more recent
> OpenLDAPs are less tolerant of nonconformant certificates. In particular,
> the name in your cert must be exactly the correct FQDN of your server as
> returned e.g. by nslookup; an IP address won't do.
I think I've got that right.
I've generated a new.cert.cert and new.cert.key by doing the following:
# cd /usr/local/etc/openldap/SSL
Create key and request
# openssl req -new > new.cert.csr
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
.....++++++
......++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:XX
State or Province Name (full name) [Some-State]:XXXXXXXXX
Locality Name (eg, city) []:XXXXXXXXXXXX
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXX
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:XXXXXXXXXXXXXXXXXXXXXXXXX
Email Address []:nik@freebsd.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
I've used XXX's in the above to obliterate some personal information.
I set the "Common Name" to the name of the host, as returned by
"hostname".
Then I removed the pass phrase from the key
# openssl rsa -in privkey.pem -out new.cert.key
read RSA key
Enter PEM pass phrase:
writing RSA key
Then I turned this into a signed certificate.
# openssl x509 -in new.cert.csr -out new.cert.cert -req \
-signkey new.cert.key -days 365
Signature ok
subject=/C=XX/ST=XXXXXXXXX/L=XXXXXXXXXXXX/O=XXXXXXXXXXXXXXXXXX/CN=XXXXXXXXXXXXXXXXXXXXXXXXX/Email=nik@freebsd.org
Getting Private key
This leaves me with four files
new.cert.cert
new.cert.csr
new.cert.key
privkey.pem
I added these three lines to slapd.conf
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/local/etc/openldap/SSL/new.cert.cert
TLSCertificateKeyFile /usr/local/etc/openldap/SSL/new.cert.key
and run slapd as
# /usr/local/libexec/slapd -h 'ldap:/// ldaps:///' -d 9
> If this doesn't solve the problem, please:
> 1) Tell us whether ssl (ie ldaps) fails as well as tls.
Don't know. I don't have anything here that speaks ldaps. I'm trying
to get TLS working so that I can use
http://www.rudedog.org/auth_ldap/
which can't use SSL with OpenLDAP, just TLS.
> 2) Include the log info, even if you don't understand it.
@(#) $OpenLDAP: slapd 2.0.14-Release (Wed Sep 26 21:03:08 BST 2001) $
nik@clan.nothing-going-on.org:/local/1/usr/ports/net/openldap2/work/openldap-2.0.14/servers/slapd
daemon_init: listen on ldap:///
daemon_init: listen on ldaps:///
daemon_init: 2 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: initialized ldap:///
ldap_url_parse_ext(ldaps:///)
daemon: initialized ldaps:///
daemon_init: 2 listeners opened
slapd init: initiated server.
slap_sasl_init: initialized!
slapd startup: initiated.
slapd starting
daemon: added 8r
daemon: added 9r
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
That's before I do the ldapsearch request.
I then run
# ldapsearch -h clan -D cn=Manager,dc=example,dc=com -w secret -L -x -ZZ
ldap_start_tls: Connect error
in another window, and the following is logged:
daemon: activity on 1 descriptors
daemon: new connection on 10
daemon: added 10r
daemon: activity on:
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ber_get_next on fd 10 failed errno=35 (Resource temporarily
unavailable)
do_extended
ber_scanf fmt ({a) ber:
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 10
daemon: select: listen=8 active_threads=1 tvp=NULL
daemon: select: listen=9 active_threads=1 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next on fd 10 failed errno=0 (Undefined error: 0)
connection_read(10): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=10 for close
connection_close: conn=0 sd=10
daemon: removing 10
TLS trace: SSL3 alert write:warning:close notify
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
Any suggestions gratefully received.
N
--
Internet connection, $19.95 a month. Computer, $799.95. Modem, $149.95.
Telephone line, $24.95 a month. Software, free. USENET transmission,
hundreds if not thousands of dollars. Thinking before posting, priceless.
Somethings in life you can't buy. For everything else, there's MasterCard.
-- Graham Reed, in the Scary Devil Monastery
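The name check the thread turns on (David's point that the name in the certificate must be the FQDN the client resolves for the host, not the short `hostname` output and not an IP address), as an added example in Python; it is not code from the thread or from OpenLDAP. The mapping `clan` to `clan.nothing-going-on.org` is taken from the slapd banner in the log, the `resolver` parameter is a hypothetical hook so the check runs offline, the IP `192.0.2.10` is a constructed sample, and the example goes slightly beyond the thread by also accepting a single leftmost wildcard label as modern clients do.

```python
import ipaddress
import socket

def canonical_fqdn(host, resolver=socket.getfqdn):
    """Name the client compares against the certificate: what DNS returns for
    `host` (the nslookup answer), lower-cased, without a trailing dot.
    `resolver` is a hypothetical hook so the check can run without DNS."""
    return resolver(host).rstrip(".").lower()

def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def name_matches(cert_name, fqdn):
    """Does one certificate name (CN, or a dNSName SAN) cover `fqdn`?
    Accepts one leftmost wildcard label; IP literals never match a DNS name."""
    cert_name = cert_name.rstrip(".").lower()
    if is_ip_literal(cert_name) or is_ip_literal(fqdn):
        return False
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                      # ".nothing-going-on.org"
        head = fqdn[:-len(suffix)] if fqdn.endswith(suffix) else ""
        return bool(head) and "." not in head       # exactly one label replaced
    return cert_name == fqdn

def diagnose(cert_names, host, resolver=socket.getfqdn):
    """None when `ldapsearch -h HOST` would find a matching name in the server
    certificate, otherwise one reason per certificate name."""
    fqdn = canonical_fqdn(host, resolver)
    if any(name_matches(n, fqdn) for n in cert_names):
        return None
    reasons = []
    for n in cert_names:
        if is_ip_literal(n):
            reasons.append(f"{n!r} is an IP address; the client compares DNS names")
        elif "." not in n:
            reasons.append(f"{n!r} is a short hostname (output of `hostname`?), expected {fqdn!r}")
        else:
            reasons.append(f"{n!r} does not match {fqdn!r}")
    return "; ".join(reasons)

# Constructed stand-in for DNS: the mail's host "clan" and the FQDN from the slapd banner.
FAKE_DNS = {"clan": "clan.nothing-going-on.org"}

def fake_resolve(host):
    return FAKE_DNS.get(host, host)
```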
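A second added example, also not from the thread or from OpenLDAP, reduces the `-d 9` TLS trace above to a verdict. The lines of `SAMPLE_LOG` are copied from the trace in the mail; the function names are mine. The point it encodes: a certificate the client distrusts normally shows up as a fatal alert the server reads before `read client key exchange`, whereas here the server reaches `write finished` and then sees a plain EOF (`errno=0`), which is how a check the client runs after the handshake (OpenLDAP's client library does its hostname comparison after `SSL_connect`) looks from the server side; the `error in SSLv3 read client certificate` lines next to `errno=35` are only the non-blocking socket waiting for more data.

```python
import re

# Excerpt of the slapd -d 9 trace from the mail (constructed sample: same lines, shortened).
SAMPLE_LOG = """\
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write finished A
ber_get_next on fd 10 failed errno=0 (Undefined error: 0)
connection_read(10): input error=-2 id=0, closing.
TLS trace: SSL3 alert write:warning:close notify
"""

ALERT_READ = re.compile(r"TLS trace: SSL3 alert read:(\w+):(.*)")

def classify_starttls(log_text):
    """Walk a slapd TLS trace and say where the StartTLS attempt died."""
    server_sent_cert = server_finished = False
    for line in log_text.splitlines():
        alert = ALERT_READ.search(line)
        if alert and alert.group(1) == "fatal":
            # The client refused something during the handshake and said why.
            return "client_alert:" + alert.group(2).strip()
        if "error in" in line and "read client certificate" in line:
            # Not a failure: on a non-blocking socket OpenSSL reports WANT_READ
            # this way (the errno=35 / EAGAIN line) and resumes on the next read.
            continue
        if "SSL_accept:SSLv3 write certificate" in line:
            server_sent_cert = True
        elif "SSL_accept:SSLv3 write finished" in line:
            server_finished = True
        elif server_finished and "ber_get_next" in line and "errno=0" in line:
            # EOF from the peer after a completed handshake and no alert: the
            # client finished TLS, then dropped the link after its own checks.
            return "client_closed_after_handshake"
    if server_finished:
        return "handshake_ok"
    return "handshake_incomplete_after_cert_sent" if server_sent_cert else "handshake_incomplete"
```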