
Re: Cannot get ldaps to work to 2.0.19 or 2.0.11



Hi James,
  Thanks a lot for the reply. Unfortunately though, that doesn't seem to
be the real problem. I've tried running 2.0.19 as root but to no avail.
Also, 2.0.11 that I tested was actually on a pristine RH 7.2. Btw, if it
matters, I am using openssl-0.9.6b-8 that comes with RH7.2. Any other
ideas?
Thanks in advance
prasad

----- Original Message -----
From: "James Bourne" <jbourne@MtRoyal.AB.CA>
To: "Prasad A. Chodavarapu" <chprasad@hotmail.com>
Cc: <openldap-software@OpenLDAP.org>
Sent: Sunday, January 06, 2002 1:04 PM
Subject: Re: Cannot get ldaps to work to 2.0.19 or 2.0.11


> On Sun, 6 Jan 2002, Prasad A. Chodavarapu wrote:
>
> > I've been trying in vain to get my OpenLDAP installation (both 2.0.11
> > and 2.0.19) to work over SSL. I can get ldap:/// to work with all
> > clients I tried but ldaps:/// was a different story with every client.
> >
> > I've searched the web, made sure that the hostname in my server
> > certificate resolves correctly but it didn't help either. One thing I
> > haven't done is configure any of the clients with any certificates.
>
> Hi,
> Try running the ldap server as root.  There seems to be a bug, either with
> openssl 0.9.6(null,a,b) or with openldap (I think it is a problem in openssl
> more than openldap) which does not allow the server to run as a non-root
> user and properly use TLS...  The Red Hat 7.2 distributed RPMS do work
> properly as a non-root user, and I've backported them (not very difficult)
> to Red Hat 6.1 as well.  You may want to look to those for your build tips.
>
> Regards
> James Bourne
>
> >
> > My conf file contains the following TLS directives.
> >
> > TLSCertificateFile /usr/share/ssl/certs/slapd.pem
> > TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
> > #the following are not documented in the latest man page
> > TLSCACertificateFile /usr/share/ssl/certs/slapd.pem
> > TLSVerifyClient 0
> >
> > and finally, here's my debug trace.
> >
> > slapd starting
> > daemon: added 6r
> > daemon: added 7r
> > daemon: select: listen=6 active_threads=0 tvp=NULL
> > daemon: select: listen=7 active_threads=0 tvp=NULL
> > daemon: activity on 1 descriptors
> > daemon: new connection on 10
> > ldap_pvt_gethostbyname_a: host=cherish.aalayance.com, r=0
> > daemon: conn=0 fd=10 connection from IP=127.0.0.1:34267
> > (IP=0.0.0.0:31746) accepted.
> > daemon: added 10r
> > daemon: activity on:
> > daemon: select: listen=6 active_threads=0 tvp=NULL
> > daemon: select: listen=7 active_threads=0 tvp=NULL
> > daemon: activity on 1 descriptors
> > daemon: activity on: 10r
> > daemon: read activity on 10
> > connection_get(10)
> > connection_get(10): got connid=0
> > connection_read(10): checking for input on id=0
> > TLS trace: SSL_accept:before/accept initialization
> > tls_read: want=11, got=11
> > tls_read: want=113, got=113
> > TLS trace: SSL_accept:SSLv3 read client hello A
> > TLS trace: SSL_accept:SSLv3 write server hello A
> > TLS trace: SSL_accept:SSLv3 write certificate A
> > TLS trace: SSL_accept:SSLv3 write server done A
> > tls_write: want=875, written=875
> > TLS trace: SSL_accept:SSLv3 flush data
> > tls_read: want=5 error=Resource temporarily unavailable
> > TLS trace: SSL_accept:error in SSLv3 read client certificate A
> > TLS trace: SSL_accept:error in SSLv3 read client certificate A
> > daemon: select: listen=6 active_threads=0 tvp=NULL
> > daemon: select: listen=7 active_threads=0 tvp=NULL
> > daemon: activity on 1 descriptors
> > daemon: activity on: 10r
> > daemon: read activity on 10
> > connection_get(10)
> > connection_get(10): got connid=0
> > connection_read(10): checking for input on id=0
> > tls_read: want=5, got=5
> >   0000:  16 03 01 00 86                                     .....
> > tls_read: want=134, got=134
> > TLS trace: SSL_accept:SSLv3 read client key exchange A
> > tls_read: want=5, got=5
> >   0000:  14 03 01 00 01                                     .....
> > tls_read: want=1, got=1
> >   0000:  01                                                 .
> > tls_read: want=5, got=5
> >   0000:  16 03 01 00 28                                     ....(
> > tls_read: want=40, got=40
> > TLS trace: SSL_accept:SSLv3 read finished A
> > TLS trace: SSL_accept:SSLv3 write change cipher spec A
> > TLS trace: SSL_accept:SSLv3 write finished A
> > tls_write: want=51, written=51
> > TLS trace: SSL_accept:SSLv3 flush data
> > daemon: select: listen=6 active_threads=0 tvp=NULL
> > daemon: select: listen=7 active_threads=0 tvp=NULL
> > daemon: activity on 1 descriptors
> > daemon: activity on: 10r
> > daemon: read activity on 10
> > connection_get(10)
> > connection_get(10): got connid=0
> > connection_read(10): checking for input on id=0
> > ber_get_next
> > tls_read: want=5, got=0
> >
> > ldap_read: want=1, got=0
> >
> > ber_get_next on fd 10 failed errno=0 (Success)
> > connection_read(10): input error=-2 id=0, closing.
> > connection_closing: readying conn=0 sd=10 for close
> > connection_close: conn=0 sd=10
> > daemon: removing 10
> > conn=-1 fd=10 closed
> >
> > Thanks in advance
> > prasad
> >
>
> --
> James Bourne, Supervisor Data Centre Operations
> Mount Royal College, Calgary, AB, CA
> www.mtroyal.ab.ca
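Reading a slapd debug trace like the one quoted in this thread by eye is error-prone. The Python script below is an added example, not part of the thread: it parses the `TLS trace: SSL_accept:` state lines and the `tls_read:` lines, treats the "Resource temporarily unavailable" (EAGAIN) retry as the non-fatal wait it is, and reports whether the server-side handshake completed and whether the peer then closed the connection before sending any LDAP PDU. The embedded trace is a constructed abridgement of the one quoted above, with the hex dumps left out.

```python
import re

# Constructed abridgement of the slapd -d trace quoted in the thread (hex dumps omitted).
SAMPLE_TRACE = """\
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
ber_get_next
tls_read: want=5, got=0
connection_read(10): input error=-2 id=0, closing.
"""

# SSL_accept state lines carry an optional "error in " prefix and a trailing " A".
STATE_RE = re.compile(r"^TLS trace: SSL_accept:(error in )?(.+?)(?: A)?$")
# tls_read lines end either in ", got=N" or in " error=<text>".
READ_RE = re.compile(r"^tls_read: want=\d+(?:, got=(\d+)| error=(.+))$")

def analyse(trace):
    """Replay the SSL_accept state lines and classify how the connection ended."""
    states, retries, finished, outcome = [], 0, False, None
    for line in trace.splitlines():
        m = STATE_RE.match(line)
        if m:
            states.append(m.group(2))
            finished = finished or m.group(2) == "SSLv3 write finished"
            continue
        m = READ_RE.match(line)
        if not m:
            continue
        got, err = m.groups()
        if err and "temporarily unavailable" in err:
            retries += 1          # EAGAIN on a non-blocking socket: slapd resumes later
        elif err:
            outcome = outcome or f"read error: {err}"
        elif got == "0" and finished:
            outcome = outcome or "handshake completed; peer closed before sending any LDAP PDU"
        elif got == "0":
            outcome = outcome or "peer closed during handshake"
    verdict = outcome or ("handshake completed" if finished
                          else f"handshake stalled at: {states[-1] if states else 'start'}")
    return {"last_state": states[-1] if states else None, "retries": retries,
            "handshake_complete": finished, "verdict": verdict}
```

On the quoted trace the verdict is that slapd completed its side of the handshake and the peer closed without issuing a request, which points the investigation at the client's side of the connection (its trust and hostname checks) rather than at the TLS directives in slapd.conf.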