
OpenLDAP (CDS), unable to use TLS
Dear All,

Now I'm able to generate the certificates. I have configured the slapd.conf
and ldap.conf as follows (please see the command output after the files):

******** START
1. SLAPD.conf
TLSRandFile     /var/symas/egd-pool
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /opt/symas/bin/ldapcert.pem
TLSCertificateKeyFile /opt/symas/bin/ldapkey.pem
TLSCACertificateFile /opt/symas/bin/cacert.pem

2.  LDAP.conf
BASE dc=TEST3,dc=TEST2,dc=myDomain,dc=com
URI ldap://TEST3.TEST2.myDomain.com ldap://TEST3.TEST2.myDomain.com:666
host TEST3.TEST2.myDomain.com
port 636
# Even if this is set to 'ssl yes', error remains the same.
ssl start_tls
TLS_CACERT /opt/symas/bin/cacert.pem


3.  Still, I'm getting the following error:
Command to query the DS.

# /opt/symas/bin/ldapsearch -d 9 -Z -W -D "cn=Manager,dc=TEST3,dc=TEST2,dc=mydomain,dc=com" -b "" "(objectClass=*)"
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP TEST3.TEST2.myDomain.com:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 10.1.1.10:389
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_ndelay_on: 4
ldap_ndelay_off: 4
ldap_int_sasl_open: host=TEST3
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 31 bytes to sd 4
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: TEST3.TEST2.myDomain.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Oct 22 08:35:46 2002

** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ldap_read: message type extended-result msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
read1msg:  0 new referrals
read1msg:  mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({iaa) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=TEST3.TEST2.myDomain.com, issuer: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=TEST3.TEST2.myDomain.com
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (91)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Enter LDAP Password:
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_send_server_request
ber_flush: 64 bytes to sd 4
ldap_result msgid 2
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 2
wait4msg continue, msgid 2, all 1
** Connections:
* host: TEST3.TEST2.myDomain.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Oct 22 08:36:27 2002

** Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
read1msg: msgid 2, all 1
ber_get_next
ber_get_next failed.
ldap_perror
ldap_sasl_interactive_bind_s: Can't contact LDAP server (81)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

******** END

I don't understand the steps to fix this problem. Please guide. Thanks.

Regards
Pravin Joshi
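An added diagnostic for the trace above (my own example, not part of Pravin's post or of the OpenLDAP/Symas tools): it pulls the `TLS certificate verification:` line out of an `ldapsearch -d 9` trace, re-joins DNs that a mail client has wrapped, and maps the OpenSSL verify code to the trust-store condition behind it. Error 20 with identical subject and issuer DNs means OpenSSL found no certificate in TLS_CACERT whose key signed the server certificate (identical names do not imply the same CA key), so the thing to check is whether cacert.pem really issued ldapcert.pem. The sample lines are constructed from the trace, with mail-client wrapping left in.

```python
import re
# OpenSSL X509 verify codes seen on the "TLS certificate verification:
# depth: N, err: E" line of an ldapsearch -d 9 trace.
X509_ERRORS = {10: "certificate has expired", 18: "self-signed leaf not trusted",
               19: "self-signed CA in chain not trusted",
               20: "unable to get local issuer certificate"}
VERIFY_RE = re.compile(r"depth: (\d+), err: (\d+), subject:\s*(.*), issuer:\s*(.*)")
def parse_tls_verify(trace):
    # Returns (depth, err, subject, issuer) or None. Mail clients wrap the long
    # DNs, so lines up to the next 'TLS' line are glued back on without spaces.
    lines = trace.splitlines()
    for i, line in enumerate(lines):
        if "TLS certificate verification: depth:" not in line:
            continue
        joined = line
        for nxt in lines[i + 1:]:
            if nxt.startswith("TLS"):
                break
            joined += nxt.strip()
        m = VERIFY_RE.search(joined)
        if m:
            return (int(m.group(1)), int(m.group(2)),
                    m.group(3).strip(), m.group(4).strip())
    return None

def diagnose(trace):
    # Map the verify failure to the trust-store condition behind it.
    parsed = parse_tls_verify(trace)
    if parsed is None:
        return None
    depth, err, subject, issuer = parsed
    same_dn = subject == issuer
    if err == 20 and same_dn:
        # err 20 rather than 18: no cert in TLS_CACERT whose key signed the leaf.
        hint = "no matching issuer in TLS_CACERT; check cacert.pem signed ldapcert.pem"
    elif err == 20:
        hint = "TLS_CACERT lacks the CA that issued the server cert"
    else:
        hint = X509_ERRORS.get(err, "unknown X509 verify error %d" % err)
    return {"depth": depth, "err": err, "subject": subject,
            "issuer": issuer, "same_dn": same_dn, "hint": hint}
# Constructed sample: the verification lines from the trace, wrapping kept.
SAMPLE = """\
TLS certificate verification: depth: 0, err: 20, subject:
/C=AU/ST=Some-State/O=
Internet Widgits Pty Ltd/CN=TEST3.TEST2.myDomain.com, issuer: /C=A
U/ST=Some-State/O=Internet Widgits Pty Ltd/CN=TEST3.TEST2.myDomain
.com
TLS certificate verification: Error, unable to get local issuer certificate
"""
```

Run `diagnose(SAMPLE)` to get the parsed depth, error code, both DNs and the hint; a trace with no verification line yields `None`.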