
Re: OpenLDAP starts, but...



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday, March 15, 2005 22:13, Kurt D. Zeilenga wrote:
> I don't believe Pupeno has expressed this publicly yet.
> As far as I can tell, he's using s_client against slapd.
> Where's the evidence (or his statement) that s_client is
> working against s_server (on the systems he's having
> problems with)?  If he's gotten s_client to work with
> s_server, and verify to report no errors... then he should
> say so.
I'm sorry, I've had some chat sessions with Quanah and I may have thought 
I'd posted something that I didn't.

> And if s_client/s_server are working, what about ldapsearch(1)
> to s_server?
I haven't tried it. Let's see.

I start the server:

# openssl s_server -accept 1234 -cert /etc/ssl/certificate.pem -key /etc/ssl/privatekey.pem
Using default temp DH parameters
ACCEPT

I run ldapsearch:

# ldapsearch -x -H ldaps://master.pupeno.com:1234

the server says:

-----BEGIN SSL SESSION PARAMETERS-----
MHUCAQECAgMBBAIAOAQgWlBOzysTy23s7dCp0t3KMKXk4LtGT+8Hx0p6XyIoCDoE
MEcrHqRjqpNkTaR4kbZc5wzdX08SDJm7er6I+/6lD3qGiD9ozU9R9OsJyb/aoVs0
K6EGAgRCN5VrogQCAgEspAYEBAEAAAA=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:DHE-DSS-RC4-SHA:RC4-SHA:RC4-MD5:EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DES-CBC-SHA:EXP1024-RC2-CBC-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP1024-DHE-DSS-RC4-SHA:EXP1024-RC4-SHA:EXP1024-RC4-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
CIPHER is DHE-DSS-AES256-SHA
0
 `

and that's all. Do you see anything wrong here?

Just for the record:
s_client -> s_server [works]
any browser -> apache [works]
s_client -> slapd [doesn't work]
ldapsearch -> slapd [doesn't work]

> >The OpenSSL verify command with the trusted CA from cacert.org works.
>
> Looks to me (from his OpenSSL post) that a verify command is
> returning errors.

I believe the errors are because there's no certification for cacert.pem; 
well, after all, it's a root certificate, the chain starts somewhere. Or do 
you know how to solve those errors? If I run the command this way:

# openssl verify -CAfile /etc/ssl/certs/cacert.pem -purpose sslserver -verbose /etc/ssl/certificate.pem
/etc/ssl/certificate.pem: OK

I don't get any error.

> >However, using the openssl client to request the cert from his OpenLDAP
> > server does not return a cert.  Testing the same thing against my ldap
> > servers returned a cert.
>
> Well, if ldapsearch(1) works to s_server on his system, and
> works against your server, I'd guess his server runtime
> environment hosed.  File permissions or something.
I had file permission problems with the key and the certificate before; 
in that case, slapd doesn't even start.

Thank you.
-- 
Pupeno: pupeno@pupeno.com - http://pupeno.com
Reading Science Fiction? http://sfreaders.com.ar
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCN5bLfW48a9PWGkURAiVJAJwKpB0RI+CygayIVt8XpnLzcM8gBQCeLNiE
9koV79HUeBdM7vBZ8DJzEqk=
=g9P/
-----END PGP SIGNATURE-----
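The message above walks through a ladder of TLS checks: openssl verify with -purpose sslserver, s_client against s_server, and ldapsearch against s_server, with the failing rung being anything that talks to slapd. The script below, an added example that is not code from the thread or from the OpenLDAP project, reproduces that ladder offline on a throwaway CA so each rung can be exercised on its own, and adds the two checks a practitioner would run before blaming slapd: that the private key actually belongs to the certificate, and that the key file's permissions are sane. Every name, path and the port number (14389) are assumptions; the CA and server certificate are constructed on the fly. It does not start slapd, so it cannot reproduce the failing rung itself; what it shows is how to confirm that the certificate, key and OpenSSL installation are fine, which is what makes a slapd runtime-environment problem the remaining explanation.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP.  Rebuilds the
# checks the thread walks through (openssl verify -purpose sslserver, and an
# s_server/s_client handshake on a loopback port) on a throwaway CA, and adds
# a key/cert match check and a key-permission check.  Names, paths and the
# port are assumptions; the PKI is constructed here and is not the poster's.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PORT=${PORT:-14389}   # assumed free local port, standing in for the thread's 1234

# Build a minimal self-signed CA and a server certificate signed by it.  A
# private config file avoids depending on whatever the system openssl.cnf says.
make_pki() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = test-ldap.example
[ca_ext]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:test-ldap.example
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -config "$WORK/openssl.cnf" -extensions ca_ext -subj "/CN=Test Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions server_ext \
    -out "$WORK/server.pem" 2>/dev/null
  chmod 600 "$WORK/server.key"
}

# The check the thread runs: does the server cert chain to the CA and is it
# usable as a TLS server cert?  The exit status is the reliable signal.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.pem" -purpose sslserver "$WORK/server.pem" >/dev/null 2>&1
}

# A private key that does not belong to the certificate is a classic way to
# get a daemon that starts but never completes a handshake: compare the
# public keys extracted from each side.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$WORK/server.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/server.key" -pubout)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The thread's file-permission angle: the key must be readable by the user
# running the check (run this as the daemon's user) and not by everyone.
key_not_world_readable() {
  [ -r "$WORK/server.key" ] && [ -z "$(find "$WORK/server.key" -perm -004)" ]
}

# The loopback rung of the ladder: s_server with the cert and key, s_client
# with the CA.  Succeeds only if the client received a certificate that
# verified against the CA.
loopback_handshake() {
  openssl s_server -accept "$PORT" -cert "$WORK/server.pem" \
    -key "$WORK/server.key" -www >/dev/null 2>&1 </dev/null &
  srv=$!
  sleep 1
  out=$(openssl s_client -connect "127.0.0.1:$PORT" -CAfile "$WORK/ca.pem" \
    -verify_return_error </dev/null 2>&1) || true
  kill "$srv" 2>/dev/null || true
  wait "$srv" 2>/dev/null || true
  printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

report() {
  if "$2"; then echo "PASS: $1"; else echo "FAIL: $1"; fi
}

make_pki
report "server cert verifies against CA for purpose sslserver" verify_chain
report "private key matches certificate" key_matches_cert
report "private key is not world-readable" key_not_world_readable
report "s_client <-> s_server handshake on loopback" loopback_handshake
```

Run it with sh; it needs only the openssl command-line tool. To apply the same checks to a real deployment, point the paths at the deployed certificate, key and CA bundle and run the script as the user slapd runs as. If all four rungs pass there but s_client to slapd still returns no certificate, the certificate and key are not the problem, and attention belongs on slapd's runtime environment: which files it actually opens, as which user, and what its TLS library reports at startup.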