[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: fedora and openldap

To: Quanah Gibson-Mount <quanah@zimbra.com>
Subject: Re: fedora and openldap
From: Judith Flo Gaya <jflo@imppc.org>
Date: Tue, 12 Apr 2011 21:57:24 +0200
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>, "harry.jede@arcor.de" <harry.jede@arcor.de>
In-reply-to: <7DC7B756EB42BF2C152A89BD@[192.168.1.2]>
References: <4D9B87A2.8040400@imppc.org> <201104091723.01247.harry.jede@arcor.de> <4DA2CE65.70006@imppc.org> <201104111314.34875.harry.jede@arcor.de> <4DA4876E.7000907@imppc.org> <38ACE42D42C9413E24A03D6F@[192.168.1.2]> <4DA4A479.70404@imppc.org> <7DC7B756EB42BF2C152A89BD@[192.168.1.2]>
User-agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101207 Lightning/1.0b2 Thunderbird/3.1.7

I changed the ldap.conf file in the client so instead of TLS_CACERTDIRnow I'm using TLC_CACERT <file.pem>

and the error now is this one:
# ldapsearch -x -d1 #it's the same error if I set -H server
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP curri0.imppc.local:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.19.5.13:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0

TLS: error: connect - force handshake failure -1 - error -8054:Unknowncode ___f 138

TLS: can't connect: .
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

and the server says:
slap_listener_activate(8):
>>> slap_listener(ldaps://curri0.imppc.local:636)
connection_get(12): got connid=1034
connection_read(12): checking for input on id=1034
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=1034
connection_read(12): checking for input on id=1034
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A

TLS: can't accept: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3alert bad certificate.

connection_read(12): TLS accept failure error=-1 id=1034, closing
connection_close: conn=1034 sd=12

I can't understand why the server complains about a bad certificate,when the client certificate was generated there :O by the openssl libraries.


As said, thanks a lot for your time,
j

On 4/12/11 9:33 PM, Quanah Gibson-Mount wrote:

--On Tuesday, April 12, 2011 9:14 PM +0200 Judith Flo Gaya<jflo@imppc.org>
wrote:

Hello Quanah,
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: could not initialize moznss using security dir /etc/openldap/cacerts

It sounds to me like you linked it against MozNSS instead of OpenSSL.  I
would suggest you rebuild it with --with-tls=openssl

--Quanah


--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Follow-Ups:
- Re: fedora and openldap
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

References:
- fedora and openldap
  - From: Judith Flo Gaya <jflo@imppc.org>
- Re: fedora and openldap
  - From: harry.jede@arcor.de
- Re: fedora and openldap
  - From: Judith Flo Gaya <jflo@imppc.org>
- Re: fedora and openldap
  - From: harry.jede@arcor.de
- Re: fedora and openldap
  - From: Judith Flo Gaya <jflo@imppc.org>
- Re: fedora and openldap
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- Re: fedora and openldap
  - From: Judith Flo Gaya <jflo@imppc.org>
- Re: fedora and openldap
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

Prev by Date: Re: fedora and openldap
Next by Date: Re: fedora and openldap
Index(es):
- Chronological
- Thread