
Re: Antw: problem with accessing secure ldap



After reading through the replies, my read of it was that an alternate build was probably a better choice. Thanks for the feedback.


On Thursday, January 30, 2014 2:21 PM, Aaron Richton <richton@nbcs.rutgers.edu> wrote:
On Thu, 30 Jan 2014, c chupela wrote:

> Further troubleshooting on my part with ldapsearch/debugging gave me the following:
>
> TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix=" keyPrefix=" flags=readOnly
> TLS: using moznss security dire /etc/openldap/certs prefix
> TLS: error: tlsm_PR_Recv returned 0 - error 21:Is a directory
> TLS: error: connect - force handshake failure: errono 21 - moznss error -5938
> TLS: can't connect: TLS error -5938:Encountered end of file
> ldap_err2string
> ldap_sasl_bin(SIMPLE): Can't contact LDAP server (-1)
>
> Searches I've done on this error seem to point to certificate/OpenSSL problems.
>
> Anyone run into this before?

Sure, others have. For example,
http://www.openldap.org/lists/openldap-technical/201202/msg00460.html
shows somebody working through their certificate configuration.


Your original message mentioned that this was a test server. The debugging
output indicates that you're using MozNSS, not OpenSSL. Personally, I'd
give a long and sober thought to deploying a server with MozNSS as the
crypto provider. You may be able to get your tests working after spending
some quality time with certutil(1), but those efforts may be better spent
researching alternate builds that utilize OpenSSL.


> On Friday, January 24, 2014 5:39 PM, c chupela <cnctema68@yahoo.com> wrote:
> After having some packet traces done, what was revealed is that from a Windows client running the Softerra LDAP browser, we could see the connection be established between client and server (syn, ack synack);
> the client requests sending of data, and the server resets/closes the connection, never sending any data, as I also saw when attempting to telnet to port 636: connection is closed by remote host.
>
> Regarding the question of whether TLS is enabled, if I understand the doc correctly, the answer is yes. With respect to the TLS_REQCERT never statement, I believe it was set this way because this was only intended
> to be a testing server.
>
> contents of ldap.conf:
>
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> BASE    dc=plandb,dc=stuff,dc=acme,dc=com
> URI     ldap://plandb-qa.stuff.acme.com ldaps://plandb-qa.stuff.acme.com:636
>
> #SIZELIMIT      12
> #TIMELIMIT      15
> #DEREF          never
>
> TLS_CACERTDIR   /etc/openldap/certs
> TLS_REQCERT     never
>
>
> currently running slapd process:
>
> 1 S ldap      5603     1  0  80   0 - 111440 futex_ Jan21 ?       00:00:02 /usr/sbin/slapd -h  ldap:/// ldaps:/// ldapi:/// -u ldap
>
>
> On Thursday, January 23, 2014 3:25 AM, Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> wrote:
> >>> c chupela <cnctema68@yahoo.com> wrote on 22.01.2014 at 18:43 in message
> <1390412584.5499.YahooMailNeo@web140101.mail.bf1.yahoo.com>:
> > I've been tasked with figuring out why a Red Hat 6.4 server w/ OpenLDAP v2.4.23
> > is not accessible.
> > This server is a test server. I have a production server that is working
> > properly, and I've gone through and compared config files, etc., but haven't
> > found any differences.
> >
> >  I'm a newbie with this, so my understanding is still somewhat limited. 
> > Here's what I've done or checked so far:
> >
> > - iptables is not running
> > - if I run netstat, I can see port 389/port 636 in listening state:
> >
> > tcp        0      0 0.0.0.0:636                0.0.0.0:*                   LISTEN      5603/slapd
> > tcp        0      0 0.0.0.0:389                0.0.0.0:*                   LISTEN      5603/slapd
> > tcp        0      0 :::636                     :::*                        LISTEN      5603/slapd
> > tcp        0      0 :::389                     :::*                        LISTEN      5603/slapd
> >
> > I can telnet to port 389 on this server from another server, but not to port
> > 636 - PuTTY will throw back an immediate 'connection closed by remote host'
> > message.
> >
> > I'm not seeing any slapd related messages in /var/log/messages.
> >
> > What else can I check on here?
>
> Syslog
>
> >
> > Thanks
> > Chris
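As an added example (not code from the thread, from OpenLDAP or from any of its posters), a small Python client-side check that connects to an LDAPS port with certificate verification kept on, the client-side equivalent of TLS_REQCERT demand rather than the never setting in the quoted ldap.conf, and tells apart the failure modes the thread walks through: TCP refused, the server accepting and then hanging up before any TLS data (the "end of file" in the ldapsearch debug output), and a certificate that does not verify. `check_ldaps` and `accept_and_close_server` are names chosen here; the latter is a constructed local stand-in for the misbehaving server, not a real slapd.

```python
"""Classify an LDAPS connection attempt with TLS certificate verification ON."""
import socket
import ssl
import threading


def check_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Return a (verdict, detail...) tuple for a TLS connection to host:port.

    Verification is never switched off: a bad CA setup surfaces as
    'cert-verify-failed' instead of being silently accepted.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain + hostname
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:  # refused, filtered or unreachable: not a TLS problem
        return ("tcp-connect-failed", str(e))
    with sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                return ("ok", tls.version(), subject)
        except ssl.SSLCertVerificationError as e:  # chain or hostname mismatch
            return ("cert-verify-failed", e.verify_message)
        except (ssl.SSLEOFError, ConnectionError) as e:
            # TCP was accepted, then the peer closed without sending a byte:
            # the symptom in the thread, i.e. the server's own TLS setup is broken.
            return ("closed-before-handshake", str(e))
        except ssl.SSLError as e:  # protocol-level failure during the handshake
            if "EOF" in str(e):
                return ("closed-before-handshake", str(e))
            return ("tls-error", e.reason or str(e))
        except socket.timeout as e:
            return ("handshake-timeout", str(e))


def accept_and_close_server():
    """Constructed stand-in for the faulty slapd: accept one TCP connection on
    127.0.0.1 and close it without sending anything. Returns (port, thread)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return srv.getsockname()[1], t


if __name__ == "__main__":
    port, t = accept_and_close_server()
    print(check_ldaps("127.0.0.1", port))  # verdict: closed-before-handshake
    t.join()
```

Against a real host, call `check_ldaps("ldap.example.test", cafile="/path/to/ca.pem")` with the CA that signed the server certificate; an "ok" verdict also returns the negotiated TLS version and the certificate subject.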