On 2024-04-30 Elliott Mitchell <ehem+deb...@m5p.com> wrote:
> On Tue, Apr 30, 2024 at 05:55:15AM +0200, Andreas Metzler wrote:
> > On 2024-04-29 Elliott Mitchell <ehem+deb...@m5p.com> wrote:
[...]
> > > From `nslcd` on clients I was getting the message:
> > > nslcd[12345]: [1a2b3c] <group/member="root"> failed to bind to LDAP
> > > server ldaps://[fd12:3456:7890:abcd::3]/: Can't contact LDAP server: The
> > > TLS connection was non-properly terminated.: Resource temporarily
> > > unavailable
[...]
> > > Once I finally figured out `slapd`'s debug mode ('-h ldaps:/// ldapi:///'
> > > is two arguments, the ldaps and ldapi are a single argument), I got
> > > traces from `slapd` (serial numbers filed off):
> > >
> > > tls_read: want=5, got=5
> > > 0000: 16 03 01 01 8f
> > >
> > > tls_read: want=399, got=399
> > > 0160: ............fd12
> > > 0170: :3456:7890:abcd:
> > > 0180: :3.-.........@.
> > > TLS: can't accept: A disallowed SNI server name has been received..
> > > connection_read(13): TLS accept failure error=-1 id=1005, closing
[...]
> > I guess you used the IPv6 address as either CN or Subject Alternative
> > Name. Both take names, not IP addresses. There is a different field for
> > IP addresses.
> >
> > gnutls-cli --port 636 fd12:3456:7890:abcd::3
> >
> > will probably give more info.
> >
> > FWIW I have just generated a local test certificate with "IPAddress:"
> > set to '::1' and things work for me as expected.

> Hmm, `gnutls-cli --port ldaps` gave a different result. The connection
> successfully established and I was left being able to type to `slapd`.
[...]
> Anything further is purely guesswork.

Hello,

well, you could post the complete output of

gnutls-cli --port 636 fd12:3456:7890:abcd::3

perhaps even with -d10? I would reassign to openldap then if there are no
obvious clues.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so
grateful to you.'
`I sew his ears on from time to time, sure'
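The slapd trace in the thread shows the ClientHello's server_name (SNI) extension carrying the IPv6 literal from the ldaps:// URL, and RFC 6066 section 3 does not permit literal IPv4 or IPv6 addresses in the host_name field. The following is an added diagnostic example, not code from the bug report or from OpenLDAP/GnuTLS: it builds a constructed minimal ClientHello (same record layout as the `16 03 01 ..` dump above, with fake random bytes), extracts the SNI host_name, and reports whether it is an IP literal, so a defender can tell a client-side SNI problem apart from a certificate name problem before touching the server certificate.

```python
import ipaddress
import struct

def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS ClientHello (zeroed random, one cipher suite)
    carrying a single server_name extension entry. For illustration only."""
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list        # extension_type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                      # version, random, session_id len
            + b"\x00\x02\x00\x2f"                                     # cipher_suites: one suite
            + b"\x01\x00"                                             # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body     # type client_hello, 3-byte len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header

def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's server_name extension, or None."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    p = 5 + 4 + 2 + 32                                  # record hdr, hs hdr, version, random
    p += 1 + record[p]                                  # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]    # cipher_suites
    p += 1 + record[p]                                  # compression_methods
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0:
            q = p + 2                                   # skip server_name_list length
            if record[q] == 0:                          # host_name entry
                nlen = struct.unpack("!H", record[q + 1:q + 3])[0]
                return record[q + 3:q + 3 + nlen].decode("ascii", "replace")
        p += elen
    return None

def sni_is_ip_literal(name: str) -> bool:
    """RFC 6066 s3 forbids IP literals in host_name; flag them."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    hello = build_client_hello("fd12:3456:7890:abcd::3")   # address from the report
    sni = extract_sni(hello)
    print(f"SNI={sni!r} ip_literal={sni_is_ip_literal(sni)}")
```

On a real capture, feed the first TLS record of the client's connection to `extract_sni`; a name such as `ldap.example.org` passes while an address literal is flagged.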