Hello,

I have an OpenLDAP 2.2.5 running. The OpenLDAP is configured with
slapd.conf (part):
==========
sasl-secprops   none
sasl-host       iclab062.ic.acme.com
sasl-realm      IC.ACME.COM
loglevel        4

TLSCACertificateFile /tmp/acme_demo_cert_ca.crt
TLSCertificateFile /tmp/acme_demo_cert.crt
TLSCertificateKeyFile /tmp/acme_demo_key.key


I used the ldapsearch from the Mozilla LDAP C SDK to do SASL GSSAPI, and it
worked with no problem:
./ldapsearch -v -h 10.230.34.88 -3 -p 9001 -o "mech=GSSAPI" \
    -b "ou=People,o=Intel" '(objectclass=*)'


Now I tried to add an LDAP search over the SSL layer, and it always failed:

1:) I had the cert and key store generated at:
>ls /tmp/ldapdatabase1/
total 120
 4 ./  20 ../  64 cert8.db  16 key3.db  16 secmod.db


====================
FYI, I used the tools from the library to generate the db, and certutil
listed "acme-demo", so the db seems good.

ldapcsdk_6.0.4-1/mozilla_ldap/security/nss/cmd/modutil/Linux2.6_x86_64_glibc_PTH_64_OPT.OBJ/modutil \
    -create -dbdir /tmp/ldapdatabase1/
openssl pkcs12 -export -in /tmp/acme_demo_cert.crt -inkey /tmp/acme_demo_key.key \
    -CAfile /tmp/acme_demo_cert_ca.crt -out acme_demo.pk12 -name \"acme-demo\"
ldapcsdk_6.0.4-1/mozilla_ldap/security/nss/cmd/pk12util/Linux2.6_x86_64_glibc_PTH_64_OPT.OBJ/pk12util \
    -i acme_demo.pk12 -d /tmp/ldapdatabase1/
ldapcsdk_6.0.4-1/mozilla_ldap/security/nss/cmd/certutil/Linux2.6_x86_64_glibc_PTH_64_OPT.OBJ/certutil \
    -L -d /tmp/ldapdatabase1/


2:) do an SSL connection to the LDAP server like below (I just added the
-K, -P and -Z options to the command above):
=====
./ldapsearch -v -h 10.230.34.88 -3 -p 9001 -o "mech=GSSAPI" \
    -b "ou=People,o=Intel" \
    -K /tmp/ldapdatabase1/key3.db -P /tmp/ldapdatabase1/cert8.db \
    -Z '(objectclass=*)'

I got:
        ldapsearch: started Tue Feb 16 13:05:58 2010
        ldap_init( 10.230.34.88, 9001 )
        Bind Error: Can't contact LDAP server

On the openldap server side:
        connection_get(9): got connid=2
        connection_read(9): checking for input on id=2
        ber_get_next
        ber_get_next: tag 0x80 len 52 contents:
        ber_get_next on fd 9 failed errno=0 (Success)
        connection_read(9): input error=-2 id=2, closing.
        connection_closing: readying conn=2 sd=9 for close
        connection_close: conn=2 sd=9

If I use the ldapsearch from OpenLDAP, the SSL connection works well. But
there is something wrong with my Mozilla ldapsearch.

Has anyone ever SSL-connected to OpenLDAP before?
Is my slapd.conf for the SSL connection configured fine?
Is there anything obviously wrong in my setup?
I do not have much of a clue about it now. Can anyone help me solve this
problem?
_______________________________________________
dev-tech-ldap mailing list
https://lists.mozilla.org/listinfo/dev-tech-ldap
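The slapd trace in the post shows the server reading the client's first two bytes as a BER header ("tag 0x80 len 52") on port 9001, the same port on which the plaintext GSSAPI search succeeded. The script below is an added example, not code from the original post, from OpenLDAP or from the Mozilla LDAP C SDK. It decodes a BER tag/length the way a ber_get_next()-style reader would, renders the matching trace line, and labels the first bytes of a connection as a plaintext LDAPMessage, a TLS record, or an SSLv2-compatible ClientHello (a header byte with the high bit set, the low 15 bits as length, then message type 1). Which of those the Mozilla client actually sent is an assumption here: the sample inputs are constructed, and only the two bytes 0x80 0x34 (length 52) are visible in the post. The example is useful because the two ldapsearch tools interpret -Z differently: the Mozilla SDK's -Z opens an SSL session to the given port, while OpenLDAP's -Z issues StartTLS over a plaintext connection, so matching a capture against the server trace tells you whether TLS bytes are arriving on a listener that expects BER.

```python
"""Label the first bytes a server reads from a new connection.

Added example; not code from the original post, OpenLDAP or the
Mozilla LDAP C SDK. All sample inputs below are constructed.
"""
from __future__ import annotations


def ber_tag_and_length(data: bytes) -> tuple[int, int]:
    """Return (tag, length) as a BER reader decodes them from the start
    of `data`. Handles short-form and definite long-form lengths and
    raises on truncated or indefinite input."""
    if len(data) < 2:
        raise ValueError("need at least two bytes")
    tag = data[0]
    first = data[1]
    if first < 0x80:
        return tag, first                      # short form: one byte
    n = first & 0x7F
    if n == 0 or len(data) < 2 + n:
        raise ValueError("indefinite or truncated length")
    return tag, int.from_bytes(data[2:2 + n], "big")


def slapd_style_log(data: bytes) -> str:
    """Render the trace line slapd prints for the first PDU header, so a
    packet capture can be compared against the server log."""
    tag, length = ber_tag_and_length(data)
    return f"ber_get_next: tag 0x{tag:02x} len {length} contents:"


def classify_first_bytes(data: bytes) -> str:
    """Label the start of a client's first write.

    - 0x30                      : BER SEQUENCE, i.e. a plaintext LDAPMessage
    - 0x16 0x03 ..              : TLS record header (handshake, version 3.x)
    - MSB set, then byte[2]==1  : SSLv2-compatible ClientHello (2-byte header,
                                  length in the low 15 bits, msg type 1)
    """
    if len(data) >= 1 and data[0] == 0x30:
        return "plaintext LDAP (BER SEQUENCE)"
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "TLS record (handshake)"
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "SSLv2-compatible ClientHello"
    return "unknown"


# Constructed samples (not from a real capture).
# 1. LDAPMessage { messageID 1, bindRequest { version 3, name "", simple "" } }
LDAP_BIND = bytes.fromhex("300c020101600702010304008000")
# 2. TLS record header (handshake, version 3.1) followed by the start of a
#    ClientHello handshake message; body truncated, header only matters here.
TLS_HELLO = bytes.fromhex("160301002f0100002b")
# 3. SSLv2-compatible ClientHello header: 0x80 | len-hi, len-lo = 0x34 (52),
#    then message type 1 (CLIENT-HELLO) and version 3.1. A BER reader sees
#    this as tag 0x80 with a short-form length of 52.
SSLV2_HELLO = bytes.fromhex("8034010301")


def diagnose(data: bytes) -> dict[str, str]:
    """Combine both views of the same bytes for a quick comparison."""
    return {"server_trace": slapd_style_log(data),
            "client_sent": classify_first_bytes(data)}


if __name__ == "__main__":
    for name, sample in (("ldap bind", LDAP_BIND), ("tls", TLS_HELLO),
                         ("sslv2 hello", SSLV2_HELLO)):
        print(name, diagnose(sample))
```

Run it and compare the `server_trace` value for each sample with the line in the slapd log; a `client_sent` label other than "plaintext LDAP" on a plain `ldap://` listener means the client negotiated security at the wrong layer for that port, and the listener (or the client's TLS mode) has to change, not the certificate database.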