On Feb 16, 1:16 pm, huican <[email protected]> wrote:
> Hello,
>
> I have an openldap 2.2.5 running. The openldap is configured with
> slapd.conf (part):
> ==========
> sasl-secprops none
> sasl-host iclab062.ic.acme.com
> sasl-realm IC.ACME.COM
> loglevel 4
>
> TLSCACertificateFile /tmp/acme_demo_cert_ca.crt
> TLSCertificateFile /tmp/acme_demo_cert.crt
> TLSCertificateKeyFile /tmp/acme_demo_key.key
>
> I used the ldapsearch from the mozilla ldap c-sdk doing sasl GSSAPI, it
> worked no problem:
> ./ldapsearch -v -h 10.230.34.88 -3 -p 9001 -o "mech=GSSAPI" -b "ou=People,o=Intel" '(objectclass=*)'
>
> Now, I tried to add ldap search over the ssl layer, and it always failed:
>
> 1:) I had the cert and key store generated at:
> >ls /tmp/ldapdatabase1/
> total 120
> 4 ./ 20 ../ 64 cert8.db 16 key3.db 16 secmod.db
> ====================
> FYI, I used the tools from the library to generate the db, and certutil
> listed "acme-demo", so the db seems good.
>
> ldapcsdk_6.0.4-1/mozilla_ldap/security/nss/cmd/modutil/Linux2.6_x86_64_glibc_PTH_64_OPT.OBJ/modutil -create -dbdir /tmp/ldapdatabase1/
> openssl pkcs12 -export -in /tmp/acme_demo_cert.crt -inkey /tmp/acme_demo_key.key -CAfile /tmp/acme_demo_cert_ca.crt -out acme_demo.pk12 -name \"acme-demo\"
> ldapcsdk_6.0.4-1/mozilla_ldap/security/nss/cmd/pk12util/Linux2.6_x86_64_glibc_PTH_64_OPT.OBJ/pk12util -i acme_demo.pk12 -d /tmp/ldapdatabase1/
> ldapcsdk_6.0.4-1/mozilla_ldap/security/nss/cmd/certutil/Linux2.6_x86_64_glibc_PTH_64_OPT.OBJ/certutil -L -d /tmp/ldapdatabase1/
>
> 2:) Do an ssl connection to the ldap server like below (I just added the
> -K, -P and -Z options on top of the above):
> =====
> ./ldapsearch -v -h 10.230.34.88 -3 -p 9001 -o "mech=GSSAPI" -b "ou=People,o=Intel" -K /tmp/ldapdatabase1/key3.db -P /tmp/ldapdatabase1/cert8.db -Z '(objectclass=*)'
>
> I got:
> ldapsearch: started Tue Feb 16 13:05:58 2010
> ldap_init( 10.230.34.88, 9001 )
> Bind Error: Can't contact LDAP server
>
> On the openldap server side:
> connection_get(9): got connid=2
> connection_read(9): checking for input on id=2
> ber_get_next
> ber_get_next: tag 0x80 len 52 contents:
> ber_get_next on fd 9 failed errno=0 (Success)
> connection_read(9): input error=-2 id=2, closing.
> connection_closing: readying conn=2 sd=9 for close
> connection_close: conn=2 sd=9
>
> If I use the ldapsearch from openldap, the ssl connection works well. But
> there is something wrong with my mozilla ldapsearch.
>
> Has anyone ever connected to openldap over ssl before?
> Is my slapd.conf for the ssl connection config fine?
> Is there anything obviously wrong in my setup?
> I don't have much of a clue about it now. Can anyone help me solve this
> problem?
Problem solved. Basically it is my configuration issue. The "-Z" option is for
"make an SSL-encrypted connection", so I need to start slapd with

    -h "ldap://0.0.0.0:9001 ldaps:///"

which takes ssl connections directly. Also I saw "(Peer's certificate issuer
has been marked as not trusted by the user)" later, which means I need to
insert the CA certificate into the new database with the command:

$ certutil -A -n "test CA" -t "C,C,C" -i ./cacert.der -d yourDir

# To make sure, list the certificates in the db. It should show you the CA
# and also the other certs.
$ ./certutil -L -d ./ssl

=====
./ldapsearch -v -h 10.230.34.88 -p 9001 -b "sn=admin,ou=People,o=Acme" -K /tmp/key3.db -P /tmp/cert8.db -ZZ '(objectclass=*)'
ldapsearch: started Tue Feb 16 15:48:54 2010
ldap_init( 10.230.34.88, 9001 )
filter pattern: (objectclass=*)
returning: ALL
filter is: (objectclass=*)
version: 1
dn: sn=admin,ou=People,o=Acme
objectClass: top
objectClass: person
objectClass: organizationalPerson
userPassword: {SSHA}lfL5vM4TuOUkJnuyY7DbV82EQJoaTMYf
cn: Administrator
sn: admin
1 matches
_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap
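Both failures in this thread leave a short, checkable artifact: the slapd log line "ber_get_next: tag 0x80 len 52" for the first one, and the certutil -L listing for the second. The Python below is an added example (mine, not code from the thread, from OpenLDAP or from the Mozilla LDAP C SDK) that turns each artifact into a check. An LDAPMessage is a BER SEQUENCE, so the first byte a plaintext ldap:// listener should ever see is 0x30; a 0x16 0x03 prefix is a TLS record header, and a lead byte with the high bit set followed by message type 0x01 is consistent with an SSLv2-compatible ClientHello, whose two-byte record header a BER reader decodes as exactly "tag 0x80 len 52". Either way, the client sent a TLS handshake to a port where slapd expected plain LDAP, which is what starting slapd with an ldaps:/// listener fixed. The second function parses certutil -L output and confirms that a certificate carries a CA trust flag (C or T) in the SSL column, which is what the "-t C,C,C" import above supplies; "u,u,u" only marks a cert with a private key and is not a trust anchor. The byte strings and the certutil listing are constructed samples, not captured from the poster's setup.

```python
"""Checks for the two failure modes in the thread: a TLS handshake arriving on a
plaintext ldap:// port, and an NSS database with no trusted CA for SSL.
Added example; not part of the original thread.  All sample data is constructed."""
import re
from typing import Dict, Optional, Tuple

# Constructed first bytes of three kinds of client opening (not captured traffic).
# LDAPMessage { messageID 1, bindRequest { version 3, name "", simple "" } }
LDAP_BIND_PREFIX = bytes.fromhex("300c020101600702010304008000")
# TLS 1.0 record header (0x16 handshake, version 3.1, length 52) + ClientHello header
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("160301003401000030")
# SSLv2-compatible record header (high bit set, 52-byte record) + CLIENT-HELLO (0x01)
SSLV2_CLIENT_HELLO_PREFIX = bytes.fromhex("803401030100")

# Constructed `certutil -L -d <dir>` output after the fix: a CA imported with
# -t "C,C,C" beside the server cert imported via pk12util.
CERTUTIL_L_AFTER_FIX = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

test CA                                                      C,C,C
acme-demo                                                    u,u,u
"""
# Constructed listing before the fix: only the server cert, no trust anchor.
CERTUTIL_L_BEFORE_FIX = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

acme-demo                                                    u,u,u
"""


def ber_tag_len(data: bytes) -> Tuple[int, int]:
    """Decode the BER identifier and length octets of a TLV, returning (tag, length),
    the same two values slapd prints in 'ber_get_next: tag 0x.. len ..'."""
    if len(data) < 2:
        raise ValueError("need at least tag and length octets")
    tag = data[0]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not handled")
    first = data[1]
    if first < 0x80:                      # short form: one length octet
        return tag, first
    n = first & 0x7F                      # long form: n following octets hold the length
    if n == 0 or len(data) < 2 + n:
        raise ValueError("indefinite or truncated length")
    return tag, int.from_bytes(data[2:2 + n], "big")


def classify_first_bytes(data: bytes) -> str:
    """Name what a client sent from its first bytes: plain LDAP or some flavour of TLS."""
    if len(data) < 3:
        return "too-short"
    if data[0] == 0x30:                   # LDAPMessage ::= SEQUENCE
        return "ldap"
    if data[0] == 0x16 and data[1] == 0x03:   # TLS handshake record, version 3.x
        return "tls-handshake"
    if data[0] & 0x80 and data[2] == 0x01:    # SSLv2 2-byte header, CLIENT-HELLO type
        return "sslv2-client-hello"
    return "unknown"


_TRUST_RE = re.compile(r"^([A-Za-z]*),([A-Za-z]*),([A-Za-z]*)$")


def parse_certutil_list(output: str) -> Dict[str, Tuple[str, str, str]]:
    """Map each nickname in `certutil -L` output to its (SSL, S/MIME, JAR/XPI) flags.
    Header lines have no 'x,y,z' final token and are skipped."""
    certs: Dict[str, Tuple[str, str, str]] = {}
    for line in output.splitlines():
        line = line.rstrip()
        if not line:
            continue
        nickname, _, trust = line.rpartition(" ")
        m = _TRUST_RE.match(trust)
        if not m:
            continue
        certs[nickname.strip()] = m.groups()  # type: ignore[assignment]
    return certs


def ca_trusted_for_ssl(output: str, nickname: Optional[str] = None) -> bool:
    """True if the named cert (or any cert when nickname is None) is a CA trust
    anchor for SSL: 'C' = trusted CA for server auth, 'T' = trusted to issue
    client certs.  'u' (has private key) and 'c' (valid CA, not trusted) do not count."""
    certs = parse_certutil_list(output)
    if nickname is not None:
        flags = certs.get(nickname)
        candidates = [flags] if flags else []
    else:
        candidates = list(certs.values())
    return any(set(f[0]) & {"C", "T"} for f in candidates)


if __name__ == "__main__":
    for name, blob in [("ldap", LDAP_BIND_PREFIX), ("tls", TLS_CLIENT_HELLO_PREFIX),
                       ("sslv2", SSLV2_CLIENT_HELLO_PREFIX)]:
        tag, length = ber_tag_len(blob)
        print(f"{name:6} as BER: tag 0x{tag:02x} len {length:<3} -> {classify_first_bytes(blob)}")
    print("CA trusted before fix:", ca_trusted_for_ssl(CERTUTIL_L_BEFORE_FIX))
    print("CA trusted after fix: ", ca_trusted_for_ssl(CERTUTIL_L_AFTER_FIX, "test CA"))
```

Feed classify_first_bytes() the first bytes read from a socket (or from a capture) and it tells you which side got the protocol wrong before you touch slapd.conf; run ca_trusted_for_ssl() over the real certutil -L output of the client database to confirm the -t "C,C,C" import actually landed under the nickname you expect.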
