Dieter Kluenter wrote:
> Quanah Gibson-Mount <[EMAIL PROTECTED]> writes:
> 
>> --On Wednesday, August 23, 2006 8:18 PM +0200 Karsten Römke
>> <[EMAIL PROTECTED]> wrote:
>>
>>> ok, it would be nice if it is a configuration problem
>>> I have tried the openssl -s_client.
>>> openssl s_client -connect oracle.hhb.bonn.de:636 -showcerts
>>> CONNECTED(00000003)
>>> 8907:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
>>> handshake failure:s23_clnt.c:465:
>>>
>>> and here is a part of slapd.conf
>>>   TLSCACertificateFile /etc/openldap/cacert.pem
>>>   TLSCertificateFile /etc/openldap/servercrt.pem
>>>   TLSCertificateKeyFile /etc/openldap/serverkey.pem
>>>
>>> # loglevel 1
>>>
>>> and the ldap.conf
>>> tls_cacert      /etc/openldap/cacert.pem
>>> nss_base_passwd ou=People,dc=hhb,dc=bonn,dc=de
>>> nss_base_shadow ou=People,dc=hhb,dc=bonn,dc=de
>>> nss_base_group  ou=Groups,dc=hhb,dc=bonn,dc=de
>>> host    10.100.0.202
>>> base    dc=hhb,dc=bonn,dc=de
>>> ldap_version    3
>>> ssl     start_tls
>>> pam_password    crypt
>> These do not look like valid parameters to ldap.conf(5) for OpenLDAP.
>> I'm guessing these are the parameters for PAM's ldap.conf.  You need
>> to properly configure the appropriate ldap.conf for openldap and PAM
>> separately.  I'm guessing you currently have PAM configuration lines
>> in the ldap.conf that would be used by ldapsearch, and nothing in the
>> ldap.conf that would be used by PAM.  But maybe not, you don't note
>> the location of your ldap.conf file.
> 
> In addition to Quanah's comments I would like to see a condensed
> output of 'openssl x509 -in servercert.pem -text'.
> The data of modules, signature algorithm and certificate are not
> required.
> 
> -Dieter

Hello,
at the moment I do not really know what to do :-)
I appended the output from openssl ...
Should I start with a nearly empty ldap.conf on the client side?
I use the one which is generated by YaST, the SUSE
administration tool, and without encryption this
file works.

      Karsten

oracle:/etc/openldap # openssl x509 -in servercrt.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=DE, ST=NRW, L=Bonn, O=hhb, OU=it, CN=oracle.hhb.bonn.de/[EMAIL PROTECTED]
        Validity
            Not Before: Aug 23 14:38:15 2006 GMT
            Not After : Aug 18 14:38:15 2026 GMT
        Subject: C=DE, ST=NRW, L=bonn, O=hhb, OU=it, CN=oracle.hhb.bonn.de/[EMAIL PROTECTED]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                1C:78:8F:7C:76:75:2A:8E:EE:DD:8A:C0:AA:A7:AE:96:D8:38:79:84
            X509v3 Authority Key Identifier:
                keyid:90:4F:E9:05:AA:38:FC:D9:21:45:B0:BD:A5:2E:B3:5B:E9:59:38:AF
                DirName:/C=DE/ST=NRW/L=Bonn/O=hhb/OU=it/CN=oracle.hhb.bonn.de/[EMAIL PROTECTED]
                serial:D0:87:6C:AB:B6:D0:11:9D
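
Added example, not part of the original thread: Quanah's reply above separates the ldap.conf read by the OpenLDAP client tools from the one read by PAM/NSS. The sketch below sorts the lines of the posted client file by whether ldap.conf(5) defines the keyword; the option list is partial and an assumption of this example, and the sample is the posted file re-typed as constructed input.

```python
# Added example: split an ldap.conf into keywords that OpenLDAP's
# ldap.conf(5) defines and keywords it does not (e.g. PAM/NSS settings).

# Partial list of ldap.conf(5) options (assumption: extend it from the man
# page of your OpenLDAP version). Keywords are case-insensitive.
OPENLDAP_OPTIONS = {
    "URI", "BASE", "BINDDN", "DEREF", "HOST", "PORT", "NETWORK_TIMEOUT",
    "REFERRALS", "SIZELIMIT", "TIMELIMIT", "TIMEOUT",
    "SASL_MECH", "SASL_REALM", "SASL_AUTHCID", "SASL_AUTHZID", "SASL_SECPROPS",
    "TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT", "TLS_KEY",
    "TLS_CIPHER_SUITE", "TLS_RANDFILE", "TLS_REQCERT", "TLS_CRLCHECK",
}

# Constructed sample: the client ldap.conf quoted in the thread.
SAMPLE = """\
tls_cacert      /etc/openldap/cacert.pem
nss_base_passwd ou=People,dc=hhb,dc=bonn,dc=de
nss_base_shadow ou=People,dc=hhb,dc=bonn,dc=de
nss_base_group  ou=Groups,dc=hhb,dc=bonn,dc=de
host    10.100.0.202
base    dc=hhb,dc=bonn,dc=de
ldap_version    3
ssl     start_tls
pam_password    crypt
"""


def classify(text):
    """Return (openldap, other): lists of (lineno, keyword, value)."""
    openldap, other = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        parts = line.split(None, 1)
        keyword = parts[0]
        value = parts[1] if len(parts) > 1 else ""
        bucket = openldap if keyword.upper() in OPENLDAP_OPTIONS else other
        bucket.append((lineno, keyword, value))
    return openldap, other


if __name__ == "__main__":
    known, unknown = classify(SAMPLE)
    for lineno, keyword, value in known:
        print(f"line {lineno}: {keyword} -> defined in ldap.conf(5)")
    for lineno, keyword, value in unknown:
        print(f"line {lineno}: {keyword} -> not in ldap.conf(5); check the PAM/NSS file")
```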
