As I can enable debugging for errors, here are the settings I use for the AD and the output of the openssl s_client -connect command. With this configuration the only thing I get is that it rejects the passwords. Any idea?

# LDAP
$ldap_url = "ldap://10.14.2.1 ldap://10.14.2.2";
$ldap_binddn = "CN=Administrador SUM Lajas,OU=Admin,OU=SUMLJ,OU=ucf,DC=ucf,DC=edu,DC=cu";
$ldap_bindpw = "Langer bay-9003";
$ldap_base = "dc=ucf,dc=edu,dc=cu";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";

# Active Directory mode
# true: use unicodePwd as password field
# false: LDAPv3 standard behavior
$ad_mode = true;


root@Herus:/home/yaisel# openssl s_client -connect ucf.edu.cu:636
CONNECTED(00000003)
depth=1 /DC=cu/DC=edu/DC=ucf/CN=ucf-pegasus
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=ucf-sd02.ucf.edu.cu
   i:/DC=cu/DC=edu/DC=ucf/CN=ucf-pegasus
 1 s:/DC=cu/DC=edu/DC=ucf/CN=ucf-pegasus
   i:/DC=cu/DC=edu/DC=ucf/CN=UCFCert
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/CN=ucf-sd02.ucf.edu.cu
issuer=/DC=cu/DC=edu/DC=ucf/CN=ucf-pegasus
---
Acceptable client certificate CA names
/CN=ucf-sd02.ucf.edu.cu
/DC=cu/DC=edu/DC=ucf/CN=UCFCert
/DC=cu/DC=edu/DC=ucf/CN=ucf
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Freemail CA/[email protected]
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Premium CA/[email protected]
/C=US/O=First Data Digital Certificates Inc./CN=First Data Digital Certificates Inc. Certification Authority
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Basic CA/[email protected]
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=HU/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Uzleti (Class B) Tanusitvanykiado
/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
/C=HU/ST=Hungary/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Root
/C=HU/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Expressz (Class C) Tanusitvanykiado
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
/CN=\x00E\x00S\x00E\x00T\x00_\x00R\x00o\x00o\x00t\x00S\x00s\x00l\x00C\x00e\x00r\x00t/O=ESET, spol. s r. o./C=SK
/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
---
SSL handshake has read 6236 bytes and written 315 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: E7110000E7D0B7BB565C2C242D7B7500A6CF6F3A2DCB29C5E700EC06C5760EA3
    Session-ID-ctx:
    Master-Key: EBEC283EF2610C26003203B13271EF08162D65EF4EFCA727480CCFF053078A0EDE8D033BF7539CE3710CCC34B014F799
    Key-Arg   : None
    Start Time: 1360847046
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)

Tec. Yaisel Cruz Zuñiga
Admin. Fum lajas
[email protected]
Telf. (043)-579717
Ubuntu User #35281

On 14/02/13 03:38, Clément OUDOT wrote:
First, you can activate debug in SSP to get the full LDAP error.

Then, try to use the openssl s_client command to check the AD certificate:
openssl s_client -connect ad.example.com:636



---
Consult the Cuban Collaborative Encyclopedia
http://www.ecured.cu/
_______________________________________________
ltb-users mailing list
[email protected]
http://lists.ltb-project.org/listinfo/ltb-users
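Added example (an editor's addition, not code from the original mail or from the LTB project): a self-contained openssl session that reproduces the "verify error:num=20:unable to get local issuer certificate" seen in the transcript above on a throwaway PKI with the same shape as the chain the domain controller presented (root UCFCert, issuing CA ucf-pegasus, server certificate for ucf-sd02.ucf.edu.cu), and then clears it by handing openssl the root as trust anchor. Every file name, key and certificate here is generated for the demonstration; it needs only the openssl command-line tool and no network access.

```shell
#!/bin/sh
# Editor-added example: reproduce openssl "verify error:num=20" on a throwaway
# PKI shaped like the chain in the transcript, then show that the error clears
# once the client is given the root CA. All names, keys and temp files are
# constructed for the demo; nothing here touches the real domain controller.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Sign CSR $1 with CA $2 (files $2.crt / $2.key) into $3, using extensions from $4.
sign_cert() {
    openssl x509 -req -sha256 -days 2 -in "$1" \
        -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -extfile "$4" -out "$3" >/dev/null 2>&1
}

# Build root -> issuing CA -> server certificate, mirroring
# UCFCert -> ucf-pegasus -> ucf-sd02.ucf.edu.cu from the transcript.
# Runs in a subshell so the cd does not leak out.
make_test_pki() (
    cd "$WORK"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ucf-sd02.ucf.edu.cu\n' > server.ext

    # Root CA, self-signed (stands in for CN=UCFCert)
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/DC=cu/DC=edu/DC=ucf/CN=UCFCert" \
        -keyout root.key -out root.csr >/dev/null 2>&1
    openssl x509 -req -sha256 -days 2 -in root.csr -signkey root.key \
        -extfile ca.ext -out root.crt >/dev/null 2>&1

    # Issuing CA signed by the root (stands in for CN=ucf-pegasus)
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/DC=cu/DC=edu/DC=ucf/CN=ucf-pegasus" \
        -keyout inter.key -out inter.csr >/dev/null 2>&1
    sign_cert inter.csr root inter.crt ca.ext

    # Server certificate for the domain controller, signed by the issuing CA
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=ucf-sd02.ucf.edu.cu" \
        -keyout server.key -out server.csr >/dev/null 2>&1
    sign_cert server.csr inter server.crt server.ext
)

# Verify the server certificate the way a TLS client does: the issuing CA is
# supplied as an untrusted intermediate (the server sends it in the handshake)
# and the trust anchor is whatever file $1 names ("" = no anchor at all).
# Prints "ok", or the numeric openssl verify error (20 = no local issuer).
verify_leaf() {
    if [ -n "${1:-}" ]; then
        set -- -CAfile "$1"
    else
        set -- -no-CAfile -no-CApath
    fi
    if out="$(openssl verify "$@" -untrusted "$WORK/inter.crt" "$WORK/server.crt" 2>&1)"; then
        echo ok
    else
        # failure output holds a line such as
        # "error 20 at 1 depth lookup: unable to get local issuer certificate"
        echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
    fi
}

make_test_pki
printf 'no trust anchor:         %s\n' "$(verify_leaf "")"
printf 'root CA as trust anchor: %s\n' "$(verify_leaf "$WORK/root.crt")"

# Live equivalent against the domain controller (needs the exported root; not run here):
#   openssl s_client -connect ucf.edu.cu:636 -servername ucf-sd02.ucf.edu.cu -CAfile UCFCert.pem
#   openssl s_client -connect ucf.edu.cu:636 -showcerts   # dump every cert the server sends
```

Error 20 says nothing about the domain controller itself; it means the client had no copy of the chain's root (here CN=UCFCert) in its trust store, exactly the situation the first verification above reproduces. For the live check, export that root from the CA in PEM form and pass it with -CAfile as in the comment; -showcerts prints every certificate the server sends so the issuer names can be compared with the "Certificate chain" section of the transcript. The same root has to be reachable by the PHP LDAP client SSP runs on (OpenLDAP's libldap reads TLS_CACERT from /etc/ldap/ldap.conf on Debian and Ubuntu), and Active Directory only accepts a unicodePwd change over an encrypted session, so with $ad_mode = true the $ldap_url entries need ldaps:// on port 636 (or StartTLS) rather than plain ldap://. Two further points visible in the transcript: the negotiated cipher is RC4-MD5 and the server key is 1024 bits, both well below current practice.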
