2013/2/14 "Y. Curz Zuñiga" <[email protected]>:
> As I can enable debugging for errors, here are the settings I use for the AD
> and the output of the command openssl s_client -connect. With this
> configuration the only thing it does is reject passwords, any idea?
>
> # LDAP
> $ldap_url = "ldap://10.14.2.1 ldap://10.14.2.2";
> $ldap_binddn = "CN=Administrador SUM Lajas,OU=Admin,OU=SUMLJ,OU=ucf,DC=ucf,DC=edu,DC=cu";
> $ldap_bindpw = "Langer bay-9003";
> $ldap_base = "dc=ucf,dc=edu,dc=cu";
> $ldap_login_attribute = "uid";
> $ldap_fullname_attribute = "cn";
> $ldap_filter =
> "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
>
> # Active Directory mode
> # true: use unicodePwd as password field
> # false: LDAPv3 standard behavior
> $ad_mode = true;
>
>
> root@Herus:/home/yaisel# openssl s_client -connect ucf.edu.cu:636
> CONNECTED(00000003)
> depth=1 /DC=cu/DC=edu/DC=ucf/CN=ucf-pegasus
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> ---
> Certificate chain
>  0 s:/CN=ucf-sd02.ucf.edu.cu
>    i:/DC=cu/DC=edu/DC=ucf/CN=ucf-pegasus
>  1 s:/DC=cu/DC=edu/DC=ucf/CN=ucf-pegasus
>    i:/DC=cu/DC=edu/DC=ucf/CN=UCFCert
> ---
> Server certificate
> subject=/CN=ucf-sd02.ucf.edu.cu
> issuer=/DC=cu/DC=edu/DC=ucf/CN=ucf-pegasus
> ---
> Acceptable client certificate CA names
> /CN=ucf-sd02.ucf.edu.cu
> /DC=cu/DC=edu/DC=ucf/CN=UCFCert
> /DC=cu/DC=edu/DC=ucf/CN=ucf
> /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority -
> G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust
> Network
> /C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority -
> G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust
> Network
> /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification
> Services Division/CN=Thawte Personal Freemail
> CA/[email protected]
> /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification
> Services Division/CN=Thawte Personal Premium
> CA/[email protected]
> /C=US/O=First Data Digital Certificates Inc./CN=First Data Digital
> Certificates Inc. Certification Authority
> /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification
> Services Division/CN=Thawte Personal Basic
> CA/[email protected]
> /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
> /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
> /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
> /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority -
> G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust
> Network
> /C=HU/L=Budapest/O=NetLock Halozatbiztonsagi
> Kft./OU=Tanusitvanykiadok/CN=NetLock Uzleti (Class B) Tanusitvanykiado
> /C=US/O=GTE Corporation/CN=GTE CyberTrust Root
> /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust
> Global Root
> /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits
> liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server
> Certification Authority
> /C=HU/ST=Hungary/L=Budapest/O=NetLock Halozatbiztonsagi
> Kft./OU=Tanusitvanykiadok/CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado
> /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority -
> G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust
> Network
> /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust
> Root
> /C=HU/L=Budapest/O=NetLock Halozatbiztonsagi
> Kft./OU=Tanusitvanykiadok/CN=NetLock Expressz (Class C) Tanusitvanykiado
> /OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft
> Root Authority
> /CN=\x00E\x00S\x00E\x00T\x00_\x00R\x00o\x00o\x00t\x00S\x00s\x00l\x00C\x00e\x00r\x00t/O=ESET,
> spol. s r. o./C=SK
> /DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
> ---
> SSL handshake has read 6236 bytes and written 315 bytes
> ---
> New, TLSv1/SSLv3, Cipher is RC4-MD5
> Server public key is 1024 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : RC4-MD5
>     Session-ID:
> E7110000E7D0B7BB565C2C242D7B7500A6CF6F3A2DCB29C5E700EC06C5760EA3
>     Session-ID-ctx:
>     Master-Key:
> EBEC283EF2610C26003203B13271EF08162D65EF4EFCA727480CCFF053078A0EDE8D033BF7539CE3710CCC34B014F799
>     Key-Arg   : None
>     Start Time: 1360847046
>     Timeout   : 300 (sec)
>     Verify return code: 20 (unable to get local issuer certificate)


Use ldaps:// instead of ldap:// to use LDAPS...


Clément.
_______________________________________________
ltb-users mailing list
[email protected]
http://lists.ltb-project.org/listinfo/ltb-users
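
The checks this thread turns on, as an added example that is not part of the original messages: Active Directory only accepts unicodePwd changes over an encrypted connection, so the script flags ldap:// URLs when AD mode is on and reads the verify return code and cipher from saved openssl s_client output. The function names are hypothetical and the sample values are taken from the post above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample values come from the post.
SAMPLE_URLS='ldap://10.14.2.1 ldap://10.14.2.2'
SAMPLE_TRANSCRIPT='New, TLSv1/SSLv3, Cipher is RC4-MD5
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Verify return code: 20 (unable to get local issuer certificate)'

# Print each URL of a space-separated list that is not ldaps://.
plaintext_urls() {
    for u in $1; do
        case "$u" in
            ldaps://*) ;;
            *) printf '%s\n' "$u" ;;
        esac
    done
}

# Read s_client output on stdin, print the numeric verify return code.
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Read s_client output on stdin, print the session cipher.
negotiated_cipher() {
    sed -n 's/^[[:space:]]*Cipher[[:space:]]*: \(.*\)$/\1/p' | tail -n 1
}

# preflight URLS AD_MODE TRANSCRIPT: print one FAIL/WARN line per finding.
preflight() {
    if [ "$2" = "true" ]; then
        for u in $(plaintext_urls "$1"); do
            echo "FAIL $u: AD mode needs an encrypted connection, use ldaps://"
        done
    fi
    code=$(printf '%s\n' "$3" | verify_code)
    if [ "$code" != "0" ]; then
        echo "FAIL tls: verify return code ${code:-missing}, chain not trusted by this client"
    fi
    cipher=$(printf '%s\n' "$3" | negotiated_cipher)
    case "$cipher" in
        *RC4*|*MD5*|*NULL*|*EXP*) echo "WARN tls: weak cipher $cipher" ;;
    esac
}

preflight "$SAMPLE_URLS" true "$SAMPLE_TRANSCRIPT"
```

A verify return code of 0 means the client running the check trusts the server's chain; any other value has to be resolved on the client before an ldaps:// bind can validate the server certificate.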
