Hello,
I'm still having issues with TLS, getting an OpenLDAP 2.4 client and
server to talk TLS to each other. If anyone has a sanitized working
configuration I'd like to see it. I'm starting to wonder if I have to apply
any security settings? I'm getting the below with TLS now.
Thanks.
Dave.
#/usr/local/libexec/slapd -d 5 -h ldap://0.0.0.0
@(#) $OpenLDAP: slapd 2.4.7 (Jan 20 2008 00:56:58) $
        [EMAIL PROTECTED]:/var/ports/basejail/usr/ports/net/openldap24-server/work/openldap-2.4.7/servers/slapd
ldap_pvt_gethostbyname_a: host=ldap, r=0
daemon_init: ldap://0.0.0.0
daemon_init: listen on ldap://0.0.0.0
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap://0.0.0.0)
daemon: listener initialized ldap://0.0.0.0
daemon_init: 1 listeners opened
ldap_create
slapd init: initiated server.
bdb_back_initialize: initialize BDB backend
bdb_back_initialize: Berkeley DB 4.6.21: (September 27, 2007)
bdb_db_init: Initializing BDB database
>>> dnPrettyNormal: <dc=davemehler,dc=com>
=> ldap_bv2dn(dc=davemehler,dc=com,0)
<= ldap_bv2dn(dc=davemehler,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=davemehler,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=davemehler,dc=com)=0
<<< dnPrettyNormal: <dc=davemehler,dc=com>, <dc=davemehler,dc=com>
>>> dnPrettyNormal: <cn=Manager,dc=davemehler,dc=com>
=> ldap_bv2dn(cn=Manager,dc=davemehler,dc=com,0)
<= ldap_bv2dn(cn=Manager,dc=davemehler,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=Manager,dc=davemehler,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=manager,dc=davemehler,dc=com)=0
<<< dnPrettyNormal: <cn=Manager,dc=davemehler,dc=com>, <cn=manager,dc=davemehler,dc=com>
>>> dnNormalize: <cn=Subschema>
=> ldap_bv2dn(cn=Subschema,0)
<= ldap_bv2dn(cn=Subschema)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=subschema)=0
<<< dnNormalize: <cn=subschema>
matching_rule_use_init
1.2.840.113556.1.4.804 (integerBitOrMatch): matchingRuleUse: ( 1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) )
1.2.840.113556.1.4.803 (integerBitAndMatch): matchingRuleUse: ( 1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) )
1.3.6.1.4.1.1466.109.114.2 (caseIgnoreIA5Match): matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' APPLIES ( altServer $ c $ mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $ nSRecord $ sOARecord $ cNAMERecord $ janetMailbox $ gecos $ homeDirectory $ loginShell $ memberUid $ memberNisNetgroup $ ipHostNumber $ ipNetworkNumber $ ipNetmaskNumber $ macAddress $ bootFile $ nisMapEntry $ mailbox $ quota $ maildrop $ mailsource $ virtualdomain $ virtualdomainuser $ defaultdelivery $ disableimap $ disablepop3 $ disablewebmail $ sharedgroup $ disableshared $ mailhost ) )
1.3.6.1.4.1.1466.109.114.1 (caseExactIA5Match): matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' APPLIES ( altServer $ c $ mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $ nSRecord $ sOARecord $ cNAMERecord $ janetMailbox $ gecos $ homeDirectory $ loginShell $ memberUid $ memberNisNetgroup $ ipHostNumber $ ipNetworkNumber $ ipNetmaskNumber $ macAddress $ bootFile $ nisMapEntry $ mailbox $ quota $ maildrop $ mailsource $ virtualdomain $ virtualdomainuser $ defaultdelivery $ disableimap $ disablepop3 $ disablewebmail $ sharedgroup $ disableshared $ mailhost ) )
2.5.13.35 (certificateMatch):
2.5.13.34 (certificateExactMatch): matchingRuleUse: ( 2.5.13.34 NAME 'certificateExactMatch' APPLIES ( userCertificate $ cACertificate ) )
2.5.13.30 (objectIdentifierFirstComponentMatch): matchingRuleUse: ( 2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ ldapSyntaxes $ supportedApplicationContext ) )
2.5.13.29 (integerFirstComponentMatch): matchingRuleUse: ( 2.5.13.29 NAME 'integerFirstComponentMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) )
2.5.13.27 (generalizedTimeMatch): matchingRuleUse: ( 2.5.13.27 NAME 'generalizedTimeMatch' APPLIES ( createTimestamp $ modifyTimestamp ) )
2.5.13.24 (protocolInformationMatch): matchingRuleUse: ( 2.5.13.24 NAME 'protocolInformationMatch' APPLIES protocolInformation )
2.5.13.23 (uniqueMemberMatch): matchingRuleUse: ( 2.5.13.23 NAME 'uniqueMemberMatch' APPLIES uniqueMember )
2.5.13.22 (presentationAddressMatch): matchingRuleUse: ( 2.5.13.22 NAME 'presentationAddressMatch' APPLIES presentationAddress )
2.5.13.20 (telephoneNumberMatch): matchingRuleUse: ( 2.5.13.20 NAME 'telephoneNumberMatch' APPLIES ( telephoneNumber $ homePhone $ mobile $ pager ) )
2.5.13.17 (octetStringMatch): matchingRuleUse: ( 2.5.13.17 NAME 'octetStringMatch' APPLIES ( userPassword $ clearPassword ) )
2.5.13.16 (bitStringMatch): matchingRuleUse: ( 2.5.13.16 NAME 'bitStringMatch' APPLIES x500UniqueIdentifier )
2.5.13.14 (integerMatch): matchingRuleUse: ( 2.5.13.14 NAME 'integerMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) )
2.5.13.13 (booleanMatch): matchingRuleUse: ( 2.5.13.13 NAME 'booleanMatch' APPLIES hasSubordinates )
2.5.13.11 (caseIgnoreListMatch): matchingRuleUse: ( 2.5.13.11 NAME 'caseIgnoreListMatch' APPLIES ( postalAddress $ registeredAddress $ homePostalAddress ) )
2.5.13.8 (numericStringMatch): matchingRuleUse: ( 2.5.13.8 NAME 'numericStringMatch' APPLIES ( x121Address $ internationaliSDNNumber ) )
2.5.13.7 (caseExactSubstringsMatch): matchingRuleUse: ( 2.5.13.7 NAME 'caseExactSubstringsMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) )
2.5.13.6 (caseExactOrderingMatch): matchingRuleUse: ( 2.5.13.6 NAME 'caseExactOrderingMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) )
2.5.13.5 (caseExactMatch): matchingRuleUse: ( 2.5.13.5 NAME 'caseExactMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ destinationIndicator $ givenName $ initials $ generationQualifier $ dnQualifier $ houseIdentifier $ dmdName $ pseudonym $ textEncodedORAddress $ info $ drink $ roomNumber $ userClass $ host $ documentIdentifier $ documentTitle $ documentVersion $ documentLocation $ personalTitle $ co $ uniqueIdentifier $ organizationalStatus $ buildingName $ documentPublisher $ ipServiceProtocol $ nisMapName $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ preferredLanguage ) )
2.5.13.4 (caseIgnoreSubstringsMatch): matchingRuleUse: ( 2.5.13.4 NAME 'caseIgnoreSubstringsMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) )
2.5.13.3 (caseIgnoreOrderingMatch): matchingRuleUse: ( 2.5.13.3 NAME 'caseIgnoreOrderingMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) )
2.5.13.2 (caseIgnoreMatch): matchingRuleUse: ( 2.5.13.2 NAME 'caseIgnoreMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ destinationIndicator $ givenName $ initials $ generationQualifier $ dnQualifier $ houseIdentifier $ dmdName $ pseudonym $ textEncodedORAddress $ info $ drink $ roomNumber $ userClass $ host $ documentIdentifier $ documentTitle $ documentVersion $ documentLocation $ personalTitle $ co $ uniqueIdentifier $ organizationalStatus $ buildingName $ documentPublisher $ ipServiceProtocol $ nisMapName $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ preferredLanguage ) )
1.2.36.79672281.1.13.3 (rdnMatch):
2.5.13.1 (distinguishedNameMatch): matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( creatorsName $ modifiersName $ subschemaSubentry $ entryDN $ namingContexts $ aliasedObjectName $ dynamicSubtrees $ distinguishedName $ seeAlso $ member $ owner $ roleOccupant $ manager $ documentAuthor $ secretary $ associatedName $ dITRedirect ) )
2.5.13.0 (objectIdentifierMatch): matchingRuleUse: ( 2.5.13.0 NAME 'objectIdentifierMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ supportedApplicationContext ) )
slapd startup: initiated.
backend_startup_one: starting "cn=config"
config_back_db_open
config_build_entry: "cn=config"
config_build_entry: "cn=module{0}"
config_build_entry: "cn=schema"
config_build_entry: "cn={0}core"
config_build_entry: "cn={1}cosine"
config_build_entry: "cn={2}nis"
config_build_entry: "cn={3}inetorgperson"
config_build_entry: "cn={4}authldap"
config_build_entry: "olcDatabase={-1}frontend"
config_build_entry: "olcDatabase={0}config"
config_build_entry: "olcDatabase={1}bdb"
backend_startup_one: starting "dc=davemehler,dc=com"
bdb_db_open: "dc=davemehler,dc=com"
bdb_db_open: warning - no DB_CONFIG file found in directory /var/db/openldap-data: (2).
Expect poor performance for suffix "dc=davemehler,dc=com".
bdb_db_open: database "dc=davemehler,dc=com": dbenv_open(/var/db/openldap-data).
slapd starting
slap_listener_activate(6):
>>> slap_listener(ldap://0.0.0.0)
connection_get(10)
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
conn=0 op=0 do_extended
ber_scanf fmt ({m) ber:
do_extended: oid=1.3.6.1.4.1.1466.20037
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 10
connection_get(10)
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(10)
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept.
TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2514
connection_read(10): TLS accept failure error=-1 id=0, closing
connection_closing: readying conn=0 sd=10 for close
connection_close: conn=0 sd=10
^Cdaemon: shutdown requested and initiated.
slapd shutdown: waiting for 0 threads to terminate
slapd shutdown: initiated
====> bdb_cache_release_all
slapd destroy: freeing system resources.
slapd stopped.
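An added triage helper, not from the post or from OpenLDAP, that classifies a failed StartTLS accept from the "TLS trace" lines slapd prints at -d 5: in the trace above the server writes its certificate and a certificate request, then fails reading the client certificate, which points at the server's TLSVerifyClient setting rather than at its own certificate. The two sample traces are constructed (the first mirrors the post, the second is a contrasting failure not in the post), and TLSVerifyClient, TLS_CERT, TLS_KEY, TLS_CACERT and TLSCertificateFile are the standard slapd.conf and ldap.conf directives.

```python
import re

# Constructed excerpt of the TLS trace lines from a slapd -d 5 run like the one above.
DEMAND_NO_CERT = """\
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL3 alert write:fatal:handshake failure
TLS: can't accept.
TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2514
"""

# Constructed contrast case: the client rejects the server certificate (no client cert requested).
CLIENT_REJECTS_SERVER = """\
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
"""


def diagnose_tls_accept(log):
    """Return (stage, finding) for a failed StartTLS accept seen in slapd debug output."""
    tls = [ln for ln in log.splitlines() if ln.startswith("TLS")]
    sent_server_cert = any("write certificate A" in ln for ln in tls)
    asked_client_cert = any("write certificate request" in ln for ln in tls)
    no_client_cert = any("peer did not return a certificate" in ln for ln in tls)
    # A fatal alert the server *read* came from the client; one it *wrote* is its own verdict.
    peer_alert = next((re.search(r"alert read:fatal:(.+)$", ln).group(1)
                       for ln in tls if "alert read:fatal:" in ln), None)
    if asked_client_cert and no_client_cert:
        return ("client_certificate",
                "slapd sent a CertificateRequest (TLSVerifyClient demand/hard) and the client "
                "answered with no certificate: configure TLS_CERT/TLS_KEY in the client's "
                "ldap.conf, or lower TLSVerifyClient to never/allow/try")
    if peer_alert:
        return ("server_certificate",
                "the client aborted with alert '%s' after receiving the server certificate: "
                "check the client's TLS_CACERT against the server's certificate chain" % peer_alert)
    if not sent_server_cert:
        return ("server_setup", "no server certificate was sent: check TLSCertificateFile "
                                "and TLSCertificateKeyFile on the server")
    return ("unknown", "no recognised failure pattern in the TLS trace")
```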