Hello,

Hm, using debian etch 64b - maybe a 64b story? For now, I just cannot manage to make it work - errors have changed, but still no way to connect to the server -.-.
I'll post tomorrow the new config and its error messages.

Thank you to those who tried to help me.

Regards,
C.

On Wed, Jul 7, 2010 at 9:40 PM, Bryan Boone <[email protected]> wrote:
> Hi Cedric. I have the same problems. I am using Opensuse 11.2 64-bit
> edition. Other people have the same problem. I think this must be a bug in
> opensuse anyway. I wonder if you are experiencing the same issue. I
> switched over to SLES 10 and I don't have any problems.
>
> ________________________________
> From: Cedric Jeanneret <[email protected]>
> To: [email protected]
> Sent: Wed, July 7, 2010 3:17:27 AM
> Subject: TLS problem
>
> Hello,
>
> I'm trying to configure an openldap with TLS so that all connections are
> encrypted.
>
> Here's the relevant part of my slapd.conf:
>
> TLSCipherSuite HIGH:MEDIUM:+SSLv3
> TLSVerifyClient never
> TLSCertificateFile /etc/ldap/ssl/server.crt
> TLSCertificateKeyFile /etc/ldap/ssl/server.key
>
> Here's my ldap.conf:
>
> URI ldaps://my.server.ltd
> BASE dc=my,dc=server,dc=ltd
> LDAP_VERSION 3
>
> #SIZELIMIT 12
> #TIMELIMIT 15
> #DEREF never
> ssl start_tls
> ssl on
> TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3
>
>
> While starting slapd with:
> slapd -h 'ldaps:///' -g openldap -u openldap -d 16383
>
> and trying to connect to it with:
> ldapsearch -Z -d 16383 -LLL -b cn=admin,dc=my,dc=server,dc=ltd -w "foo.bar"
> -S cn -h my.server.ltd -p 636 cn
>
> I have these logs:
> [slapd]
>
> daemon: activity on 1 descriptor
> >>> slap_listener(ldaps:///)daemon: listen=7, new connection on 11
> ldap_pvt_gethostbyname_a: host=my, r=0
> daemon: added 11r (active) listener=(nil)
> conn=0 fd=11 ACCEPT from IP=xx.yy.zz.aa:38806 (IP=0.0.0.0:636)
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptor
> daemon: activity on: 11r
> daemon: read activity on 11
> connection_get(11)
> connection_get(11): got connid=0
> connection_read(11): checking for input on id=0
> TLS trace: SSL_accept:before/accept initialization
> tls_read: want=11, got=11
> 0000: 30 3e 02 01 01 63 39 04 00 0a 01 0>...c9....
> TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
> TLS: can't accept.
> TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:562
> connection_read(11): TLS accept failure error=-1 id=0, closing
> connection_closing: readying conn=0 sd=11 for close
> connection_close: conn=0 sd=11
> daemon: removing 11
> conn=0 fd=11 closed (TLS negotiation failure)
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptor
> daemon: waked
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
>
> [ldapsearch]
>
> ldap_create
> ldap_url_parse_ext(ldap://my.server.ltd:636)
> ldap_pvt_sasl_getmech
> ldap_search
> put_filter: "(objectclass=*)"
> put_filter: simple
> put_simple_filter: "objectclass=*"
> ldap_build_search_req ATTRS: supportedSASLMechanisms
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP my.server.ltd:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying xx.yy.zz.aa:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> ldap_open_defconn: successful
> ldap_send_server_request
> ber_scanf fmt ({it) ber:
> ber_dump: buf=0xb92b6d68 ptr=0xb92b6d68 end=0xb92b6da8 len=64
> 0000: 30 3e 02 01 01 63 39 04 00 0a 01 00 0a 01 00 02 0>...c9.........
> 0010: 01 00 02 01 00 01 01 00 87 0b 6f 62 6a 65 63 74 ..........object
> 0020: 63 6c 61 73 73 30 19 04 17 73 75 70 70 6f 72 74 class0...support
> 0030: 65 64 53 41 53 4c 4d 65 63 68 61 6e 69 73 6d 73 edSASLMechanisms
> ber_scanf fmt ({) ber:
> ber_dump: buf=0xb92b6d68 ptr=0xb92b6d6d end=0xb92b6da8 len=59
> 0000: 63 39 04 00 0a 01 00 0a 01 00 02 01 00 02 01 00 c9..............
> 0010: 01 01 00 87 0b 6f 62 6a 65 63 74 63 6c 61 73 73 .....objectclass
> 0020: 30 19 04 17 73 75 70 70 6f 72 74 65 64 53 41 53 0...supportedSAS
> 0030: 4c 4d 65 63 68 61 6e 69 73 6d 73 LMechanisms
> ber_flush2: 64 bytes to sd 3
> 0000: 30 3e 02 01 01 63 39 04 00 0a 01 00 0a 01 00 02 0>...c9.........
> 0010: 01 00 02 01 00 01 01 00 87 0b 6f 62 6a 65 63 74 ..........object
> 0020: 63 6c 61 73 73 30 19 04 17 73 75 70 70 6f 72 74 class0...support
> 0030: 65 64 53 41 53 4c 4d 65 63 68 61 6e 69 73 6d 73 edSASLMechanisms
> ldap_write: want=64, written=64
> 0000: 30 3e 02 01 01 63 39 04 00 0a 01 00 0a 01 00 02 0>...c9.........
> 0010: 01 00 02 01 00 01 01 00 87 0b 6f 62 6a 65 63 74 ..........object
> 0020: 63 6c 61 73 73 30 19 04 17 73 75 70 70 6f 72 74 class0...support
> 0030: 65 64 53 41 53 4c 4d 65 63 68 61 6e 69 73 6d 73 edSASLMechanisms
> ldap_result ld 0xb92ae158 msgid 1
> wait4msg ld 0xb92ae158 msgid 1 (infinite timeout)
> wait4msg continue ld 0xb92ae158 msgid 1 all 1
> ** ld 0xb92ae158 Connections:
> * host: my.server.ltd port: 636 (default)
> refcnt: 2 status: Connected
> last used: Wed Jul 7 12:11:03 2010
>
>
> ** ld 0xb92ae158 Outstanding Requests:
> * msgid 1, origid 1, status InProgress
> outstanding referrals 0, parent count 0
> ld 0xb92ae158 request count 1 (abandoned 0)
> ** ld 0xb92ae158 Response Queue:
> Empty
> ld 0xb92ae158 response count 0
> ldap_chkResponseList ld 0xb92ae158 msgid 1 all 1
> ldap_chkResponseList returns ld 0xb92ae158 NULL
> ldap_int_select
> read1msg: ld 0xb92ae158 msgid 1 all 1
> ber_get_next
> ldap_read: want=8, got=0
>
> ber_get_next failed.
> ldap_err2string
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>
> I really don't know what to do. My certificates are correct I guess, as
> we're using them in apache for https... For information, they are
> self-signed.
>
> Any help would be great.
>
> Thank you!
>
> Best regards,
>
> C.
>
>
> --
> Cédric Jeanneret | System Administrator
> 021 619 10 32 | Camptocamp SA
> [email protected] | PSE-A / EPFL
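An added example, not code from the thread or from OpenLDAP: a small Python decoder for the first bytes an ldaps:/// listener reads. In the slapd trace, tls_read returns `30 3e 02 01 01 63 39 04 00 0a 01` immediately before the `SSL23_GET_CLIENT_HELLO:unknown protocol` error, and those are the same bytes ldapsearch's ber_flush2 wrote, so the decoder shows how to tell a TLS ClientHello from a cleartext BER LDAPMessage that reached a TLS-only port. The function names and the hint text are my own.

```python
"""Decode the first bytes a TLS-only (ldaps) listener receives.

Added example for the thread above (not part of it). It distinguishes a
TLS ClientHello from a cleartext LDAPMessage sent to the wrong port.
"""

# LDAPMessage protocolOp tags (RFC 4511): APPLICATION class, constructed
LDAP_OPS = {0x60: "BindRequest", 0x63: "SearchRequest", 0x66: "ModifyRequest",
            0x68: "AddRequest", 0x77: "ExtendedRequest"}


def _ber_len(buf, i):
    """Decode a BER length starting at buf[i]; return (length, next_index)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F                      # long form: n following length bytes
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def classify_first_bytes(buf):
    """Describe what protocol the first bytes of a connection look like."""
    if len(buf) < 3:
        return "too short to classify"
    if buf[0] == 0x16 and buf[1] == 0x03:  # TLS record: handshake, version 3.x
        return "TLS handshake record (version 3.%d)" % buf[2]
    if buf[0] & 0x80 and buf[2] == 0x01:   # SSLv2-compatible ClientHello header
        return "SSLv2-style ClientHello"
    if buf[0] == 0x30:                     # BER SEQUENCE: maybe an LDAPMessage
        try:
            _, i = _ber_len(buf, 1)
            if buf[i] != 0x02:             # LDAPMessage starts with INTEGER messageID
                return "BER SEQUENCE, not an LDAPMessage"
            idlen, i = _ber_len(buf, i + 1)
            msgid = int.from_bytes(buf[i:i + idlen], "big")
            op = LDAP_OPS.get(buf[i + idlen], "op tag 0x%02x" % buf[i + idlen])
        except IndexError:
            return "truncated BER SEQUENCE"
        return "cleartext LDAP %s (messageID %d)" % (op, msgid)
    return "unknown protocol (first byte 0x%02x)" % buf[0]


def diagnose_ldaps_read(buf):
    """Operator-facing hint for bytes read by an ldaps:/// listener (hypothetical helper)."""
    kind = classify_first_bytes(buf)
    if kind.startswith("cleartext LDAP"):
        return kind + ": client sent plaintext LDAP to the TLS-only port; " \
               "it needs an ldaps:// URI, or the plain port with StartTLS (-Z)"
    return kind


if __name__ == "__main__":
    # Constructed from the 11 bytes shown in the slapd tls_read line above
    print(diagnose_ldaps_read(bytes.fromhex("30 3e 02 01 01 63 39 04 00 0a 01")))
```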
