Try to connect to ldaps://localhost:636 Cn must be localhost if that's configured in the certs, but... Are you sure that localhost should be the fqdn?
Il gio 2 gen 2020, 17:39 Dunne, Kenneth <[email protected]> ha scritto: > All > > > > I am able to connect to my home-built OpenSSL installation (from Dec-19 > sources) on CentOS-7 without the TLS bind. > > I am now trying to use OpenTLS with OpenSSL, which is not currently > working. From searching the internet I find this, > > Which indicates that maybe RH-based-unixes have unique issues with > OpenTLS/OpenLdap: > > > https://serverfault.com/questions/437546/centos-openldap-cert-trust-issues > > > > My slapd.conf now holds (as differs from the default installed slapd.conf) > > … snip… > > ############### TLS > > # added per http://www.openldap.org/faq/data/cache/185.html > > TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt > > TLSCertificateFile /usr/local/etc/openldap/servercrt.pem > > TLSCertificateKeyFile /usr/local/etc/openldap/serverkey.pem > > TLSCipherSuite DES-CBC3-SHA > > … snip… > > > > And my ldap.conf holds: > > … snip… > > ############### TLS > > ############### TLS > > # added per http://www.openldap.org/faq/data/cache/185.html > > TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt > > ### fails: > > ## TLS_CACERT /usr/local/etc/openldap/ cacert.pem > > > > URI ldaps://localhost:636 > > ############### TLS > > … snip… > > > > …. Having added the ‘cacert.pem’ into the file “ > /etc/pki/tls/certs/ca-bundle.crt” > > I get farther in the authentication than using “/usr/local/etc/openldap/ > cacert.pem”: > > > > [root@kdunne-dev openldap]# /usr/local/bin/ldapsearch -Z -D > "cn=Manager,dc=my-domain,dc=com" -d -1 > > ldap_create > > ldap_extended_operation_s > > ldap_extended_operation > > ldap_send_initial_request > > ldap_new_connection 1 1 0 > > ldap_int_open_connection > > ldap_connect_to_host: TCP localhost:636 > > ldap_new_socket: 3 > > ldap_prepare_socket: 3 > > ldap_connect_to_host: Trying ::1 636 > > ldap_pvt_connect: fd: 3 tm: -1 async: 0 > > attempting to connect: > > connect errno: 111 > > ldap_close_socket: 3 > > ldap_new_socket: 3 > > ldap_prepare_socket: 3 > > ldap_connect_to_host: Trying 127.0.0.1:636 > > ldap_pvt_connect: fd: 3 tm: -1 async: 0 > > attempting to connect: > > connect success > > TLS trace: SSL_connect:before/connect initialization > > tls_write: want=289, written=289 > > 0000: 16 03 01 01 1c 01 00 01 18 03 03 51 03 78 81 fc > ...........Q.x.. > > 0010: 66 89 9c 91 10 b6 e9 3d f1 12 66 27 c7 f5 80 e4 > f......=..f'.... > > 0020: fb f6 5f 9d f8 bb 37 3b 84 cb 17 00 00 ac c0 30 > .._...7;.......0 > > 0030: c0 2c c0 28 c0 24 c0 14 c0 0a 00 a5 00 a3 00 a1 > .,.(.$.......... > > 0040: 00 9f 00 6b 00 6a 00 69 00 68 00 39 00 38 00 37 > ...k.j.i.h.9.8.7 > > 0050: 00 36 00 88 00 87 00 86 00 85 c0 32 c0 2e c0 2a > .6.........2...* > > 0060: c0 26 c0 0f c0 05 00 9d 00 3d 00 35 00 84 c0 2f > .&.......=.5.../ > > 0070: c0 2b c0 27 c0 23 c0 13 c0 09 00 a4 00 a2 00 a0 > .+.'.#.......... > > 0080: 00 9e 00 67 00 40 00 3f 00 3e 00 33 00 32 00 31 ...g.@.?.>.3.2.1 > > > 0090: 00 30 00 9a 00 99 00 98 00 97 00 45 00 44 00 43 > .0.........E.D.C > > 00a0: 00 42 c0 31 c0 2d c0 29 c0 25 c0 0e c0 04 00 9c > .B.1.-.).%...... > > 00b0: 00 3c 00 2f 00 96 00 41 c0 12 c0 08 00 16 00 13 > .<./...A........ > > 00c0: 00 10 00 0d c0 0d c0 03 00 0a 00 07 c0 11 c0 07 > ................ > > 00d0: c0 0c c0 02 00 05 00 04 00 ff 01 00 00 43 00 0b > .............C.. > > 00e0: 00 04 03 00 01 02 00 0a 00 0a 00 08 00 17 00 19 > ................ > > 00f0: 00 18 00 16 00 23 00 00 00 0d 00 20 00 1e 06 01 .....#..... > .... > > 0100: 06 02 06 03 05 01 05 02 05 03 04 01 04 02 04 03 > ................ > > 0110: 03 01 03 02 03 03 02 01 02 02 02 03 00 0f 00 01 > ................ > > 0120: 01 > . > > TLS trace: SSL_connect:SSLv2/v3 write client hello A > > tls_read: want=7, got=0 > > > > TLS: can't connect: . > > ldap_err2string > > ldap_start_tls: Can't contact LDAP server (-1) > > ldap_sasl_bind > > ldap_send_initial_request > > ldap_send_server_request > > ldap_err2string > > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) > > > > > > > > Additionally: > > > > I am reading the FAQ http://www.openldap.org/faq/data/cache/185.html to > generate the certs > > but am wondering if I am correctly understanding the instruction “Remember > that the Common Name for this cert should be the fully qualified domain > name of the server:” > > If I run my ldap server as: > > /usr/local/libexec/slapd -F /usr/local/etc/openldap/slapd.d -h > 'ldaps://127.0.0.1:636 ldap://127.0.0.1:389' -d -1 > > Then would the ‘common name’ for use in the certificate be: > > cn=localhost:636 > > > > Any assistance is greatly appreciated. > > Thanks! > > Ken Dunne > > > > > > >
