On 16/8/04 6:23 am, Vladimir Levijev <[EMAIL PROTECTED]> wrote:
>
> Hi everyone,
>
> I had a working LDAP over SSL connection to an AD server from my GNU/Linux box
> for about a year when suddenly it stopped working. Perl scripts to manage
> users' data (including passwords), PAM modules (nss_ldap), glibc's getent -
> all stopped working at the same time. What to do? I disabled SSL in all
> configs. Now pure LDAP works fine, but it doesn't allow me to manage the
> passwords. So it seems that the problem is on the AD side.
>
> I can connect using telnet to both 389 and 636 ports of the machine where the
> AD is installed. But when I try it with perl:
>
> [clip]
>
> #!/usr/bin/perl
>
> use Net::LDAPS;
> use strict;
>
> my $ldaps = Net::LDAPS->new('ldaps://AD_SERVER') or die "$@";  # new() returns undef and sets $@ when the connect fails
>
> print "ldaps = $ldaps\n";
>
> [/clip]
>
> I get: "IO::Socket::SSL: Timeout at test.pl line 6, <DATA> line 225.". If
> the "ldaps:" protocol is changed to "ldap", I get the HASH.
>
> So the AD's admin checked the certificates and said they were not expired. I
> still think it's somehow connected to certificates. I do not remember now how
> we set the SSL connection up then. But is there another way to check
> certs?
A simple way is to use the openssl command-line s_client tool, which just
makes an SSL connection to a server. Point it at AD's LDAPS port and see
what it reports. (Play with verbose etc. flags.)
IIRC something gets logged when AD first needs to retrieve its cert and
private key, i.e. the first time it gets an LDAPS connection. If it fails, it
doesn't seem to retry getting the cert+key until you reboot AD. (Which we
couldn't figure out how to do safely, so reboot the box.)
> So if someone could help, I'd appreciate it: what is the general procedure for
> setting up the SSL connection in my case? Do I first create the certificate
> on a GNU/Linux box and then export it to AD?
For what it is worth, my experience is that if AD doesn't have the cert
installed in the right place (or at all), any connections to the LDAPS port
"succeed" but get instantly dropped before any bytes get transferred. So you
could even test with a telnet client.
Yes, you can create a cert and private key using openssl and move them to
your AD box.
You need to add them to the right part of the certificate store (I forget
which one now!) and there are a few constraints on what AD allows in the
cert. I may have some more notes at work, but I did discover the constraints
by googling before.
Cheers,
Chris
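Added example, not code from this thread and not from Net::LDAPS or AD: a small Python probe that makes the distinction Chris draws above testable from the client side. Vladimir's symptom is a timeout, while an AD with no usable certificate accepts the TCP connection and drops it before any TLS bytes flow; these look different on the wire, and the probe reports which one it saw (refused, timeout, dropped, cert_rejected, tls_error, ok). When validation succeeds it also returns the server certificate's expiry, which answers the "are the certs expired" question without asking the AD admin. The hostname AD_SERVER and the CA file path in the comments are placeholders, and the local servers it is run against here are constructed stand-ins for a misbehaving LDAPS port, not real AD.

```python
import socket
import ssl
import threading
import time
from datetime import datetime, timezone

# Added example, not from the mailing-list thread. Classifies what happens when
# a client opens TLS to an LDAPS port, so "handshake timed out" can be told
# apart from "TCP accepted, then instantly dropped" (what Chris describes when
# AD has no usable certificate) and from "certificate not trusted".


def probe_ldaps(host, port=636, timeout=5.0, cafile=None):
    """Open a TLS session to host:port and classify the outcome.

    'result' in the returned dict is one of:
      refused        nothing is listening on the port
      timeout        TCP connect or TLS handshake timed out ('stage' says which)
      dropped        TCP accepted, but closed before the handshake finished
      cert_rejected  handshake finished, chain/hostname validation failed ('reason')
      tls_error      some other handshake failure ('reason' is OpenSSL's code)
      ok             validated; 'not_after' is the server cert's expiry (UTC)
    cafile: PEM bundle with the CA that issued the AD certificate; None means
    the system trust store (an internal CA usually needs cafile set).
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return {"result": "refused"}
    except socket.timeout:
        return {"result": "timeout", "stage": "tcp"}

    try:
        # wrap_socket performs the handshake; on failure it closes the socket itself
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()  # parsed dict, populated only after validation
            expiry = datetime.fromtimestamp(
                ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
            return {"result": "ok", "tls_version": tls.version(),
                    "subject": cert.get("subject"), "not_after": expiry}
    except socket.timeout:
        return {"result": "timeout", "stage": "tls"}
    except ssl.SSLCertVerificationError as e:
        # e.g. "certificate has expired", "self-signed certificate", hostname mismatch
        return {"result": "cert_rejected", "reason": e.verify_message}
    except (ConnectionResetError, BrokenPipeError, ssl.SSLEOFError):
        return {"result": "dropped"}
    except ssl.SSLError as e:
        if "EOF" in str(e).upper():  # older Pythons report a mid-handshake close this way
            return {"result": "dropped"}
        return {"result": "tls_error", "reason": e.reason}


def fake_ldaps_server(behaviour):
    """Constructed stand-in for a broken LDAPS port on 127.0.0.1 (test aid, not real AD).

    'drop': accept the TCP connection and close it at once.
    'hang': accept and never answer the ClientHello.
    Returns the port number it listens on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            if behaviour == "hang":
                time.sleep(30)  # longer than any client timeout used here
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_local_port():
    """A port nothing listens on: bind to 0, read the number back, release it."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    for mode in ("drop", "hang"):
        print(mode, "->", probe_ldaps("127.0.0.1", fake_ldaps_server(mode), timeout=1.0))
    print("refused ->", probe_ldaps("127.0.0.1", unused_local_port(), timeout=1.0))
    # Against the real thing (hostname and CA path are placeholders):
    # probe_ldaps("AD_SERVER", 636, cafile="/etc/ssl/certs/ad-root.pem")
```

Run against the real AD, a `dropped` result points at the server-side certificate store that Chris describes, a `timeout` at something in between (a firewall or a listener that never completes the handshake), and `cert_rejected` with "self-signed certificate" or "certificate has expired" at the certificate itself; in the last case `openssl s_client -connect AD_SERVER:636 -showcerts` prints the chain the server actually sent so you can see which cert it picked up.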