On Fri, 30 Apr 2010, Richard Matthew McCutchen wrote:
On Fri, 2010-04-30 at 13:11 -0400, Daniel Lenski wrote:
If I try ldaps://directory.umd.edu, I get an error about being unable to
contact the server.
Indeed, the SSL interface seems to be broken. The server closes the
connection without sending any data:
$ openssl s_client -debug -connect directory.umd.edu:ldaps
CONNECTED(00000003)
write to 0x1d7f9f0 [0x1d8dc20] (116 bytes => 116 (0x74))
0000 - 16 03 01 00 6f 01 00 00-6b 03 01 4b db 19 29 45 ....o...k..K..)E
0010 - b9 08 ac 3c 90 47 09 a5-01 20 4a a1 49 c0 70 84 ...<.G... J.I.p.
0020 - da 46 5e a4 3e 2c 09 bf-cc b3 7d 00 00 38 00 39 .F^.>,....}..8.9
0030 - 00 38 00 88 00 87 00 35-00 84 00 16 00 13 00 0a .8.....5........
0040 - 00 33 00 32 00 9a 00 99-00 45 00 44 00 2f 00 96 .3.2.....E.D./..
0050 - 00 41 00 05 00 04 00 15-00 12 00 09 00 14 00 11 .A..............
0060 - 00 08 00 06 00 03 02 01-00 00 09 ff 01 00 01 00 ................
0070 - 00 23 .#
0074 - <SPACES/NULS>
read from 0x1d7f9f0 [0x1d93180] (7 bytes => 0 (0x0))
139690365220680:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 116 bytes
---
New, (NONE), Cipher is (NONE)
Compression: NONE
Expansion: NONE
---
Odd, it's working for me (and a lot of things would be broken if it wasn't working):
kapalua:~: openssl s_client -debug -connect directory.umd.edu:ldaps
<SNIP>
-----END CERTIFICATE-----
subject=/C=US/ST=Maryland/L=College Park/O=University of Maryland-College Park/OU=OIT/CN=directory.umd.edu
issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailaddress=premium-ser...@thawte.com
---
No client certificate CA names sent
---
SSL handshake has read 1877 bytes and written 322 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
00003A1569AE0A614D3FFD4C849F7A531B2344A8585858584BDB38920008CA06
Session-ID-ctx:
Master-Key:
16E9326C65A624ECEA5FB5F74304F82D8861823ABCE4690E831CA92AE627FE185C74C0F1E587FBC44AE07C82D0B3D48C
Key-Arg : None
Start Time: 1272658066
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
and it seems to be working from the command line as well:
z:~: ldapsearch -H ldaps://directory.umd.edu uid=sturdiva cn
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: uid=sturdiva
# requesting: cn
#
# sturdiva, people, umd.edu
dn: uid=sturdiva,ou=people,dc=umd,dc=edu
cn: Eric Ransom Sturdivant
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
And the matching snoop showing it's going over 636:
z.glue.umd.edu -> directory.umd.edu TCP D=636 S=39185 Syn Seq=2539659181 Len=0 Win=49640 Options=<mss 1460,nop,wscale 0,nop,nop,sackOK>
directory.umd.edu -> z.glue.umd.edu TCP D=39185 S=636 Syn Ack=2539659182 Seq=1110769585 Len=0 Win=49640 Options=<mss 1460,nop,wscale 0,nop,nop,sackOK>
z.glue.umd.edu -> directory.umd.edu TCP D=636 S=39185 Ack=1110769586 Seq=2539659182 Len=0 Win=49640
z.glue.umd.edu -> directory.umd.edu TCP D=636 S=39185 Push Ack=1110769586 Seq=2539659182 Len=124 Win=49640
directory.umd.edu -> z.glue.umd.edu TCP D=39185 S=636 Ack=2539659306 Seq=1110769586 Len=0 Win=49640
directory.umd.edu -> z.glue.umd.edu TCP D=39185 S=636 Ack=2539659306 Seq=1110769586 Len=1460 Win=49640
directory.umd.edu -> z.glue.umd.edu TCP D=39185 S=636 Push Ack=2539659306 Seq=1110771046 Len=358 Win=49640
z.glue.umd.edu -> directory.umd.edu TCP D=636 S=39185 Ack=1110771046 Seq=2539659306 Len=0 Win=48180
z.glue.umd.edu -> directory.umd.edu TCP D=636 S=39185 Ack=1110771404 Seq=2539659306 Len=0 Win=49640
Here's the Glue ldap.conf; not sure if setting any of this stuff will help you guys:
z:~: less /local/etc/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
BASE dc=umd,dc=edu
URI ldaps://directory.umd.edu
TLS_CACERTDIR /local/ssl/certs/ca
# TLS_CACERT /local/ssl/certs/c33a80d4.0
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
--
Eric Sturdivant
University of Maryland
Office of Information Technology
Distributed Computing Services
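When one client's handshake is cut off after the ClientHello and another's succeeds, the useful first step is to decode exactly what the failing client offered so the two hellos can be compared. The following is an added example, not code from anyone in this thread: it parses the 116-byte ClientHello from the failing openssl -debug dump quoted above. It assumes that the two bytes openssl trimmed as "<SPACES/NULS>" are 00 00, which is the only value that makes the record, handshake and extension lengths add up to 116; the cipher suite names are the usual OpenSSL names for those IANA codes, and codes not in the small table print as hex.

```python
import struct

# Constructed input: the 116-byte ClientHello from the failing openssl -debug
# dump quoted above. openssl elides trailing NUL bytes as "<SPACES/NULS>", so
# the final "00 00" (zero-length session_ticket body) is restored here.
CLIENT_HELLO = bytes.fromhex(
    "16 03 01 00 6f 01 00 00 6b 03 01 4b db 19 29 45"
    "b9 08 ac 3c 90 47 09 a5 01 20 4a a1 49 c0 70 84"
    "da 46 5e a4 3e 2c 09 bf cc b3 7d 00 00 38 00 39"
    "00 38 00 88 00 87 00 35 00 84 00 16 00 13 00 0a"
    "00 33 00 32 00 9a 00 99 00 45 00 44 00 2f 00 96"
    "00 41 00 05 00 04 00 15 00 12 00 09 00 14 00 11"
    "00 08 00 06 00 03 02 01 00 00 09 ff 01 00 01 00"
    "00 23 00 00")

SUITE_NAMES = {0x0039: "DHE-RSA-AES256-SHA", 0x0035: "AES256-SHA",
               0x002f: "AES128-SHA", 0x000a: "DES-CBC3-SHA", 0x0004: "RC4-MD5"}
EXT_NAMES = {0xff01: "renegotiation_info", 0x0023: "session_ticket"}

def u16(data, p):
    return struct.unpack("!H", data[p:p + 2])[0]

def parse_client_hello(data):
    """Decode one TLS record holding a ClientHello (RFC 5246); lengths are cross-checked."""
    if len(data) < 9 or data[0] != 0x16 or u16(data, 3) != len(data) - 5:
        raise ValueError("not a single, complete TLS handshake record")
    if data[5] != 0x01 or int.from_bytes(data[6:9], "big") != len(data) - 9:
        raise ValueError("record body is not exactly one ClientHello")
    client_ver = (data[9], data[10])
    gmt_time, p = struct.unpack("!I", data[11:15])[0], 43   # random = bytes 11..42
    sid_len = data[p]; session_id = data[p + 1:p + 1 + sid_len]; p += 1 + sid_len
    cs_len = u16(data, p); p += 2
    suites = [u16(data, i) for i in range(p, p + cs_len, 2)]; p += cs_len
    comp_len = data[p]; comps = list(data[p + 1:p + 1 + comp_len]); p += 1 + comp_len
    exts = []
    if p < len(data):                                  # extensions are optional
        end = p + 2 + u16(data, p); p += 2
        if end != len(data):
            raise ValueError("extensions length does not match record")
        while p < end:
            etype, elen = u16(data, p), u16(data, p + 2); p += 4
            exts.append((etype, data[p:p + elen])); p += elen
    return {"record_version": (data[1], data[2]), "client_version": client_ver,
            "gmt_unix_time": gmt_time, "session_id": session_id,
            "cipher_suites": suites, "compression": comps, "extensions": exts}

def summarize(hello):
    """One-line summary of the offer, the thing to diff between two clients."""
    suites = ", ".join(SUITE_NAMES.get(c, "0x%04x" % c) for c in hello["cipher_suites"])
    exts = ", ".join(EXT_NAMES.get(t, "0x%04x" % t) for t, _ in hello["extensions"])
    return "TLS wire version %d.%d, %d suites [%s], extensions [%s]" % (
        hello["client_version"] + (len(hello["cipher_suites"]), suites, exts))
```

Run against the constructed bytes it reports a wire version 3.1 (TLS 1.0) hello with 28 suites, no session ID, and two extensions (renegotiation_info and session_ticket); the gmt_unix_time in the random decodes to 2010-04-30 17:53:45 UTC, matching the thread's date.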