On Thu, Sep 27, 2001 at 10:58:45AM -0700, David Wright wrote:
> > > # ldapsearch -h clan -D cn=Manager,dc=example,dc=com -w secret -L -x -ZZ
> > ldap_start_tls: Connect error
>
> I ran into a similar problem and it turned out to be my cert; more recent
> OpenLDAPs are less tolerant of nonconformant certificates.  In particular,
> the name in your cert must be exactly the correct FQDN of your server as
> returned e.g. by nslookup; an IP address won't do.

I think I've got that right.  I've generated a new.cert.cert and
new.cert.key by doing the following:

    # cd /usr/local/etc/openldap/SSL

Create key and request

    # openssl req -new > new.cert.csr
    Using configuration from /etc/ssl/openssl.cnf
    Generating a 1024 bit RSA private key
    .....++++++
    ......++++++
    writing new private key to 'privkey.pem'
    Enter PEM pass phrase:
    Verifying password - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:XX
    State or Province Name (full name) [Some-State]:XXXXXXXXX
    Locality Name (eg, city) []:XXXXXXXXXXXX
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXX
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:XXXXXXXXXXXXXXXXXXXXXXXXX
    Email Address []:nik@freebsd.org

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

I've used XXX's in the above to obliterate some personal information.  I set
the "Common Name" to the name of the host, as returned by "hostname".

Then I removed the pass phrase from the key

    # openssl rsa -in privkey.pem -out new.cert.key
    read RSA key
    Enter PEM pass phrase:
    writing RSA key

Then I turned this into a signed certificate.

    # openssl x509 -in new.cert.csr -out new.cert.cert -req \
        -signkey new.cert.key -days 365
    Signature ok
    subject=/C=XX/ST=XXXXXXXXX/L=XXXXXXXXXXXX/O=XXXXXXXXXXXXXXXXXX/CN=XXXXXXXXXXXXXXXXXXXXXXXXX/Email=nik@freebsd.org
    Getting Private key

This leaves me with four files

    new.cert.cert
    new.cert.csr
    new.cert.key
    privkey.pem

I added these three lines to slapd.conf

    TLSCipherSuite HIGH:MEDIUM:+SSLv2
    TLSCertificateFile /usr/local/etc/openldap/SSL/new.cert.cert
    TLSCertificateKeyFile /usr/local/etc/openldap/SSL/new.cert.key

and run slapd as

    # /usr/local/libexec/slapd -h 'ldap:/// ldaps:///' -d 9

> If this doesn't solve the problem, please:
> 1) Tell us whether ssl (ie ldaps) fails as well as tls.

Don't know.  I don't have anything here that speaks ldaps.  I'm trying to
get TLS working so that I can use http://www.rudedog.org/auth_ldap/ which
can't use SSL with OpenLDAP, just TLS.

> 2) Include the log info, even if you don't understand it.

    @(#) $OpenLDAP: slapd 2.0.14-Release (Wed Sep 26 21:03:08 BST 2001) $
            nik@clan.nothing-going-on.org:/local/1/usr/ports/net/openldap2/work/openldap-2.0.14/servers/slapd
    daemon_init: listen on ldap:///
    daemon_init: listen on ldaps:///
    daemon_init: 2 listeners to open...
    ldap_url_parse_ext(ldap:///)
    daemon: initialized ldap:///
    ldap_url_parse_ext(ldaps:///)
    daemon: initialized ldaps:///
    daemon_init: 2 listeners opened
    slapd init: initiated server.
    slap_sasl_init: initialized!
    slapd startup: initiated.
    slapd starting
    daemon: added 8r
    daemon: added 9r
    daemon: select: listen=8 active_threads=0 tvp=NULL
    daemon: select: listen=9 active_threads=0 tvp=NULL

That's before I do the ldapsearch request.

I then run

    # ldapsearch -h clan -D cn=Manager,dc=example,dc=com -w secret -L -x -ZZ
    ldap_start_tls: Connect error

in another window, and the following is logged:

    daemon: activity on 1 descriptors
    daemon: new connection on 10
    daemon: added 10r
    daemon: activity on:
    daemon: select: listen=8 active_threads=0 tvp=NULL
    daemon: select: listen=9 active_threads=0 tvp=NULL
    daemon: activity on 1 descriptors
    daemon: activity on: 10r
    daemon: read activity on 10
    connection_get(10): got connid=0
    connection_read(10): checking for input on id=0
    ber_get_next
    ber_get_next: tag 0x30 len 29 contents:
    ber_get_next
    ber_get_next on fd 10 failed errno=35 (Resource temporarily unavailable)
    do_extended
    ber_scanf fmt ({a) ber:
    send_ldap_extended 0: (0)
    send_ldap_response: msgid=1 tag=120 err=0
    ber_flush: 14 bytes to sd 10
    daemon: select: listen=8 active_threads=1 tvp=NULL
    daemon: select: listen=9 active_threads=1 tvp=NULL
    daemon: activity on 1 descriptors
    daemon: activity on: 10r
    daemon: read activity on 10
    connection_get(10): got connid=0
    connection_read(10): checking for input on id=0
    TLS trace: SSL_accept:before/accept initialization
    TLS trace: SSL_accept:SSLv3 read client hello A
    TLS trace: SSL_accept:SSLv3 write server hello A
    TLS trace: SSL_accept:SSLv3 write certificate A
    TLS trace: SSL_accept:SSLv3 write server done A
    TLS trace: SSL_accept:SSLv3 flush data
    TLS trace: SSL_accept:error in SSLv3 read client certificate A
    TLS trace: SSL_accept:error in SSLv3 read client certificate A
    daemon: select: listen=8 active_threads=0 tvp=NULL
    daemon: select: listen=9 active_threads=0 tvp=NULL
    daemon: activity on 1 descriptors
    daemon: activity on: 10r
    daemon: read activity on 10
    connection_get(10): got connid=0
    connection_read(10): checking for input on id=0
    TLS trace: SSL_accept:SSLv3 read client key exchange A
    TLS trace: SSL_accept:SSLv3 read finished A
    TLS trace: SSL_accept:SSLv3 write change cipher spec A
    TLS trace: SSL_accept:SSLv3 write finished A
    TLS trace: SSL_accept:SSLv3 flush data
    daemon: select: listen=8 active_threads=0 tvp=NULL
    daemon: select: listen=9 active_threads=0 tvp=NULL
    daemon: activity on 1 descriptors
    daemon: activity on: 10r
    daemon: read activity on 10
    connection_get(10): got connid=0
    connection_read(10): checking for input on id=0
    ber_get_next
    ber_get_next on fd 10 failed errno=0 (Undefined error: 0)
    connection_read(10): input error=-2 id=0, closing.
    connection_closing: readying conn=0 sd=10 for close
    connection_close: conn=0 sd=10
    daemon: removing 10
    TLS trace: SSL3 alert write:warning:close notify
    daemon: select: listen=8 active_threads=0 tvp=NULL
    daemon: select: listen=9 active_threads=0 tvp=NULL
    daemon: activity on 1 descriptors
    daemon: select: listen=8 active_threads=0 tvp=NULL
    daemon: select: listen=9 active_threads=0 tvp=NULL

Any suggestions gratefully received.

N
--
Internet connection, $19.95 a month.  Computer, $799.95.  Modem, $149.95.
Telephone line, $24.95 a month.  Software, free.  USENET transmission,
hundreds if not thousands of dollars.  Thinking before posting, priceless.
Some things in life you can't buy.  For everything else, there's MasterCard.
    -- Graham Reed, in the Scary Devil Monastery
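The checks a practitioner would run on the certificate before restarting slapd, as an added shell example that is not part of the original post and is not OpenLDAP's or OpenSSL's own code. It builds a self-signed server cert in one step (openssl req -x509 -nodes, which is the modern equivalent of the req, rsa and x509 -signkey sequence in the message above), then verifies the three things David Wright's hint turns on: that the CN is exactly the FQDN clients connect to (a short `hostname` or an IP address fails), that TLSCertificateKeyFile really is the key for TLSCertificateFile, and that the cert is inside its validity period. The host name ldap.example.com, the short name ldap and the temporary working directory are assumptions standing in for the poster's host and /usr/local/etc/openldap/SSL.

```shell
#!/bin/sh
# Added example (not from the original post, OpenLDAP or OpenSSL): generate a
# self-signed slapd server cert and check it before pointing slapd.conf at it.
# Assumptions: ldap.example.com / ldap are stand-in host names, and a mktemp
# directory stands in for /usr/local/etc/openldap/SSL.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

# One-step equivalent of "req -new", "rsa" (strip pass phrase) and
# "x509 -req -signkey": -nodes writes the key unencrypted so slapd can load
# it at startup without a pass phrase prompt.
gen_cert() {
    cn="$1"; key="$2"; cert="$3"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/C=XX/O=Example/CN=$cn" \
        -keyout "$key" -out "$cert" 2>/dev/null
    chmod 600 "$key"
}

# Print the CN of a cert's subject.  RFC 2253 formatting gives a stable
# "CN=value,..." layout regardless of OpenSSL version.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# 0 when the CN equals the name clients will use: the FQDN, not an IP
# address and not the short name a bare `hostname` may return.
cert_cn_matches() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# 0 when the key and cert belong together (same RSA modulus).
key_matches_cert() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus)
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# 0 when the cert has not expired (-checkend 0: valid right now).
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Run all three checks, one verdict line each; 0 only if every check passes.
check_pair() {
    cert="$1"; key="$2"; fqdn="$3"; rc=0
    if cert_cn_matches "$cert" "$fqdn"; then echo "CN ok: $(cert_cn "$cert")"
    else echo "CN mismatch: cert says '$(cert_cn "$cert")', clients use '$fqdn'"; rc=1; fi
    if key_matches_cert "$cert" "$key"; then echo "key matches cert"
    else echo "key does not match cert"; rc=1; fi
    if cert_not_expired "$cert"; then echo "cert within validity period"
    else echo "cert expired"; rc=1; fi
    return $rc
}

# Demonstration on constructed data: a cert issued to the FQDN passes, a cert
# whose CN is the short host name fails the name check.
demo() {
    d=$(mktemp -d)
    fqdn=ldap.example.com
    gen_cert "$fqdn" "$d/good.key"  "$d/good.crt"
    gen_cert "ldap"  "$d/short.key" "$d/short.crt"
    check_pair "$d/good.crt"  "$d/good.key"  "$fqdn" || echo "good pair failed unexpectedly"
    check_pair "$d/short.crt" "$d/short.key" "$fqdn" || echo "short-name cert rejected, as expected"
    rm -rf "$d"
}

demo
```

Once the pair passes, the same StartTLS exchange that ldapsearch -ZZ performs can be driven by hand with OpenSSL 1.1.1 or later (`openssl s_client -connect clan:389 -starttls ldap`), which shows the server certificate and any verification error without slapd's -d 9 noise. Note that current TLS clients match the host name against the subjectAltName extension rather than the CN; a cert meant for today's clients should also carry `-addext "subjectAltName=DNS:ldap.example.com"` (OpenSSL 1.1.1+), which the example omits to stay portable to older OpenSSL.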