Problem with ldaps:// when switching from 2.3 to 2.4
I have two machines; on the first there is no problem connecting to the LDAP server (IBM Directory Server).
The first machine is a RedHat RHEL5 Client, the second is Ubuntu Karmic 9.10.
First machine looks like this:
<root@trog /etc/openldap># uname -a
Linux trog.krakow.pl.ibm.com 2.6.30 #1 SMP Fri Jun 26 08:44:06 CEST 2009 i686 i686 i386 GNU/Linux
<root@trog /etc/openldap># rpm -qa |grep ldap
python-ldap-2.2.0-2.1
openldap-2.3.43-3.el5
openldap-devel-2.3.43-3.el5
nss_ldap-253-21.el5
mozldap-6.0.5-1.el5
openldap-clients-2.3.43-3.el5
openldap-compat-2.1.30-1.oc2
<root@trog /etc/openldap># cat ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERT /etc/openldap/cacerts/bp.cert
On the second the configuration is:
root@xwing:/etc/ldap# uname -a
Linux xwing 2.6.31-server #1 SMP Thu Oct 1 11:55:18 CEST 2009 i686 GNU/Linux
root@xwing:/etc/ldap# dpkg -l |grep ldap
ii ldap-utils 2.4.15-1ubuntu3 OpenLDAP utilities
ii libldap-2.4-2 2.4.15-1ubuntu3 OpenLDAP libraries
root@xwing:/etc/ldap# cat ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERT /etc/ldap/cacerts/bp.cert
When I start ldapsearch on the second machine, I get the error:
root@xwing:/etc/ldap# ldapsearch -d5 -x -H ldaps://myldapserver.com
ldap_url_parse_ext(ldaps://myldapserver.com)
ldap_create
ldap_url_parse_ext(ldaps://myldapserver.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP myldapserver.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 9.17.186.253:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: can't connect: A TLS packet with unexpected length was received..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
What is more, when using ldap:// instead of ldaps:// on the second machine everything works perfectly, but since it's not a secure connection I cannot accept that solution.
ldapsearch works fine on the first machine for both secure and insecure connections.
Can anyone help?
--
Tomasz 'Trog' Welman
Software Developer
external: 48-12-628-9449
ITN: 34819449
T/L: 9449
IBM SWG Lab, Krakow, Poland
IBM Polska Sp. z o.o., Kraków branch
ul. Armii Krajowej 18, 30-150 Kraków
NIP: 526-030-07-24, KRS 0000012941
Share capital: 33.000.000 PLN
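A small triage helper for the kind of trace shown in the post, added here as an example and not part of the original thread: it tells a TCP-connect failure apart from a TLS-handshake failure (the post's case: an address was tried, the socket connected, then the handshake died) and checks the TLS_CACERT file that ldap.conf names. Function names, the `-d` output wording it matches on, and the embedded sample trace are the example's own assumptions.

```python
"""Triage an ldapsearch -d trace and the TLS_CACERT file named in ldap.conf.
Added example (not from the post); assumes OpenLDAP 2.4 debug-output wording."""
import os
import re

# Constructed sample: the failing ldaps:// run quoted in the post, abridged.
SAMPLE_TRACE = """\
ldap_url_parse_ext(ldaps://myldapserver.com:636/??base)
ldap_connect_to_host: TCP myldapserver.com:636
ldap_connect_to_host: Trying 9.17.186.253:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: can't connect: A TLS packet with unexpected length was received..
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
"""
TLS_FAILURE = re.compile(r"^TLS: (can't connect|peer cert|hostname)")

def classify_trace(trace):
    """Return (stage, detail): the layer at which the run failed.
    'tls' means TCP connected but the handshake failed, as in the post:
    port 636 answers, so the fault is in TLS setup, not routing or bind."""
    lines = trace.splitlines()
    tried = any("Trying " in ln for ln in lines)
    tcp_err = next((ln for ln in lines if "connect errno" in ln), None)
    tls_err = next((ln for ln in lines if TLS_FAILURE.match(ln)), None)
    if tls_err:
        return "tls", tls_err[len("TLS:"):].strip()
    if tcp_err or (tried and any("Can't contact LDAP server" in ln for ln in lines)):
        return "tcp", tcp_err or "connection not established"
    if not tried:
        return "resolve", "no address was attempted"
    bind_err = next((ln for ln in lines if "Invalid credentials" in ln), None)
    return ("bind", bind_err) if bind_err else ("ok", "")

def cacert_path(ldap_conf_text):
    """Return the active (uncommented) TLS_CACERT path from ldap.conf text."""
    m = re.search(r"^\s*TLS_CACERT\s+(\S+)", ldap_conf_text, re.M)
    return m.group(1) if m else None

def cacert_status(path):
    """'missing', 'pem' or 'not-pem'; libldap expects TLS_CACERT in PEM form."""
    if not os.path.isfile(path):
        return "missing"
    with open(path, "rb") as fh:
        return "pem" if fh.read(11) == b"-----BEGIN " else "not-pem"

if __name__ == "__main__":
    print(classify_trace(SAMPLE_TRACE))
    print(cacert_status(cacert_path("TLS_CACERT /etc/ldap/cacerts/bp.cert")))
```

Run it against the real `ldapsearch -d5` output and the real ldap.conf on the failing host; a 'tls' stage together with a 'missing' or 'not-pem' CA file points at the client's trust setup rather than the server.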