Greets,
I have remedied the TLS issue I was having with
ldapsearch. Thanks, Kurt, for the "clue" about the common name in the SSL
certificate. That was fundamental in determining the problem.
To recap, I had openldap-2.0.11 compiled with tls under openssl-0.9.6a.
I could do ldapsearches to regular connections
(ldapsearch -x -H "ldap://192.168.0.1" -s base -b "dc=example,dc=com").
However, TLS connections would fail with an ambiguous error
(ldapsearch -x -H "ldaps://192.168.0.1" -s base -b "dc=example,dc=com").
The error would be:
ldap_pvt_gethostbyname_a: host=Geneva, r=0
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next on fd 10 failed errno=0 (Success)
connection_read(10): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=10 for close
connection_close: conn=0 sd=10
TLS trace: SSL3 alert write:warning:close notify
The issue was that the certificate for Geneva
(192.168.0.1) has a common name of Geneva, but the DNS was not set up to resolve
the hostname. This was necessary even though I was connecting directly by
IP because of the hostname in the certificate. I added an entry to
/etc/hosts for '192.168.0.1 geneva', and this works properly now.
The key is to make sure you can resolve the CN in
the certificate. To find out the CN, run (in my case) 'openssl s_client -connect 192.168.0.1:636' and look at the
output:
CONNECTED(00000003)
depth=0 /C=CA/ST=Manitoba/L=Winnipeg/O=SBGH/OU=IS/CN=geneva/Email=jmowat@sbgh.mb.ca
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=CA/ST=Manitoba/L=Winnipeg/O=SBGH/OU=IS/CN=geneva/Email=jmowat@sbgh.mb.ca
verify return:1
---
Certificate chain
 0 s:/C=CA/ST=Manitoba/L=Winnipeg/O=SBGH/OU=IS/CN=geneva/Email=jmowat@sbgh.mb.ca
   i:/C=CA/ST=Manitoba/L=Winnipeg/O=SBGH/OU=IS/CN=geneva/Email=jmowat@sbgh.mb.ca
...
Hope this helps anyone who was having similar
problems!
As a side note, it may be prudent to change the
error in slapd to give a bit more information back in the event of this error,
like 'CN=whatever could not be resolved, ldapsearch terminating', or something
like that. Just a suggestion :-)
Cheers,
Jason
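A pre-flight check for the problem described in this post, added here as an illustration and not part of Jason's message or of OpenLDAP: it pulls the server certificate from the ldaps port, lists the names it carries (the subject CN plus any DNS subjectAltNames, which current clients match in preference to the CN), and reports whether each name resolves to the address you actually connect to. The host name 'geneva', the address 192.168.0.1 and SAMPLE_CERT are constructed from the post (the extra SAN is invented); fetch_cert assumes a self-signed server certificate as in the post, and takes a cafile for a CA-signed one.

```python
import socket
import ssl


def cert_names(cert):
    """Names a server certificate claims: the subject CN plus DNS subjectAltNames.
    `cert` has the shape returned by ssl.SSLSocket.getpeercert()."""
    names = []
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName" and value not in names:
                names.append(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and value not in names:
            names.append(value)
    return names


def check_resolution(cert, connect_ip, resolve=socket.gethostbyname):
    """For each certificate name: 'ok' if it resolves to connect_ip,
    'wrong-address' if it resolves elsewhere, 'unresolvable' if lookup fails.
    `resolve` is injectable so the logic can be exercised without DNS."""
    report = {}
    for name in cert_names(cert):
        try:
            addr = resolve(name)
        except OSError:            # socket.gaierror is a subclass of OSError
            report[name] = "unresolvable"
            continue
        report[name] = "ok" if addr == connect_ip else "wrong-address"
    return report


def fetch_cert(host, port=636, cafile=None):
    """Fetch the parsed peer certificate from a live ldaps port.
    getpeercert() returns a parsed dict only when the chain verified, so with no
    cafile the (self-signed, as in this post) leaf is downloaded first and used
    as the trust anchor; for a CA-signed server cert pass the CA bundle."""
    cadata = None if cafile else ssl.get_server_certificate((host, port))
    ctx = ssl.create_default_context(cafile=cafile, cadata=cadata)
    ctx.check_hostname = False     # we are diagnosing the name, not enforcing it
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() shape, modelled on the post's certificate;
# the second SAN is invented to show a name that does not resolve.
SAMPLE_CERT = {
    "subject": ((("countryName", "CA"),), (("organizationName", "SBGH"),),
                (("commonName", "geneva"),)),
    "subjectAltName": (("DNS", "geneva"), ("DNS", "geneva.example.com")),
}
```

Against a real server run check_resolution(fetch_cert("192.168.0.1"), "192.168.0.1"); any name reported as 'unresolvable' or 'wrong-address' is the one to fix in DNS or /etc/hosts.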