[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
OpenLDAP SSL errors
I am trying to get OpenLDAP over SSL working so I can use it
securely for logins. I am running on SuSE 7.1 w/ OpenLDAP 2.0.7.
I have setup slapd.conf with the following SSL options:
# SSL/TLS config
TLSCertificateFile /etc/openldap/server.pem
TLSCertificateKeyFile /etc/openldap/server.pem
TLSCACertificateFile /etc/openldap/server.pem
TLSVerifyClient false
The server.pem file was generated by:
openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 365
I made sure that the common name was set to the FQDN of the ldap
server.
On a client machine, I have ldap.conf setup as:
HOST ldapserver
BASE dc=sub,dc=domain,dc=com
URI ldaps://ldapserver
ssl yes
On the ldap server I start in debug mode with:
/usr/lib/openldap/slapd -d 1 -h "ldaps:///"
and get:
@(#) $OpenLDAP: slapd 2.0.7-Release (Mon Jun 18 20:50:20 GMT 2001) $
root@Hahn:/usr/src/packages/BUILD/openldap-2.0.7/servers/slapd
daemon_init: listen on ldaps:///
daemon_init: 1 listeners to open...
ldap_url_parse(ldaps:///)
daemon: socket() failed errno=97 (Address family not supported by protocol)
daemon: initialized ldaps:///
daemon_init: 1 listeners opened
slapd init: initiated server.
slap_sasl_init: initialized!
slapd startup: initiated.
slapd starting
I am a bit concerned about the daemon socket() error but don't know
why it is happening.
After starting the ldap server in this way I try to run an
ldapsearch against it from a client:
ldapsearch -H ldaps://ldapserver -x -b "" -s base
And get a segmentation fault on the client.
The output from from the slapd server debug is:
ldap_pvt_gethostbyname_a: host=mcnode1.EraGen.com, r=0
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
ber_get_next
ber_get_next on fd 9 failed errno=0 (Success)
connection_read(9): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=9 for close
connection_close: conn=0 sd=9
TLS trace: SSL3 alert write:warning:close notify
The two lines I think might be interesting is the "error in SSLv3
read client certificate A" and the line:
ber_get_next on fd 9 failed errno=0 (Success)
ldap logins work if I don't use SSL so the problem must be with the
SSL functionality.
I have been looking through the mailing list archives and have seen
people post with similar problems, but nobody seems to have
posted a fix as far as I have seen.
Has anyone actually gotten OpenLDAP over SSL/TLS working? If so,
could you please let me know what your config files look like? What
you did differently than me?
Also, if someone could tell me what some of the error messages
from the debug output mean, I might be able to try a few things
and try to track it down. If I do find a fix and get this working,
I will post my solution.
Thanks.
Chris