Re: OpenLDAP SSL errors
At 01:48 PM 7/31/2001, Chris Black wrote:
>I am trying to get OpenLDAP over SSL working so I can use it
>securely for logins. I am running on SuSE 7.1 w/ OpenLDAP 2.0.7.
>I have setup slapd.conf with the following SSL options:
># SSL/TLS config
>TLSCertificateFile /etc/openldap/server.pem
>TLSCertificateKeyFile /etc/openldap/server.pem
>TLSCACertificateFile /etc/openldap/server.pem
>TLSVerifyClient false
>
>
>The server.pem file was generated by:
>openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 365
>
>I made sure that the common name was set to the FQDN of the ldap
>server.
>
>On a client machine, I have ldap.conf setup as:
>HOST ldapserver
>BASE dc=sub,dc=domain,dc=com
>URI ldaps://ldapserver
>ssl yes
>
>
>On the ldap server I start in debug mode with:
>/usr/lib/openldap/slapd -d 1 -h "ldaps:///"
>and get:
>@(#) $OpenLDAP: slapd 2.0.7-Release (Mon Jun 18 20:50:20 GMT 2001) $
> root@Hahn:/usr/src/packages/BUILD/openldap-2.0.7/servers/slapd
>daemon_init: listen on ldaps:///
>daemon_init: 1 listeners to open...
>ldap_url_parse(ldaps:///)
>daemon: socket() failed errno=97 (Address family not supported by protocol)
>daemon: initialized ldaps:///
>daemon_init: 1 listeners opened
>slapd init: initiated server.
>slap_sasl_init: initialized!
>slapd startup: initiated.
>slapd starting
>
>
>I am a bit concerned about the daemon socket() error but don't know
>why it is happening.
Don't be. It just means that slapd was built for IPv6 but
your system wasn't configured for it.
>After starting the ldap server in this way I try to run an
>ldapsearch against it from a client:
>ldapsearch -H ldaps://ldapserver -x -b "" -s base
Use your FQDN as that's what's in your certificate.
>And get a segmentation fault on the client.
Use gdb to get a backtrace...
>The output from the slapd server debug is:
>ldap_pvt_gethostbyname_a: host=mcnode1.EraGen.com, r=0
>connection_get(9): got connid=0
>connection_read(9): checking for input on id=0
>TLS trace: SSL_accept:before/accept initialization
>TLS trace: SSL_accept:SSLv3 read client hello A
>TLS trace: SSL_accept:SSLv3 write server hello A
>TLS trace: SSL_accept:SSLv3 write certificate A
>TLS trace: SSL_accept:SSLv3 write server done A
>TLS trace: SSL_accept:SSLv3 flush data
>TLS trace: SSL_accept:error in SSLv3 read client certificate A
>TLS trace: SSL_accept:error in SSLv3 read client certificate A
>connection_get(9): got connid=0
>connection_read(9): checking for input on id=0
>TLS trace: SSL_accept:SSLv3 read client key exchange A
>TLS trace: SSL_accept:SSLv3 read finished A
>TLS trace: SSL_accept:SSLv3 write change cipher spec A
>TLS trace: SSL_accept:SSLv3 write finished A
>TLS trace: SSL_accept:SSLv3 flush data
>connection_get(9): got connid=0
>connection_read(9): checking for input on id=0
>ber_get_next
>ber_get_next on fd 9 failed errno=0 (Success)
>connection_read(9): input error=-2 id=0, closing.
>connection_closing: readying conn=0 sd=9 for close
>connection_close: conn=0 sd=9
>TLS trace: SSL3 alert write:warning:close notify
>
>
>The two lines I think might be interesting are the "error in SSLv3
>read client certificate A"
Unless the client asserted a certificate, that's normal.
>and the line:
>ber_get_next on fd 9 failed errno=0 (Success)
just reporting what errno was at that point...
>ldap logins work if I don't use SSL so the problem must be with the
>SSL functionality.
>
>I have been looking through the mailing list archives and have seen
>people post with similar problems, but nobody seems to have
>posted a fix as far as I have seen.
>
>Has anyone actually gotten OpenLDAP over SSL/TLS working?
Yes.
>If so,
>could you please let me know what your config files look like?
#
# OpenLDAP public directory
# ldap://ldap.openldap.org/
#
sasl-host www.openldap.org
sasl-realm OPENLDAP.ORG
TLSCipherSuite HIGH:MEDIUM
TLSCertificateFile conf/server.pem
TLSCertificateKeyFile conf/server.pem
include conf/schema/core.schema
include conf/schema/cosine.schema
include conf/schema/inetorgperson.schema
include conf/schema/openldap.schema
pidfile var/slapd.pid
argsfile var/slapd.args
database ldbm
directory var/ldbm
suffix "dc=OpenLDAP,dc=org"
index objectclass eq
>What did you do
>differently from me?
>Also, if someone could tell me what some of the error messages
>from the debug output mean,
Means the client crashed....
>I might be able to try a few things
>and try to track it down. If I do find a fix and get this working,
>I will post my solution.
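As an added illustration (not part of this thread), the following script triages a slapd `-d 1` TLS trace like the one quoted above: it decides whether the handshake completed, whether the "read client certificate" error is benign given the `TLSVerifyClient` setting, and whether the peer dropped the connection before sending any LDAP PDU. The `SAMPLE_TRACE` text is constructed from the quoted output, and the `triage` function and its return keys are this example's own names.

```python
# Added example: classify a slapd "-d 1" TLS trace like the one quoted in the thread.
# SAMPLE_TRACE is constructed from the quoted output; it is not a captured log.
SAMPLE_TRACE = """\
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
ber_get_next on fd 9 failed errno=0 (Success)
connection_read(9): input error=-2 id=0, closing.
"""

# TLSVerifyClient settings under which a client presenting no certificate is acceptable
# (keyword values as documented in slapd.conf(5); "false" is the thread's setting).
NO_CLIENT_CERT_REQUIRED = {"never", "false", "allow", "try"}


def triage(trace, verify_client="false"):
    """Extract handshake facts from a slapd TLS trace and attach a diagnosis label."""
    lines = trace.splitlines()
    facts = {
        "handshake_complete": any("SSL_accept:SSLv3 write finished A" in l for l in lines),
        "client_cert_error": any("error in SSLv3 read client certificate" in l for l in lines),
        "closed_before_ldap": any(l.startswith("ber_get_next on fd") and "failed" in l for l in lines),
    }
    # The "read client certificate" error only matters when the server demands a cert.
    facts["client_cert_error_benign"] = (
        facts["client_cert_error"] and verify_client.lower() in NO_CLIENT_CERT_REQUIRED
    )
    if not facts["handshake_complete"]:
        facts["diagnosis"] = "tls-handshake-failed"       # check cert, key and cipher config
    elif facts["closed_before_ldap"]:
        facts["diagnosis"] = "client-closed-before-ldap"  # TLS was fine; the client went away
    else:
        facts["diagnosis"] = "ok"
    return facts


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

For the quoted trace this reports a completed handshake, a benign client-certificate error and a client that closed before any LDAP request, which matches the reply's reading that the client itself crashed.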