openldap SSL/TLS problem



I want to have my openldap traffic secured using openssl. I read a lot of
mail on the list about that, and here's what I did:

openldap 2.0.11, RedHat 7.1, openssl-0.9.6-3

I created the certificate (using the FQDN!):

openssl req -new -x509 -nodes -out ldapserver.pem -keyout ldapserver.pem -days 365

Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:Evry
Organization Name (eg, company) [Internet Widgits Pty Ltd]:INT-EVRY
Organizational Unit Name (eg, section) []:MCI
Common Name (eg, your name or your server's hostname)
[]:mci21056.int-evry.fr
Email Address []:root@mci21056.int-evry.fr


/etc/openldap/slapd.conf:

TLSCipherSuite HIGH:MEDIUM
TLSCertificateFile /usr/share/ssl/certs/ldapserver.pem
TLSCertificateKeyFile /usr/share/ssl/certs/ldapserver.pem

/etc/openldap/ldap.conf

HOST mci21056.int-evry.fr
BASE dc=int-evry,dc=fr
URI ldaps://mci21056.int-evry.fr
ssl yes
#ssl start_tls

I start the server

$ slapd -d 1 -h "ldaps://mci21056.int-evry.fr" -l LOCAL3
@(#) $OpenLDAP: slapd 2.0.11-Release (Mon Jun 18 23:27:28 CEST 2001) $
        root@mci21056.int-evry.fr:/usr/src/redhat/BUILD/openldap-2.0.11/servers/slapd
daemon_init: listen on ldaps://mci21056.int-evry.fr
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldaps://mci21056.int-evry.fr)
daemon: initialized ldaps://mci21056.int-evry.fr
daemon_init: 1 listeners opened
slapd init: initiated server.
slap_sasl_init: initialized!
slapd startup: initiated.
slapd starting

It is running:

$ lsof -i tcp:636
COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
slapd   11241 root    6u  IPv4  52557       TCP mci21056.int-evry.fr:ldaps (LISTEN)


Here's my problem:

$ ldapsearch -Z -H "ldaps://mci21056.int-evry.fr" -b "dc=int-evry,dc=fr" "uid=procacci"
ldap_start_tls: Operations error
        additional info: TLS already started
ldap_sasl_interactive_bind_s: Unknown authentication method

Server's log ends with:

send_ldap_result: conn=0 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=0
ber_flush: 14 bytes to sd 7
ber_get_next
ber_get_next on fd 7 failed errno=11 (Resource temporarily unavailable)
connection_get(7): got connid=0
connection_read(7): checking for input on id=0
ber_get_next
ber_get_next on fd 7 failed errno=0 (Success)
connection_read(7): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=7 for close
connection_close: conn=0 sd=7
TLS trace: SSL3 alert write:warning:close notify


What am I doing wrong?
Is there a doc or HOWTO about all this SSL/TLS stuff with openldap?

Thanks
-- 
Jehan Procaccia
Institut National des Telecommunications | Email: Jehan.Procaccia@int-evry.fr
MCI, Moyens Communs Informatiques        | Tel  : +33 (0) 160764436
9 rue Charles Fourier 91011 Evry France  | Fax  : +33 (0) 160764321
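An added example, not part of the post and not OpenLDAP code: a small Python check of the client side shown above. With ldapsearch, -Z or -ZZ request StartTLS on a plain ldap:// session, an ldaps:// URI already negotiates TLS on connect, and -x selects a simple bind instead of SASL; the ldap.conf fragment and command line are taken from the post as constructed input, and the checker's output strings are its own wording.

```python
"""Classify how an OpenLDAP client invocation negotiates TLS (added example)."""
import shlex
from urllib.parse import urlsplit

# Constructed sample input: the ldap.conf fragment quoted in the post.
LDAP_CONF = """\
HOST mci21056.int-evry.fr
BASE dc=int-evry,dc=fr
URI ldaps://mci21056.int-evry.fr
ssl yes
#ssl start_tls
"""

def parse_ldap_conf(text):
    """Map directive -> value, skipping blanks and '#' comments; keys uppercased."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key.upper()] = value.strip()
    return conf

def effective_uri(args, conf):
    """A -H argument on the command line overrides URI from ldap.conf."""
    if "-H" in args and args.index("-H") + 1 < len(args):
        return args[args.index("-H") + 1]
    return conf.get("URI", "")

def tls_mode(cmdline, conf):
    """Return 'ldaps', 'starttls', 'none' or 'conflict' (-Z/-ZZ on an ldaps:// URI,
    i.e. StartTLS requested on a session that is already TLS from the first byte)."""
    args = shlex.split(cmdline)
    start_tls = any(a in ("-Z", "-ZZ") for a in args)
    scheme = urlsplit(effective_uri(args, conf)).scheme.lower()
    if scheme == "ldaps":
        return "conflict" if start_tls else "ldaps"
    return "starttls" if start_tls else "none"

def findings(cmdline, conf):
    """What a reviewer would flag: double TLS, and a SASL bind nobody asked for."""
    args = shlex.split(cmdline)
    issues = []
    if tls_mode(cmdline, conf) == "conflict":
        issues.append("StartTLS requested on ldaps:// (server answers 'TLS already started')")
    if "-x" not in args:
        issues.append("no -x: ldapsearch attempts a SASL bind instead of a simple bind")
    return issues
```

Run `findings(...)` on the command line from the post to see both items reported, and on a consistent pair (ldap:// with -ZZ, or ldaps:// without -Z, plus -x) to get an empty list.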