[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Cannot get ldaps to work to 2.0.19 or 2.0.11
On Sun, 6 Jan 2002, Prasad A. Chodavarapu wrote:
> Hi James,
> Thanks a lot for the reply. Unfortunately though, that doesn't seem to
> be the real problem. I've tried running 2.0.19 as root but to no avail.
> Also, 2.0.11 that I tested was actually on a pristine RH 7.2. Btw, if it
> matters, I am using openssl-0.9.6b-8 that comes with RH7.2. Any other
> ideas?
hmm, not sure, as your debug trace doesn't show any errors... Try running
an ldap search against it, with -d 5. this should at least show an error
that you can start from.
Regards
Jim
> Thanks in advance
> prasad
>
> ----- Original Message -----
> From: "James Bourne" <jbourne@MtRoyal.AB.CA>
> To: "Prasad A. Chodavarapu" <chprasad@hotmail.com>
> Cc: <openldap-software@OpenLDAP.org>
> Sent: Sunday, January 06, 2002 1:04 PM
> Subject: Re: Cannot get ldaps to work to 2.0.19 or 2.0.11
>
>
> > On Sun, 6 Jan 2002, Prasad A. Chodavarapu wrote:
> >
> > > I've been trying in vain to get my OpenLDAP installation (both
> 2.0.11
> > > and 2.0.19) to work over SSL. I can get ldap:/// to work with all
> > > clients i tried but ldaps:/// was a different story with every
> client.
> > >
> > > I've searched the web, made sure that the hostname in my server
> > > certificate resolves correctly but it didn't help either. One thing
> I
> > > haven't done is configure any of the clients with any certificates.
> >
> > Hi,
> > Try running the ldap server as root. There seems to be a bug, either
> with
> > openssl 0.9.6(null,a,b) or with openldap (I think it is a problem in
> openssl
> > more then openldap) which does not allow the server to run as a
> non-root
> > user and properly use TLS... The Red Hat 7.2 distributed RPMS do work
> > properly as a non-root user, and I've backported them (not very
> difficult)
> > to Red Hat 6.1 as well. You may want to look to those for your build
> tips.
> >
> > Regards
> > James Bourne
> >
> > >
> > > My conf file contains the following TLS directives.
> > >
> > > TLSCertificateFile /usr/share/ssl/certs/slapd.pem
> > > TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
> > > #the following are not documented in the latest man page
> > > TLSCACertificateFile /usr/share/ssl/certs/slapd.pem
> > > TLSVerifyClient 0
> > >
> > > and finally, here's my debug trace.
> > >
> > > slapd starting
> > > daemon: added 6r
> > > daemon: added 7r
> > > daemon: select: listen=6 active_threads=0 tvp=NULL
> > > daemon: select: listen=7 active_threads=0 tvp=NULL
> > > daemon: activity on 1 descriptors
> > > daemon: new connection on 10
> > > ldap_pvt_gethostbyname_a: host=cherish.aalayance.com, r=0
> > > daemon: conn=0 fd=10 connection from IP=127.0.0.1:34267
> > > (IP=0.0.0.0:31746) accepted.
> > > daemon: added 10r
> > > daemon: activity on:
> > > daemon: select: listen=6 active_threads=0 tvp=NULL
> > > daemon: select: listen=7 active_threads=0 tvp=NULL
> > > daemon: activity on 1 descriptors
> > > daemon: activity on: 10r
> > > daemon: read activity on 10
> > > connection_get(10)
> > > connection_get(10): got connid=0
> > > connection_read(10): checking for input on id=0
> > > TLS trace: SSL_accept:before/accept initialization
> > > tls_read: want=11, got=11
> > > 0000: 80 7a 01 03 01 00 51 00 00 00 20
> .z....Q...
> > > tls_read: want=113, got=113
> > > 0000: 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00 66 00
> > > ..............f.
> > > 0010: 00 05 00 00 04 03 00 80 01 00 80 08 00 80 00 00
> > > ................
> > > 0020: 65 00 00 64 00 00 63 00 00 62 00 00 61 00 00 60
> > > e..d..c..b..a..`
> > > 0030: 00 00 15 00 00 12 00 00 09 06 00 40 00 00 14 00
> > > ...........@....
> > > 0040: 00 11 00 00 08 00 00 06 00 00 03 04 00 80 02 00
> > > ................
> > > 0050: 80 06 5d 44 a0 bb d0 70 c0 ab 86 14 b5 20 6b ab
> > > ..]D...p..... k.
> > > 0060: 57 03 57 e2 20 56 28 dd b8 9f 41 fc 3b 54 4f ec W.W.
> > > V(...A.;TO.
> > > 0070: 18 .
> > > TLS trace: SSL_accept:SSLv3 read client hello A
> > > TLS trace: SSL_accept:SSLv3 write server hello A
> > > TLS trace: SSL_accept:SSLv3 write certificate A
> > > TLS trace: SSL_accept:SSLv3 write server done A
> > > tls_write: want=875, written=875
> > > 0000: 16 03 01 00 4a 02 00 00 46 03 01 3c 38 1d dd cd
> > > ....J...F..<8...
> > > 0010: e3 c0 c4 95 45 87 d1 4a 02 fe ea 22 26 0f 28 e2
> > > ....E..J..."&.(.
> > > 0020: 49 28 9a ea 72 1a bd a4 15 1e ea 20 46 6d 43 61
> I(..r......
> > > FmCa
> > > 0030: 10 89 b1 bb 5c 6e b9 d7 fe fb 3d 4d 79 a3 de 0b
> > > ....\n....=My...
> > > 0040: ca 0a ec 12 7e 61 bc 16 cc 30 98 4f 00 0a 00 16
> > > ....~a...0.O....
> > > 0050: 03 01 03 0e 0b 00 03 0a 00 03 07 00 03 04 30 82
> > > ..............0.
> > > 0060: 03 00 30 82 02 69 a0 03 02 01 02 02 01 00 30 0d
> > > ..0..i........0.
> > > 0070: 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 64 31
> > > ..*.H........0d1
> > > 0080: 0b 30 09 06 03 55 04 06 13 02 55 53 31 12 30 10
> > > .0...U....US1.0.
> > > 0090: 06 03 55 04 0a 13 09 41 61 6c 61 79 61 6e 63 65
> > > ..U....Aalayance
> > > 00a0: 31 1e 30 1c 06 03 55 04 03 13 15 63 68 65 72 69
> > > 1.0...U....cheri
> > > 00b0: 73 68 2e 61 61 6c 61 79 61 6e 63 65 2e 63 6f 6d
> > > sh.aalayance.com
> > > 00c0: 31 21 30 1f 06 09 2a 86 48 86 f7 0d 01 09 01 16
> > > 1!0...*.H.......
> > > 00d0: 12 63 68 61 70 40 61 61 6c 61 79 61 6e 63 65 2e
> > > .chap@aalayance.
> > > 00e0: 63 6f 6d 30 1e 17 0d 30 32 30 31 30 32 32 33 33
> > > com0...020102233
> > > 00f0: 39 35 35 5a 17 0d 30 33 30 31 30 32 32 33 33 39
> > > 955Z..0301022339
> > > 0100: 35 35 5a 30 64 31 0b 30 09 06 03 55 04 06 13 02
> > > 55Z0d1.0...U....
> > > 0110: 55 53 31 12 30 10 06 03 55 04 0a 13 09 41 61 6c
> > > US1.0...U....Aal
> > > 0120: 61 79 61 6e 63 65 31 1e 30 1c 06 03 55 04 03 13
> > > ayance1.0...U...
> > > 0130: 15 63 68 65 72 69 73 68 2e 61 61 6c 61 79 61 6e
> > > .cherish.aalayan
> > > 0140: 63 65 2e 63 6f 6d 31 21 30 1f 06 09 2a 86 48 86
> > > ce.com1!0...*.H.
> > > 0150: f7 0d 01 09 01 16 12 63 68 61 70 40 61 61 6c 61
> > > .......chap@aala
> > > 0160: 79 61 6e 63 65 2e 63 6f 6d 30 81 9f 30 0d 06 09
> > > yance.com0..0...
> > > 0170: 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30
> > > *.H............0
> > > 0180: 81 89 02 81 81 00 c3 60 b0 24 94 87 0a 4e bd 87
> > > .......`.$...N..
> > > 0190: 0d c6 44 16 d0 97 2a e0 32 72 68 c7 35 2e f8 4b
> > > ..D...*.2rh.5..K
> > > 01a0: 1b fd 1f 90 59 ea 92 bd a7 f9 f7 40 9b a5 1c a9
> > > ....Y......@....
> > > 01b0: 6c b9 b0 fc 3e 13 c4 ba 7e 10 62 01 b8 6c d7 9b
> > > l...>...~.b..l..
> > > 01c0: c3 c0 48 a9 f1 24 54 6a 4b 76 73 4e 20 38 81 b0
> ..H..$TjKvsN
> > > 8..
> > > 01d0: 07 39 f6 d4 6f 09 4d 28 40 7f db f4 cf f2 14 05
> > > .9..o.M(@.......
> > > 01e0: 29 1b 63 4d 98 5d ca a5 d3 30 5c 86 ad a8 f0
> > > ).cM.]...0\....5
> > > 01f0: 54 ee a9 59 53 d2 42 72 fe 67 04 05 46 cf e8 54
> > > T..YS.Br.g..F..T
> > > 0200: e2 04 bc aa 3f d5 02 03 01 00 01 a3 81 c1 30 81
> > > ....?.........0.
> > > 0210: be 30 1d 06 03 55 1d 0e 04 16 04 14 38 b3 c8 cb
> > > .0...U......8...
> > > 0220: ad 7d c5 1c 70 81 2b 59 71 15 a4 e8 09 0c a1 8a
> > > .}..p.+Yq.......
> > > 0230: 30 81 8e 06 03 55 1d 23 04 81 86 30 81 83 80 14
> > > 0....U.#...0....
> > > 0240: 38 b3 c8 cb ad 7d c5 1c 70 81 2b 59 71 15 a4 e8
> > > 8....}..p.+Yq...
> > > 0250: 09 0c a1 8a a1 68 a4 66 30 64 31 0b 30 09 06 03
> > > .....h.f0d1.0...
> > > 0260: 55 04 06 13 02 55 53 31 12 30 10 06 03 55 04 0a
> > > U....US1.0...U..
> > > 0270: 13 09 41 61 6c 61 79 61 6e 63 65 31 1e 30 1c 06
> > > ..Aalayance1.0..
> > > 0280: 03 55 04 03 13 15 63 68 65 72 69 73 68 2e 61 61
> > > .U....cherish.aa
> > > 0290: 6c 61 79 61 6e 63 65 2e 63 6f 6d 31 21 30 1f 06
> > > layance.com1!0..
> > > 02a0: 09 2a 86 48 86 f7 0d 01 09 01 16 12 63 68 61 70
> > > .*.H........chap
> > > 02b0: 40 61 61 6c 61 79 61 6e 63 65 2e 63 6f 6d 82 01
> > > @aalayance.com..
> > > 02c0: 00 30 0c 06 03 55 1d 13 04 05 30 03 01 01 ff 30
> > > .0...U....0....0
> > > 02d0: 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 03 81
> > > ...*.H..........
> > > 02e0: 81 00 b7 ca 5d f5 19 73 23 8a be 37 70 27 72 d2
> > > ....]..s#..7p'r.
> > > 02f0: fc 27 a3 a0 3f 53 ec bd c4 e3 73 5b c4 be 90 a6
> > > .'..?S....s[....
> > > 0300: 2c 9b 04 89 c5 44 77 f4 b8 80 95 8f eb b0 ca dc
> > > ,....Dw.........
> > > 0310: b1 79 c3 28 67 69 0a 37 fb 0f 08 b3 b1 06 88 4d
> > > .y.(gi.7.......M
> > > 0320: 44 a8 59 a6 5e 31 79 2b 80 2b 2a 9c 66 ba 1f a9
> > > D.Y.^1y+.+*.f...
> > > 0330: d0 87 06 23 41 3e 34 60 61 7a 0e d1 9b c9 ba ef
> > > ...#A>4`az......
> > > 0340: 0e 4e f5 c8 52 96 82 80 04 6a 5a cf af 9b 16 78
> > > .N..R....jZ....x
> > > 0350: 48 4d 59 a0 64 cb 51 5c cd c4 d7 b5 33 6d 71 ee
> > > HMY.d.Q\....3mq.
> > > 0360: de ef 16 03 01 00 04 0e 00 00 00
> ...........
> > > TLS trace: SSL_accept:SSLv3 flush data
> > > tls_read: want=5 error=Resource temporarily unavailable
> > > TLS trace: SSL_accept:error in SSLv3 read client certificate A
> > > TLS trace: SSL_accept:error in SSLv3 read client certificate A
> > > daemon: select: listen=6 active_threads=0 tvp=NULL
> > > daemon: select: listen=7 active_threads=0 tvp=NULL
> > > daemon: activity on 1 descriptors
> > > daemon: activity on: 10r
> > > daemon: read activity on 10
> > > connection_get(10)
> > > connection_get(10): got connid=0
> > > connection_read(10): checking for input on id=0
> > > tls_read: want=5, got=5
> > > 0000: 16 03 01 00 86 .....
> > > tls_read: want=134, got=134
> > > 0000: 10 00 00 82 00 80 9d 7f 0f 7c 68 77 f5 dc 25 11
> > > .........|hw..%.
> > > 0010: 67 85 b9 c9 af e1 86 f3 0d e8 01 de 62 81 c1 0f
> > > g...........b...
> > > 0020: bf c3 c6 46 d9 d2 6a 57 fa 44 6a 39 e9 e7 5a 82
> > > ...F..jW.Dj9..Z.
> > > 0030: bb 6e 26 bf 38 4e ba 1c 6c 93 69 45 b4 df ed 97
> > > .n&.8N..l.iE....
> > > 0040: b8 b7 5d 99 cf 33 d7 ab 7b a5 ca f9 59 49 a7 95
> > > ..]..3..{...YI..
> > > 0050: e3 26 72 40 1b 1a b0 4b 83 72 cd 97 b7 9a b2 6c
> > > .&r@...K.r.....l
> > > 0060: b7 3c 12 94 af 80 e0 38 7d 03 95 98 57 98 04 46
> > > .<.....8}...W..F
> > > 0070: 93 b7 93 9c 9b 57 f0 b8 62 45 6f a6 0e bd b4 63
> > > .....W..bEo....c
> > > 0080: b3 a4 6c ba 52 81 ..l.R.
> > > TLS trace: SSL_accept:SSLv3 read client key exchange A
> > > tls_read: want=5, got=5
> > > 0000: 14 03 01 00 01 .....
> > > tls_read: want=1, got=1
> > > 0000: 01 .
> > > tls_read: want=5, got=5
> > > 0000: 16 03 01 00 28 ....(
> > > tls_read: want=40, got=40
> > > 0000: 47 d9 a3 21 e4 15 4e 2f 0e 27 d9 d3 21 1a 8d c0
> > > G..!..N/.'..!...
> > > 0010: 44 26 0b 84 8f 28 84 aa 3b 5a 33 4f 12 b7 73 e8
> > > D&...(..;Z3O..s.
> > > 0020: 1f 7c 20 d7 8e 04 cb 3f .| ....?
> > > TLS trace: SSL_accept:SSLv3 read finished A
> > > TLS trace: SSL_accept:SSLv3 write change cipher spec A
> > > TLS trace: SSL_accept:SSLv3 write finished A
> > > tls_write: want=51, written=51
> > > 0000: 14 03 01 00 01 01 16 03 01 00 28 c3 b2 49 93 b8
> > > ..........(..I..
> > > 0010: 91 05 2c e4 74 ec 7b 28 bd 93 7c dd d4 1d 88 24
> > > ..,.t.{(..|....$
> > > 0020: c3 5d 4c 6b 90 ba 3f 5b 3a 52 37 0b 60 ca 05 ff
> > > .]Lk..?[:R7.`...
> > > 0030: 3d f6 98 =..
> > > TLS trace: SSL_accept:SSLv3 flush data
> > > daemon: select: listen=6 active_threads=0 tvp=NULL
> > > daemon: select: listen=7 active_threads=0 tvp=NULL
> > > daemon: activity on 1 descriptors
> > > daemon: activity on: 10r
> > > daemon: read activity on 10
> > > connection_get(10)
> > > connection_get(10): got connid=0
> > > connection_read(10): checking for input on id=0
> > > ber_get_next
> > > tls_read: want=5, got=0
> > >
> > > ldap_read: want=1, got=0
> > >
> > > ber_get_next on fd 10 failed errno=0 (Success)
> > > connection_read(10): input error=-2 id=0, closing.
> > > connection_closing: readying conn=0 sd=10 for close
> > > connection_close: conn=0 sd=10
> > > daemon: removing 10
> > > conn=-1 fd=10 closed
> > >
> > > Thanks in advance
> > > prasad
> > >
> >
> > --
> > James Bourne, Supervisor Data Centre Operations
> > Mount Royal College, Calgary, AB, CA
> > www.mtroyal.ab.ca
> >
> >
> ************************************************************************
> ******
> > This communication is intended for the use of the recipient to which
> it is
> > addressed, and may contain confidential, personal, and or privileged
> > information. Please contact the sender immediately if you are not the
> > intended recipient of this communication, and do not copy, distribute,
> or
> > take action relying on it. Any communication received in error, or
> > subsequent reply, should be deleted or destroyed.
> >
> ************************************************************************
> ******
> >
> >
>
--
James Bourne, Supervisor Data Centre Operations
Mount Royal College, Calgary, AB, CA
www.mtroyal.ab.ca
******************************************************************************
This communication is intended for the use of the recipient to which it is
addressed, and may contain confidential, personal, and or privileged
information. Please contact the sender immediately if you are not the
intended recipient of this communication, and do not copy, distribute, or
take action relying on it. Any communication received in error, or
subsequent reply, should be deleted or destroyed.
******************************************************************************