RE: ldapsearch TLS error
Thanks for the input, but I modified the /etc/ldap.conf file to match my dn
before I first started ldap on the machine. When I first got the error, I
tried adjusting the TLS settings in the same file and still no luck. I think
this is an issue with upgrading the OpenLDAP version on RH72 and somehow
breaking the dependencies with OpenSSL.
I got the same error on a different machine when I installed the latest PHP
tar file, and set up a web page driven by PHP with a MySQL backend.
But, on a brighter note, I think I will just stick with the version of RH's
OpenLDAP rpm that I know works (2.0.11), and eventually get around to
testing a more recent version.
Thanks -- John
>
> Since you are using "ldapsearch -H ldap:///" then the search defaults to
> contacting "localhost." You should change /etc/ldap.conf and specify
> "blah.blah.com" if that's what you want for your default lookups. The
> hostname specified by the ldap client must exactly match the hostname
> in the server's certificate. You can add aliases (with wildcards) in a
> cert for a server that is multi-homed or other reasons, but one of the
> names must match the name that the client used.
>
> -- Howard Chu
> Chief Architect, Symas Corp. Director, Highland Sun
> http://www.symas.com http://highlandsun.com/hyc
> Symas: Premier OpenSource Development and Support
>
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of John Green
> > Sent: Thursday, April 18, 2002 2:35 PM
> > To: openldap-software (E-mail)
> > Subject: ldapsearch TLS error
> >
> >
> > I'm using RH72. I'm getting the error "ldap_start_tls: connect
> > error." From the debug output (below) it seems TLS believes my FQDN is
> > localhost. Using the RH rpm's, 2.0.11 works fine, but when upgrading
> > the rpm's to 2.0.21 on a clean install and then configuring the
> > machine, this springs up. I've created a certificate, and pointed
> > slapd.conf to it. Can anyone direct me to what other file(s) would
> > control this? I've tried searching the RH website, OpenLDAP website,
> > Openssl website, and Google, and I've found information, but I haven't
> > found any fixes.
> >
> > Thanks -- John
> >
> > ldapsearch -H ldap:/// -p 389 -x -b "" -s base -d 127 -LLL -ZZ
> > supportedSASLMechanisms
> >
> > //snip// domain name changed to protect the innocent
> >
> > TLS trace: SSL_connect:SSLv3 read server done A
> > TLS trace: SSL_connect:SSLv3 write client key exchange A
> > TLS trace: SSL_connect:SSLv3 write change cipher spec A
> > TLS trace: SSL_connect:SSLv3 write finished A
> > tls_write: want=190, written=190
> > TLS trace: SSL_connect:SSLv3 flush data
> > tls_read: want=5, got=5
> > 0000: 14 03 01 00 01 .....
> > tls_read: want=1, got=1
> > 0000: 01 .
> > tls_read: want=5, got=5
> > 0000: 16 03 01 00 28 ....(
> > tls_read: want=40, got=40
> > TLS trace: SSL_connect:SSLv3 read finished A
> > TLS: hostname (localhost) does not match common name in certificate
> > (blah.blah.com.).
> > ldap_perror
> > ldap_start_tls: Connect error
>
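The check Howard describes above, as an added example that is not part of this thread or of OpenLDAP's code: a small hostname matcher over the names a client would read from a server certificate (the CN, plus any subjectAltName DNS entries, which this example assumes take precedence over the CN), applied to the names from the thread. Treating a trailing dot in a name as insignificant and allowing a wildcard only as the whole left-most label are assumptions of this example.

```python
"""Hostname-vs-certificate matching of the kind a TLS client performs.

Added example, not OpenLDAP code. A certificate is represented as a
constructed dict holding the names a client reads from it.
"""


def _normalize(name: str) -> str:
    # Assumption of this example: case and a trailing dot are insignificant,
    # so "blah.blah.com." (as printed in the thread's log) equals "blah.blah.com".
    return name.lower().rstrip(".")


def label_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (possibly with a left-most '*') against hostname."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Only a whole left-most label may be a wildcard and it covers one label,
    # so "*.blah.com" matches "ldap.blah.com" but not "a.b.blah.com" or "blah.com".
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """True if hostname matches a SAN DNS name, or the CN when the cert has no SAN DNS names."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    names = sans if sans else [cert.get("commonName", "")]
    return any(label_matches(n, hostname) for n in names)


def diagnose(cert: dict, hostname: str) -> str:
    """Produce a message in the shape of the ldapsearch -d output quoted in the thread."""
    if cert_matches_hostname(cert, hostname):
        return "TLS: hostname (%s) matches certificate" % hostname
    return "TLS: hostname (%s) does not match common name in certificate (%s)." % (
        hostname, cert.get("commonName"))


# Constructed samples: the thread's certificate (CN only), and a multi-homed
# variant carrying the CN plus a wildcard alias in subjectAltName.
THREAD_CERT = {"commonName": "blah.blah.com."}
MULTIHOMED_CERT = {"commonName": "blah.blah.com",
                   "subjectAltName": (("DNS", "blah.blah.com"), ("DNS", "*.blah.com"))}

if __name__ == "__main__":
    # "ldapsearch -H ldap:///" connects to localhost, which the CN does not cover.
    print(diagnose(THREAD_CERT, "localhost"))
    print(diagnose(THREAD_CERT, "blah.blah.com"))
    print(diagnose(MULTIHOMED_CERT, "ldap.blah.com"))
```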