How was the CA generated? The errors in the log seem to indicate a bad CA cert...
You can use both the FQDN and the IP:
the IP can be used in subjectAltName.
-----Original Message-----
From: charlie derr [mailto:cderr@simons-rock.edu]
Sent: Thursday, June 13, 2002 9:36 AM
To: openldap-software@OpenLDAP.org
Cc: Benoit LEROYER
Subject: Re: LDAP ssl over PHP
I'm bouncing this back to the list because there are people lots smarter
than me there.
My hunch is that you haven't correctly generated your slapd certificate
(but I'm not sure of that). The fact that
ldapsearch -x -H 'ldaps://localhost/' -b 'uid=100000, ou=company, dc=domain, dc=com' -D 'uid=100000, ou=company, dc=mydomain, dc=com' -W
works for you leads me to believe that you've applied the name
"localhost" to your certificate. I'm pretty sure that you need to give
a fully qualified domain name to the certificate instead (though I
suppose it's possible to give an IP address instead if an FQDN isn't an
option -- hopefully someone else can confirm/deny this). Though there's
probably enough information here for an expert to solve this one, I have
found ssldump to be a great help in troubleshooting my own problems.
You may want to install that in order to provide more information.
good luck,
~c
Benoit LEROYER wrote:
>
> Thanks for your help
>
> I've installed openssl, openldap, php4.2.1
> I've compiled openldap with --with-tls
> I've compiled php with with-apache=../apache_1.3.24 with-ldap with-openssl
>
> I still have the same problem (the log of the slapd process with -d9 looks like this):
>
> daemon: activity on 1 descriptors
> daemon: new connection on 10
> daemon: added 10r
> daemon: activity on:
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptors
> daemon: activity on: 10r
> daemon: read activity on 10
> connection_get(10): got connid=24
> connection_read(10): checking for input on id=24
> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write server done A
> TLS trace: SSL_accept:SSLv3 flush data
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptors
> daemon: activity on: 10r
> daemon: read activity on 10
> connection_get(10): got connid=24
> connection_read(10): checking for input on id=24
> TLS trace: SSL3 alert read:fatal:unknown CA
> TLS trace: SSL_accept:failed in SSLv3 read client certificate A
> TLS: can't accept.
> TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> s3_pkt.c:985
> connection_read(10): TLS accept error error=-1 id=24, closing
> connection_closing: readying conn=24 sd=10 for close
> connection_close: conn=24 sd=10
> daemon: removing 10
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptors
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
>
> Thanks for your help
>
> charlie derr wrote:
>
> > You will need to rebuild php and add --with-openssl to the ./configure
> > command in order to get this to work. Obviously, you must also have all
> > the openssl source installed too.
> >
> > If you are on Debian woody, I have some notes on how to do this using
> > Debian tools (apt-get source and dpkg-buildpackage). Let me know if
> > you'd like me to send you a copy of what I've written up.
> >
> > ~c
> >
> > Informations wrote:
> >
> >>I have a problem when I use PHP to bind to my LDAP directory over SSL.
> >>
> >>If I use the shell command
> >>ldapsearch -x -H 'ldaps://localhost/' -b 'uid=100000, ou=company, dc=domain, dc=com' -D 'uid=100000, ou=company, dc=mydomain, dc=com' -W
> >>I get a good result.
> >>
> >>My script looks like this:
> >>
> >>$server = "ldap://localhost" ;
> >>$ds=ldap_connect($server);
> >>$dn = "uid=100000, ou=company, dc=domain, dc=com";
> >>$value = "password";
> >>
> >>$result=@ldap_bind($ds,$dn,$value);
> >>$dn = "ou=company, dc=domain, dc=com";
> >>$filtre = "(cn=*DUPONT*)";
> >>$sr = ldap_search($ds, $dn, $filtre);
> >>$info = ldap_get_entries($ds, $sr);
> >>
> >>for ($i=0; $i < $info["count"]; $i++) {
> >> print "UID: ".$info[$i]["urn"][0]."<br /><br />";
> >> }
> >>
> >> ldap_close($ds);
> >>
> >>I get a result, but if I change $server = "ldap://localhost" to
> >>"ldaps://localhost" I get the error message "Can't contact LDAP server".
> >>
> >>Thanks for your help
> >>
> >
>
> --
> ------------------------------------------
> Benoit LEROYER - G.I.D.E (benoit@gide.net)
> Tél : 02.40.89.92.87
> Web : http://www.gide.net
> ------------------------------------------
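The thread boils down to two things the server certificate has to get right: it must be signed by a CA the client trusts, and it must carry the name the client connects to (an FQDN, or an IP address in subjectAltName). The script below is an added example, not code from anyone in the thread: it builds a throwaway private CA with openssl, issues a slapd server certificate whose subjectAltName lists both a DNS name and an IP, and then runs the same chain check a client performs before it would otherwise send the "unknown CA" alert seen in the slapd trace. The hostname ldap.example.com and the address 192.0.2.10 are placeholder assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): private CA + slapd server certificate
# with subjectAltName = DNS:<fqdn>, IP:<ip>, followed by a chain check.
# Hostname, IP and output directory are assumptions for illustration.
set -e

make_ldap_certs() {
    dir="$1"     # output directory (assumed writable)
    fqdn="$2"    # assumed, e.g. ldap.example.com
    ip="$3"      # assumed, e.g. 192.0.2.10
    mkdir -p "$dir"

    # 1. Private CA. This is the certificate the *clients* must trust
    #    (TLS_CACERT in ldap.conf for ldapsearch and PHP's libldap).
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private LDAP CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -config "$dir/ca.cnf" 2>/dev/null

    # 2. Server CSR. CN is the FQDN, and SAN lists the FQDN *and* the IP so
    #    that ldaps://<fqdn>/ and ldaps://<ip>/ both match the certificate.
    cat > "$dir/server.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_server
prompt = no
[dn]
CN = $fqdn
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn, IP:$ip
EOF
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -config "$dir/server.cnf" 2>/dev/null

    # 3. Sign with the CA. Extensions in a CSR are NOT copied into the
    #    certificate unless -extfile/-extensions names them explicitly.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -out "$dir/server.crt" \
        -extfile "$dir/server.cnf" -extensions v3_server 2>/dev/null
}

# Chain check: prints "ok" only if server.crt chains to ca.crt. A client that
# cannot do this is exactly the one that answers the server hello with the
# fatal "unknown CA" alert.
check_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1 \
        && echo ok || echo fail
}

# SAN check: prints the subjectAltName entries, whitespace stripped, so you
# can confirm both the DNS name and the IP made it into the certificate.
show_san() {
    openssl x509 -in "$1/server.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Usage (paths and names are assumptions):
#   make_ldap_certs /tmp/ldap-pki ldap.example.com 192.0.2.10
#   check_chain /tmp/ldap-pki      # -> ok
#   show_san /tmp/ldap-pki         # -> DNS:ldap.example.com,IPAddress:192.0.2.10
```

Once the files exist, point slapd at server.crt/server.key (TLSCertificateFile and TLSCertificateKeyFile in slapd.conf) and point every client at ca.crt via TLS_CACERT in ldap.conf. The PHP ldap extension goes through the same libldap as ldapsearch, so it reads the same ldap.conf, but it does so as the web server's user, which must be able to read that file and the CA certificate.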