RE: Diagnosing client problem using SSL/TLS
On 24 Oct 2002 at 1:04, Howard Chu wrote:
> Rerun the search with "-d7" and look at the TLS trace messages.
I've done that, and sent it to the list as an attachment.
I'm not sure what I'm looking at, though. From what I can tell, the
SSL connection is set up as expected. The key verification still
takes place, despite the TLS_REQCERT setting.
I did a comparison with a successful ldapsearch using OpenLDAP
2.0.23.
Certificate verification aside, everything else seems to be the same
up until immediately after ldap_chkResponseList returns NULL.
With 2.0.23, the next line is do_ldap_select:
do_ldap_select
read1msg: msgid 1, all 1
ber_get_next
tls_read: want=5, got=5
With 2.1.8, the next line is ldap_int_select:
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
tls_read: want=5, got=0
Is something broken in ldap_int_select, or is do_ldap_select meant to
be called? What else should I be looking at?
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Nels Lindquist
>
> > I've been trying to upgrade my OpenLDAP installation in order to
> > resolve some problems I've been having with SASL authentication.
> >
> > My current difficulties seem to stem from the OpenLDAP libraries,
> > though, so I'm posting to this list rather than Cyrus-SASL.
> >
> > I upgraded to OpenLDAP v2.1.5 from v2.0.23, and then to v2.1.8.
> >
> > Without making any changes to configuration files, I got the
> > following error (with ldapsearch):
> >
> > > ldap_bind: Can't contact LDAP server (81) additional info:
> > > error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> > > verify failed
> >
> > Checking the man page revealed new options for dealing with
> > certificate verification.
> >
> > I added the line: "TLS_REQCERT allow" to
> > /usr/local/etc/openldap/ldap.conf, and now I receive the following
> > error:
> >
> > > ldap_bind: Can't contact LDAP server (81)
> >
> > The server (Netware 6 eDirectory) is working fine; I can connect
> > using insecure LDAP from anywhere, and using secure LDAP from a
> > different machine which still has 2.0.23 installed.
> >
> > How should I go about diagnosing this?
----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.
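As an added example (not code from this thread or from OpenLDAP), a small triage script over the two trace fragments quoted above. It flags the point where tls_read asks for the 5-byte TLS record header and receives 0 bytes, which is how the TLS layer reports that the peer closed the connection, and records which select routine the trace showed just before it.

```python
import re
from typing import Optional, Tuple

# A TLS record header is 5 bytes (content type, version, length); the
# client first asks for exactly that many bytes before reading the body.
TLS_RECORD_HEADER_LEN = 5
TLS_READ_RE = re.compile(r"tls_read: want=(\d+), got=(-?\d+)")

# Sample input: the two -d7 fragments quoted in the thread above.
TRACE_2_0_23 = """do_ldap_select
read1msg: msgid 1, all 1
ber_get_next
tls_read: want=5, got=5"""
TRACE_2_1_8 = """ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
tls_read: want=5, got=0"""

def classify_tls_read(want: int, got: int) -> str:
    """Interpret one tls_read line: a read of 0 bytes is EOF from the peer."""
    if got == 0 and want == TLS_RECORD_HEADER_LEN:
        return "peer closed connection before sending a TLS record"
    if got == 0:
        return "peer closed connection mid-record"
    if got < 0:
        return "read error"
    if got < want:
        return "short read, more data expected"
    return "ok"

def first_tls_problem(trace: str) -> Optional[Tuple[str, str]]:
    """Return (verdict, preceding select call) for the first failing tls_read,
    or None when every TLS read in the trace succeeded."""
    select_call = "<unknown>"
    for raw in trace.splitlines():
        line = raw.strip()
        if line in ("do_ldap_select", "ldap_int_select"):
            # The thread shows 2.0.23 logging the former and 2.1.8 the latter
            # at the same point in the exchange; remember whichever we saw.
            select_call = line
        m = TLS_READ_RE.search(line)
        if m:
            verdict = classify_tls_read(int(m.group(1)), int(m.group(2)))
            if verdict != "ok":
                return verdict, select_call
    return None

if __name__ == "__main__":
    for name, trace in (("2.0.23", TRACE_2_0_23), ("2.1.8", TRACE_2_1_8)):
        print(name, first_tls_problem(trace))
```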