
problem with SSL/TLS on Solaris 9 (sparc)



Hi and thanks for the answer.

> some pretty good instructions at
http://www.bolthole.com/solaris/LDAP.html.
Yeah, I know this URL, I've read it before. I find it a bit confusing (well, a
lot actually).
I didn't succeed in coming to the right result while following the steps.

> ssl start_tls
> ssl on
Should I use both? AFAIU "ssl on" is for connecting via tcp/636, while "ssl
start_tls" is for tcp/389 connections.

> And also don't run ldaps - the newer versions will negotiate SSL/TLS over
> the standard port 389 - and actually will break if you try ldaps.
I tried both configurations of client/server - with ldaps and without it. I
have the same error doing ldapsearch -ZZ.

ldapsearch -v -x -ZZ -d 2 -b 'dc=orcsoftware,dc=com' '(objectclass=*)'
[skipped]
  0600:  12 bb 5d d4 94 4c c1 bb  f3 d7 72 ae 38 2d 2d c4   ..]..L....r.8--.
  0610:  40 0c 93 1d 20 39 62 ac  7f 0f 55 a7 09 7c 93 75   @... 9b...U..|.u
TLS certificate verification: Error, self signed certificate in certificate chain
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS: can't connect.
ldap_start_tls: Connect error (91)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The certificate is generated according to the URL's instructions. While doing
ldapsearch it's downloaded to the client. And... error.

In slapd.log I can see (slapd.conf loglevel -1)

om IP=127.0.0.1:34091 (IP=0.0.0.0:389)
May 22 10:35:33 er slapd[24731]: [ID 732783 local4.debug] daemon: added 13r
May 22 10:35:33 er slapd[24731]: [ID 802679 local4.debug] daemon: activity on:
May 22 10:35:33 er slapd[24731]: [ID 100000 local4.debug]
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=6 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=9 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 454241 local4.debug] daemon: activity on 1 descriptors
May 22 10:35:33 er slapd[24731]: [ID 802679 local4.debug] daemon: activity on:
May 22 10:35:33 er slapd[24731]: [ID 522297 local4.debug]  13r
May 22 10:35:33 er slapd[24731]: [ID 100000 local4.debug]
May 22 10:35:33 er slapd[24731]: [ID 694296 local4.debug] daemon: read activity on 13
May 22 10:35:33 er slapd[24731]: [ID 525477 local4.debug] connection_get(13)
May 22 10:35:33 er slapd[24731]: [ID 611214 local4.debug] connection_get(13): got connid=1
May 22 10:35:33 er slapd[24731]: [ID 138202 local4.debug] connection_read(13): checking for input on id=1
May 22 10:35:33 er slapd[24731]: [ID 812316 local4.debug] ber_get_next on fd 13 failed errno=11 (Resource temporarily unavailable)
May 22 10:35:33 er slapd[24731]: [ID 147496 local4.debug] do_extended
May 22 10:35:33 er slapd[24731]: [ID 979271 local4.debug] do_extended: oid=1.3.6.1.4.1.1466.20037
May 22 10:35:33 er slapd[24731]: [ID 695693 local4.debug] send_ldap_extended: err=0 oid= len=0
May 22 10:35:33 er slapd[24731]: [ID 324658 local4.debug] send_ldap_response: msgid=1 tag=120 err=0
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=6 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=9 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 454241 local4.debug] daemon: activity on 1 descriptors
May 22 10:35:33 er slapd[24731]: [ID 802679 local4.debug] daemon: activity on:
May 22 10:35:33 er slapd[24731]: [ID 522297 local4.debug]  13r
May 22 10:35:33 er slapd[24731]: [ID 100000 local4.debug]
May 22 10:35:33 er slapd[24731]: [ID 694296 local4.debug] daemon: read activity on 13
May 22 10:35:33 er slapd[24731]: [ID 525477 local4.debug] connection_get(13)
May 22 10:35:33 er slapd[24731]: [ID 611214 local4.debug] connection_get(13): got connid=1
May 22 10:35:33 er slapd[24731]: [ID 138202 local4.debug] connection_read(13): checking for input on id=1
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=6 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=9 active_threads=0 tvp=NULL
May 22 10:35:34 er slapd[24731]: [ID 454241 local4.debug] daemon: activity on 1 descriptors
May 22 10:35:34 er slapd[24731]: [ID 802679 local4.debug] daemon: activity on:
May 22 10:35:34 er slapd[24731]: [ID 522297 local4.debug]  13r
May 22 10:35:34 er slapd[24731]: [ID 100000 local4.debug]
May 22 10:35:34 er slapd[24731]: [ID 694296 local4.debug] daemon: read activity on 13
May 22 10:35:34 er slapd[24731]: [ID 525477 local4.debug] connection_get(13)
May 22 10:35:34 er slapd[24731]: [ID 611214 local4.debug] connection_get(13): got connid=1
May 22 10:35:34 er slapd[24731]: [ID 138202 local4.debug] connection_read(13): checking for input on id=1
May 22 10:35:34 er slapd[24731]: [ID 733216 local4.debug] connection_read(13): TLS accept error error=-1 id=1, closing
May 22 10:35:34 er slapd[24731]: [ID 734893 local4.debug] connection_closing: readying conn=1 sd=13 for close
May 22 10:35:34 er slapd[24731]: [ID 330685 local4.debug] connection_close: conn=1 sd=13
May 22 10:35:34 er slapd[24731]: [ID 423323 local4.debug] daemon: removing 13
May 22 10:35:34 er slapd[24731]: [ID 850449 local4.debug] conn=1 fd=13 closed
May 22 10:35:34 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=6 active_threads=0 tvp=NULL
May 22 10:35:34 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=0 tvp=NULL
May 22 10:35:34 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=0 tvp=NULL
May 22 10:35:34 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=9 active_threads=0 tvp=NULL
May 22 10:35:34 er slapd[24731]: [ID 454241 local4.debug] daemon: activity on 1 descriptors
May 22 10:35:34 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=6 active_threads=0 tvp=NULL
May 22 10:35:34 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=0 tvp=NULL
May 22 10:35:34 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=0 tvp=NULL
May 22 10:35:34 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=9 active_threads=0 tvp=NULL

I have the following lines regarding SSL/TLS in my client and server conf
files:

# ldap.conf
host                    127.0.0.1
base                    dc=orcsoftware,dc=com
uri                     ldap://127.0.0.1/
scope                   sub
pam_filter              objectclass=posixAccount
pam_login_attribute     uid
pam_groupdn             cn=orc,ou=Group,dc=orcsoftware,dc=com
pam_member_attribute    gidNumber
nss_base_passwd         ou=People,dc=orcsoftware,dc=com?one
nss_base_group          ou=Group,dc=orcsoftware,dc=com?one
ssl                     start_tls

# slapd.conf
TLSCipherSuite          HIGH:MEDIUM:+SSLv3
TLSCertificateFile      /usr/local/etc/openldap/ldapcert.pem
TLSCertificateKeyFile   /usr/local/etc/openldap/ldapkey.pem
TLSCACertificateFile    /usr/local/etc/openldap/demoCA/cacert.pem

> Also since you have the padl modules, make sure the sun ldap client daemon
> is disabled and the sun /var/ldap config files aren't active.
When I do ldapsearch, PAM is not involved in the process, is it?

What about this line in the slapd.conf file:
# security ssf=1 update_ssf=112 simple_bind=64
If I uncomment and customize it, can it help?

>
>
> -----Original Message-----
> From: Alexei Monastyrnyi [mailto:alexeim@orcsoftware.com]
> Sent: Wednesday, May 21, 2003 6:17 AM
> To: Lawrence, Mike (White Plains)
> Subject: Re: userPassword - if it's stored in {crypt} format, how do you
> make ldappasswd keep it that way when a user changes it?
>
>
> Hi Mike.
> You wrote
> > I am also using SSL/TLS with
> > the pam padl and nss ldap modules.
>
> I have a problem configuring my LDAP client and LDAP server for SSL/TLS
> connection.
> I'm running it on a Solaris 9 box.
> OpenLDAP 2.1.17
> OpenSSL 0.9.7b
> OpenSSH 3.6.1p1
> pam_ldap-161
> nss_ldap-205
>
> How do I make the server accept SSL/TLS connections and make the client
> connect via SSL/TLS?
>
> Thanks a lot in advance for your time.
>
> Alexei.
>
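An added example, not code from the poster or from OpenLDAP: it decodes the seven bytes `15 03 01 00 02 02 30` that ldapsearch wrote right after "certificate verify failed" (a fatal TLS alert, which is what slapd then logs as "TLS accept error"), and checks an ldap.conf for a CA-trust directive, since the client config above requests start_tls but names no CA to verify the server's self-signed chain against. The alert values come from RFC 2246; the directive names (`TLS_CACERT`/`TLS_CACERTDIR` in OpenLDAP's ldap.conf, which ldapsearch reads, and `tls_cacertfile`/`tls_cacertdir` in pam_ldap/nss_ldap's) are taken from those tools' documentation, not from the post.

```python
import re
# Constructed from the "tls_write: want=7" hexdump line in the post.
TLS_WRITE_DUMP = "  0000:  15 03 01 00 02 02 30                               ......0"
# Constructed copy of the client ldap.conf from the post: it asks for
# start_tls but names no CA certificate to verify the server against.
LDAP_CONF = """\
host    127.0.0.1
uri     ldap://127.0.0.1/
ssl     start_tls
"""
# TLS AlertDescription values (RFC 2246), certificate-related subset.
ALERTS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
          44: "certificate_revoked", 45: "certificate_expired",
          46: "certificate_unknown", 48: "unknown_ca"}
# CA trust directives: OpenLDAP ldap.conf (TLS_CACERT*) and pam_ldap/nss_ldap (tls_cacert*).
CA_DIRECTIVES = ("tls_cacert", "tls_cacertdir", "tls_cacertfile")

def parse_hexdump(line: str) -> bytes:
    """Bytes from one ldapsearch -d hexdump line (offset and ASCII column dropped)."""
    m = re.match(r"\s*[0-9a-f]+:\s+((?:[0-9a-f]{2} {0,2})+)", line, re.I)
    if not m: raise ValueError("not a hexdump line")
    return bytes.fromhex(m.group(1).replace(" ", ""))

def decode_tls_record(data: bytes) -> dict:
    """Parse a TLS record header; for an alert, name its level and description."""
    if len(data) < 5: raise ValueError("short record")
    length = int.from_bytes(data[3:5], "big")
    body = data[5:5 + length]
    rec = {"type": data[0], "version": f"{data[1]}.{data[2]}", "length": length}
    if data[0] == 0x15 and len(body) == 2:  # content type 21 = alert
        rec["level"] = "fatal" if body[0] == 2 else "warning"
        rec["description"] = ALERTS.get(body[1], f"unknown({body[1]})")
    return rec

def find_ca_trust(conf: str) -> dict:
    """Collect CA-trust directives and the ssl mode from an ldap.conf text."""
    found, ssl_mode = {}, None
    for raw in conf.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key in CA_DIRECTIVES:
            found[key] = value
        elif key == "ssl":
            ssl_mode = value
    return {"ca": found, "ssl": ssl_mode}

def diagnose(dump_line: str, conf: str) -> str:
    """Relate the alert the client sent to what its ldap.conf lets it verify."""
    rec, trust = decode_tls_record(parse_hexdump(dump_line)), find_ca_trust(conf)
    if rec.get("description") == "unknown_ca" and not trust["ca"]:
        return "fatal unknown_ca sent; no CA directive, so the signing CA is untrusted"
    return f"{rec.get('level', 'no')} alert: {rec.get('description', 'none')}"
```

Running `diagnose(TLS_WRITE_DUMP, LDAP_CONF)` on the post's values reports the untrusted-CA case; adding a `TLS_CACERT` line pointing at the server's cacert.pem changes the config result, which is the check to make before turning `TLS_REQCERT` down.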