
Re: problem with SSL/TLS on Solaris 9 (sparc)



Are you using the ldapsearch that came with solaris or the one that came with openldap? If you use the one that came with solaris you have to point it to where the certificate authority certs are (default is /var/ldap). If you're using the ones from openldap you have to put the certificate authority certs in the same directory as your slapd.conf.

Alexei Monastyrnyi wrote:

Hi and thanks for the answer.



some pretty good instructions at http://www.bolthole.com/solaris/LDAP.html.
Yeah, I know this URL, I've read it before. I find it a bit confusing (well, a
lot actually).
I didn't succeed in coming to the right result while following the steps.



ssl start_tls
ssl on


Should I use both? AFAIU "ssl on" is for connecting via tcp/636, while "ssl
start_tls" is for tcp/389 connections.



And also don't run ldaps - the newer versions will negotiate SSL/TLS over
the standard port 389 - and actually will break if you try ldaps.


I tried both configurations of client/server - with ldaps and without it. I
have the same error doing ldapsearch -ZZ.

ldapsearch -v -x -ZZ -d 2 -b 'dc=orcsoftware,dc=com' '(objectclass=*)'
[skipped]
 0600:  12 bb 5d d4 94 4c c1 bb  f3 d7 72 ae 38 2d 2d c4   ..]..L....r.8--.
 0610:  40 0c 93 1d 20 39 62 ac  7f 0f 55 a7 09 7c 93 75   @... 9b...U..|.u
TLS certificate verification: Error, self signed certificate in certificate chain
tls_write: want=7, written=7
 0000:  15 03 01 00 02 02 30                               ......0
TLS: can't connect.
ldap_start_tls: Connect error (91)
       additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The certificate is generated according to the URL's instructions. While doing
ldapsearch it's downloaded to the client. And... error.

In slapd.log I can see (slapd.conf loglevel -1)

om IP=127.0.0.1:34091 (IP=0.0.0.0:389)
May 22 10:35:33 er slapd[24731]: [ID 732783 local4.debug] daemon: added 13r
May 22 10:35:33 er slapd[24731]: [ID 802679 local4.debug] daemon: activity on:
May 22 10:35:33 er slapd[24731]: [ID 100000 local4.debug]
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=6 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=9 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 454241 local4.debug] daemon: activity on 1 descriptors
May 22 10:35:33 er slapd[24731]: [ID 802679 local4.debug] daemon: activity on:
May 22 10:35:33 er slapd[24731]: [ID 522297 local4.debug]  13r
May 22 10:35:33 er slapd[24731]: [ID 100000 local4.debug]
May 22 10:35:33 er slapd[24731]: [ID 694296 local4.debug] daemon: read activity on 13
May 22 10:35:33 er slapd[24731]: [ID 525477 local4.debug] connection_get(13)
May 22 10:35:33 er slapd[24731]: [ID 611214 local4.debug] connection_get(13): got connid=1
May 22 10:35:33 er slapd[24731]: [ID 138202 local4.debug] connection_read(13): checking for input on id=1
May 22 10:35:33 er slapd[24731]: [ID 812316 local4.debug] ber_get_next on fd 13 failed errno=11 (Resource temporarily unavailable)
May 22 10:35:33 er slapd[24731]: [ID 147496 local4.debug] do_extended
May 22 10:35:33 er slapd[24731]: [ID 979271 local4.debug] do_extended: oid=1.3.6.1.4.1.1466.20037
May 22 10:35:33 er slapd[24731]: [ID 695693 local4.debug] send_ldap_extended: err=0 oid= len=0
May 22 10:35:33 er slapd[24731]: [ID 324658 local4.debug] send_ldap_response: msgid=1 tag=120 err=0
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=6 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=9 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 454241 local4.debug] daemon: activity on 1 descriptors
May 22 10:35:33 er slapd[24731]: [ID 802679 local4.debug] daemon: activity on:
May 22 10:35:33 er slapd[24731]: [ID 522297 local4.debug]  13r
May 22 10:35:33 er slapd[24731]: [ID 100000 local4.debug]
May 22 10:35:33 er slapd[24731]: [ID 694296 local4.debug] daemon: read activity on 13
May 22 10:35:33 er slapd[24731]: [ID 525477 local4.debug] connection_get(13)
May 22 10:35:33 er slapd[24731]: [ID 611214 local4.debug] connection_get(13): got connid=1
May 22 10:35:33 er slapd[24731]: [ID 138202 local4.debug] connection_read(13): checking for input on id=1
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=6 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=9 active_threads=0 tvp=NULL
May 22 10:35:34 er slapd[24731]: [ID 454241 local4.debug] daemon: activity on 1 descriptors
May 22 10:35:34 er slapd[24731]: [ID 802679 local4.debug] daemon: activity on:
May 22 10:35:34 er slapd[24731]: [ID 522297 local4.debug]  13r
May 22 10:35:34 er slapd[24731]: [ID 100000 local4.debug]
May 22 10:35:34 er slapd[24731]: [ID 694296 local4.debug] daemon: read activity on 13
May 22 10:35:34 er slapd[24731]: [ID 525477 local4.debug] connection_get(13)
May 22 10:35:34 er slapd[24731]: [ID 611214 local4.debug] connection_get(13): got connid=1
May 22 10:35:34 er slapd[24731]: [ID 138202 local4.debug] connection_read(13): checking for input on id=1
May 22 10:35:34 er slapd[24731]: [ID 733216 local4.debug] connection_read(13): TLS accept error error=-1 id=1, closing
May 22 10:35:34 er slapd[24731]: [ID 734893 local4.debug] connection_closing: readying conn=1 sd=13 for close
May 22 10:35:34 er slapd[24731]: [ID 330685 local4.debug] connection_close: conn=1 sd=13
May 22 10:35:34 er slapd[24731]: [ID 423323 local4.debug] daemon: removing 13
May 22 10:35:34 er slapd[24731]: [ID 850449 local4.debug] conn=1 fd=13 closed
May 22 10:35:34 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=6 active_threads=0 tvp=NULL
May 22 10:35:34 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=0 tvp=NULL
May 22 10:35:34 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=0 tvp=NULL
May 22 10:35:34 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=9 active_threads=0 tvp=NULL
May 22 10:35:34 er slapd[24731]: [ID 454241 local4.debug] daemon: activity on 1 descriptors
May 22 10:35:34 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=6 active_threads=0 tvp=NULL
May 22 10:35:34 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=0 tvp=NULL
May 22 10:35:34 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=0 tvp=NULL
May 22 10:35:34 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=9 active_threads=0 tvp=NULL

I have the following lines regarding SSL/TLS in my client and server conf
files

# ldap.conf
host                    127.0.0.1
base                    dc=orcsoftware,dc=com
uri                     ldap://127.0.0.1/
scop                    sub
pam_filter              objectclass=posixAccount
pam_login_attribute     uid
pam_groupdn             cn=orc,ou=Group,dc=orcsoftware,dc=com
pam_member_attribute    gidNumber
nss_base_passwd         ou=People,dc=orcsoftware,dc=com?one
nss_base_group          ou=Group,dc=orcsoftware,dc=com?one
ssl                     start_tls

# slapd.conf
TLSCipherSuite          HIGH:MEDIUM:+SSLv3
TLSCertificateFile      /usr/local/etc/openldap/ldapcert.pem
TLSCertificateKeyFile   /usr/local/etc/openldap/ldapkey.pem
TLSCACertificateFile    /usr/local/etc/openldap/demoCA/cacert.pem



Also since you have the padl modules, make sure the sun ldap client daemon
is disabled and the sun /var/ldap config files aren't active.


When I do ldapsearch, PAM is not involved in the process, is it?

What about this line in the slapd.conf file:
# security ssf=1 update_ssf=112 simple_bind=64
If I uncomment and customize it, can it help?



-----Original Message-----
From: Alexei Monastyrnyi [mailto:alexeim@orcsoftware.com]
Sent: Wednesday, May 21, 2003 6:17 AM
To: Lawrence, Mike (White Plains)
Subject: Re: userPassword - if it's stored in {crypt} format, how do you
make ldappasswd keep it that way when a user changes it?


Hi Mike.
You wrote


I am also using SSL/TLS with
the pam padl and nss ldap modules.


I have a problem configuring my LDAP client and LDAP server for an SSL/TLS
connection.
I'm running it on a Solaris 9 box.
OpenLDAP 2.1.17
OpenSSL 0.9.7b
OpenSSH 3.6.1p1
pam_ldap-161
nss_ldap-205

How do I make the server accept SSL/TLS connections and the client connect
via SSL/TLS?

Thanks a lot in advance for your time.

Alexei.