Hi and thanks for the answer.
some pretty good instructions at
http://www.bolthole.com/solaris/LDAP.html.
Yeah, I know this URL, I've read it before. I find it a bit confusing (well, a lot actually).
I didn't succeed in coming to the right result while following the steps.
ssl start_tls
ssl on
Should I use both? AFAIU "ssl on" is for connecting via tcp/636, while "ssl start_tls" is for tcp/389 connections.
And also don't run ldaps - the newer versions will negotiate SSL/TLS over
the standard port 389 - and actually will break if you try ldaps.
I tried both configurations of client/server, with ldaps and without. I get the same error doing ldapsearch -ZZ.
ldapsearch -v -x -ZZ -d 2 -b 'dc=orcsoftware,dc=com' '(objectclass=*)'
[skipped]
0600: 12 bb 5d d4 94 4c c1 bb f3 d7 72 ae 38 2d 2d c4 ..]..L....r.8--.
0610: 40 0c 93 1d 20 39 62 ac 7f 0f 55 a7 09 7c 93 75 @... 9b...U..|.u
TLS certificate verification: Error, self signed certificate in certificate chain
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS: can't connect.
ldap_start_tls: Connect error (91)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
The certificate is generated according to the URL's instructions. While doing ldapsearch it's downloaded to the client. And... error.
In slapd.log I can see (slapd.conf loglevel -1):
om IP=127.0.0.1:34091 (IP=0.0.0.0:389)
May 22 10:35:33 er slapd[24731]: [ID 732783 local4.debug] daemon: added 13r
May 22 10:35:33 er slapd[24731]: [ID 802679 local4.debug] daemon: activity on:
May 22 10:35:33 er slapd[24731]: [ID 100000 local4.debug]
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=6 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=9 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 454241 local4.debug] daemon: activity on 1 descriptors
May 22 10:35:33 er slapd[24731]: [ID 802679 local4.debug] daemon: activity on:
May 22 10:35:33 er slapd[24731]: [ID 522297 local4.debug] 13r
May 22 10:35:33 er slapd[24731]: [ID 100000 local4.debug]
May 22 10:35:33 er slapd[24731]: [ID 694296 local4.debug] daemon: read activity on 13
May 22 10:35:33 er slapd[24731]: [ID 525477 local4.debug] connection_get(13)
May 22 10:35:33 er slapd[24731]: [ID 611214 local4.debug] connection_get(13): got connid=1
May 22 10:35:33 er slapd[24731]: [ID 138202 local4.debug] connection_read(13): checking for input on id=1
May 22 10:35:33 er slapd[24731]: [ID 812316 local4.debug] ber_get_next on fd 13 failed errno=11 (Resource temporarily unavailable)
May 22 10:35:33 er slapd[24731]: [ID 147496 local4.debug] do_extended
May 22 10:35:33 er slapd[24731]: [ID 979271 local4.debug] do_extended: oid=1.3.6.1.4.1.1466.20037
May 22 10:35:33 er slapd[24731]: [ID 695693 local4.debug] send_ldap_extended: err=0 oid= len=0
May 22 10:35:33 er slapd[24731]: [ID 324658 local4.debug] send_ldap_response: msgid=1 tag=120 err=0
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=6 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=9 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 454241 local4.debug] daemon: activity on 1 descriptors
May 22 10:35:33 er slapd[24731]: [ID 802679 local4.debug] daemon: activity on:
May 22 10:35:33 er slapd[24731]: [ID 522297 local4.debug] 13r
May 22 10:35:33 er slapd[24731]: [ID 100000 local4.debug]
May 22 10:35:33 er slapd[24731]: [ID 694296 local4.debug] daemon: read activity on 13
May 22 10:35:33 er slapd[24731]: [ID 525477 local4.debug] connection_get(13)
May 22 10:35:33 er slapd[24731]: [ID 611214 local4.debug] connection_get(13): got connid=1
May 22 10:35:33 er slapd[24731]: [ID 138202 local4.debug] connection_read(13): checking for input on id=1
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=6 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=0 tvp=NULL
May 22 10:35:33 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=9 active_threads=0 tvp=NULL
May 22 10:35:34 er slapd[24731]: [ID 454241 local4.debug] daemon: activity on 1 descriptors
May 22 10:35:34 er slapd[24731]: [ID 802679 local4.debug] daemon: activity on:
May 22 10:35:34 er slapd[24731]: [ID 522297 local4.debug] 13r
May 22 10:35:34 er slapd[24731]: [ID 100000 local4.debug]
May 22 10:35:34 er slapd[24731]: [ID 694296 local4.debug] daemon: read activity on 13
May 22 10:35:34 er slapd[24731]: [ID 525477 local4.debug] connection_get(13)
May 22 10:35:34 er slapd[24731]: [ID 611214 local4.debug] connection_get(13): got connid=1
May 22 10:35:34 er slapd[24731]: [ID 138202 local4.debug] connection_read(13): checking for input on id=1
May 22 10:35:34 er slapd[24731]: [ID 733216 local4.debug] connection_read(13): TLS accept error error=-1 id=1, closing
May 22 10:35:34 er slapd[24731]: [ID 734893 local4.debug] connection_closing: readying conn=1 sd=13 for close
May 22 10:35:34 er slapd[24731]: [ID 330685 local4.debug] connection_close: conn=1 sd=13
May 22 10:35:34 er slapd[24731]: [ID 423323 local4.debug] daemon: removing 13
May 22 10:35:34 er slapd[24731]: [ID 850449 local4.debug] conn=1 fd=13 closed
May 22 10:35:34 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=6 active_threads=0 tvp=NULL
May 22 10:35:34 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=0 tvp=NULL
May 22 10:35:34 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=0 tvp=NULL
May 22 10:35:34 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=9 active_threads=0 tvp=NULL
May 22 10:35:34 er slapd[24731]: [ID 454241 local4.debug] daemon: activity on 1 descriptors
May 22 10:35:34 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=6 active_threads=0 tvp=NULL
May 22 10:35:34 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=0 tvp=NULL
May 22 10:35:34 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=0 tvp=NULL
May 22 10:35:34 er slapd[24731]: [ID 538834 local4.debug] daemon: select: listen=9 active_threads=0 tvp=NULL
I have the following lines regarding SSL/TLS in my client and server conf files:
# ldap.conf
host 127.0.0.1
base dc=orcsoftware,dc=com
uri ldap://127.0.0.1/
scope sub
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_groupdn cn=orc,ou=Group,dc=orcsoftware,dc=com
pam_member_attribute gidNumber
nss_base_passwd ou=People,dc=orcsoftware,dc=com?one
nss_base_group ou=Group,dc=orcsoftware,dc=com?one
ssl start_tls
# slapd.conf
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile /usr/local/etc/openldap/ldapcert.pem
TLSCertificateKeyFile /usr/local/etc/openldap/ldapkey.pem
TLSCACertificateFile /usr/local/etc/openldap/demoCA/cacert.pem
Also since you have the padl modules, make sure the sun ldap client daemon
is disabled and the sun /var/ldap config files aren't active.
When I do ldapsearch, PAM is not involved in the process, is it?
What about this line in the slapd.conf file:
# security ssf=1 update_ssf=112 simple_bind=64
If I uncomment and customize it, can it help?
-----Original Message-----
From: Alexei Monastyrnyi [mailto:alexeim@orcsoftware.com]
Sent: Wednesday, May 21, 2003 6:17 AM
To: Lawrence, Mike (White Plains)
Subject: Re: userPassword - if it's stored in {crypt} format, how do you make ldappasswd keep it that way when a user changes it?
Hi Mike.
You wrote
I am also using SSL/TLS with the pam padl and nss ldap modules.
I have a problem configuring my LDAP client and LDAP server for an SSL/TLS connection.
I'm running it on a Solaris 9 box.
OpenLDAP 2.1.17
OpenSSL 0.9.7b
OpenSSH 3.6.1p1
pam_ldap-161
nss_ldap-205
How do I make the server accept SSL/TLS connections and make the client connect via SSL/TLS?
Thanks a lot in advance for your time.
Alexei.
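The failure in the ldapsearch output above ("self signed certificate in certificate chain", OpenSSL verify error 19) is a client-side trust problem: the client receives the server certificate and the self-signed demoCA certificate that issued it, but nothing in the posted client ldap.conf tells the OpenLDAP library to trust that CA. The script below is an added example, not code from the thread or from the OpenLDAP project. It assumes only the openssl command-line tool and builds a throwaway, constructed CA and server certificate in a temporary directory (the file names ldapcert.pem/ldapkey.pem/cacert.pem echo the slapd.conf in the mail; ldap.example.test is a hypothetical host). It then runs the same verification the client performs, first with the CA merely present in the chain and then with the CA trusted.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the ldapsearch -ZZ
# verification failure with plain openssl, then show that trusting the CA
# that issued the server certificate makes verification succeed.
# All key material here is constructed, throwaway test data.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed test CA and a server certificate signed by it.
# Hypothetical names; layout mirrors demoCA/cacert.pem + ldapcert.pem.
make_test_pki() {
    [ -f "$WORK/ldapcert.pem" ] && return 0   # already built
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$WORK/cacert.key" -out "$WORK/cacert.pem" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=ldap.example.test" \
        -keyout "$WORK/ldapkey.pem" -out "$WORK/ldap.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -set_serial 1 \
        -in "$WORK/ldap.csr" -CA "$WORK/cacert.pem" -CAkey "$WORK/cacert.key" \
        -out "$WORK/ldapcert.pem" >/dev/null 2>&1 || return 1
}

# What a client with no TLS_CACERT sees: the CA certificate is available
# (the server sends it in the chain) but it is not in the trust store, so
# OpenSSL reports "self signed certificate in certificate chain" (error 19,
# spelled "self-signed" in OpenSSL 3.x) and the function returns non-zero.
verify_untrusted_chain() {
    openssl verify -untrusted "$WORK/cacert.pem" "$WORK/ldapcert.pem"
}

# Same chain with the CA explicitly trusted, which is what pointing the
# client's TLS_CACERT at cacert.pem does: prints "...: OK", returns zero.
verify_trusted_ca() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/ldapcert.pem"
}

# Demonstration when run directly.
make_test_pki || { echo "could not build test PKI" >&2; exit 1; }
echo "--- CA present in chain but not trusted (the failing client's view):"
verify_untrusted_chain || echo "verification failed, as expected"
echo "--- CA in the trust store:"
verify_trusted_ca && echo "verification succeeded"
```

For the OpenLDAP tools (ldapsearch reads the library's ldap.conf, not the pam_ldap one), the equivalent of the passing case is a TLS_CACERT line pointing at the CA certificate that signed the server certificate; pam_ldap and nss_ldap read the separate tls_cacertfile option from their own ldap.conf. Setting TLS_REQCERT to never would also make the error disappear, but only by switching off server authentication, so the client would then accept any certificate on port 389.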