
Re: Problem connecting using TLS



Robert Fitzpatrick wrote:
> [...]
> [root /root]# netstat -na
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address Foreign Address State
> tcp 0 0 192.168.1.16:636 0.0.0.0:* LISTEN
> tcp 0 0 127.0.0.1:389 0.0.0.0:* LISTEN
> [...]
> [robert@columbus robert]$ ldapsearch -x -Z -b
> "dc=hermes,dc=webtent,dc=org" -D
> "cn=Manager,dc=hermes,dc=webtent,dc=org" -W "(ObjectClass=*)" -h
> "hermes.webtent.org"
> ldap_start_tls: Can't contact LDAP server
> Enter LDAP Password:
> ldap_bind: Can't contact LDAP server
>
> Any ideas why I can't get connected?

1: Does it work if you try to connect on port 389 using TLS (that's what the -Z you're using is for) with a client on the server itself?


2: Do you have the uri or host/port details in ldaprc? Because you aren't giving them on the command line (-H 'ldap://hermes.webtent.org/ ldaps://hermes.webtent.org/')

3: I don't see any subject or issuer in your s_client connect:

Certificate chain
0 s:/C=NL/ST=Zuidholland/O=Billy/OU=Billy/CN=localhost/emailAddress=hostmaster@billy.demon.nl
i:/C=NL/ST=Zuidholland/L=Nieuwveen/O=Billy/OU=Billy/CN=localhost/emailAddress=hostmaster@billy.demon.nl
1 s:/C=NL/ST=Zuidholland/L=Nieuwveen/O=Billy/OU=Billy/CN=localhost/emailAddress=hostmaster@billy.demon.nl
i:/C=NL/ST=Zuidholland/L=Nieuwveen/O=Billy/OU=Billy/CN=localhost/emailAddress=hostmaster@billy.demon.nl
etc.


4: When you make the certs, be sure that the CN of the subject (s:) really is the FQDN of the machine in question (check on linux with 'hostname -f')

And those are just for starters ;)

5: You shouldn't need any client cert, provided you haven't told the server to insist on one.

--Tonni

Who's had it all himself, in the beginning.

--
Tony Earnshaw

Once the camel's head has entered your tent,
it's very difficult to stop the rest of the
animal from following it

http://www.billy.demon.nl
Mail: tonye-at-billy.demon.nl
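Added example, not part of the thread: a small Python check that mechanises points 1 and 4 above. It parses the netstat listing quoted from Robert's server, works out which port the client will hit (-Z means StartTLS on the plain LDAP port 389; ldaps:// means 636), and reports whether any listener is bound to the address the client connects to; a second function compares the CN of an s_client-style subject line with the FQDN. The assumption that hermes.webtent.org resolves to 192.168.1.16 is constructed for the example.

```python
import re

# Constructed sample: the LISTEN lines quoted from the netstat output in the thread.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.1.16:636 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:389 0.0.0.0:* LISTEN
"""

# Assumption for the example: the name the client uses resolves to this address.
ASSUMED_HOST_IP = "192.168.1.16"


def parse_listeners(netstat_text):
    """Return [(ip, port), ...] for every tcp socket in LISTEN state."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            ip, port = fields[3].rsplit(":", 1)
            listeners.append((ip, int(port)))
    return listeners


def diagnose(netstat_text, target_ip, use_starttls):
    """(ok, message): will a client aiming at target_ip reach a listener?"""
    # -Z negotiates StartTLS on the plain port; an ldaps:// URI uses 636 instead.
    port = 389 if use_starttls else 636
    listeners = parse_listeners(netstat_text)
    # A listener counts if it is bound to the exact address or to the wildcard.
    if any(p == port and ip in (target_ip, "0.0.0.0", "::") for ip, p in listeners):
        return True, f"port {port} reachable on {target_ip}"
    bound = sorted(ip for ip, p in listeners if p == port) or ["none"]
    return False, f"port {port} not bound on {target_ip}; bound on: {', '.join(bound)}"


def cn_matches_fqdn(subject, fqdn):
    """Point 4: the certificate's CN must equal the server's FQDN (hostname -f)."""
    m = re.search(r"/CN=([^/]+)", subject)
    return bool(m) and m.group(1).strip().lower() == fqdn.strip().lower()


if __name__ == "__main__":
    print(diagnose(NETSTAT_SAMPLE, ASSUMED_HOST_IP, use_starttls=True))
    print(diagnose(NETSTAT_SAMPLE, "127.0.0.1", use_starttls=True))
    print(cn_matches_fqdn("/C=NL/O=Billy/CN=localhost/emailAddress=x@y", "hermes.webtent.org"))
```

With the thread's listing, StartTLS against the LAN address fails because 389 is bound only to 127.0.0.1, while the same command run on the server itself (127.0.0.1) or ldaps:// on 636 would reach a listener.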