TLS
Hi!
I have an error with LDAP starting over TLS. Some additional
information:
- I'm using Debian Sarge Linux
- testserver:/etc/ldap# ifconfig
eth1 Link encap:Ethernet HWaddr 00:E0:7D:E8:3D:58
inet addr:10.0.0.185 Bcast:10.0.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:150597 errors:0 dropped:0 overruns:0 frame:0
TX packets:38350 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:21494324 (20.4 MiB) TX bytes:5396321 (5.1 MiB)
Interrupt:11 Base address:0xa000
- testserver:/etc/ldap# host 10.0.0.185
Name: testserver.aitia
Address: 10.0.0.185
- testserver:/etc/ldap# openssl req -new -x509 -nodes -out slapd.pem -keyout slapdkey.pem -days 365
Generating a 1024 bit RSA private key
.....................................................................++++++
.....................++++++
writing new private key to 'slapdkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:HU
State or Province Name (full name) [Some-State]:Hungary
Locality Name (eg, city) []:Budapest
Organization Name (eg, company) [Internet Widgits Pty Ltd]:AITIA Rt.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:testserver.aitia
Email Address []:root@aitia.ai
I have tried with CA.sh, but the problem was the same
(http://www.openldap.org/faq/data/cache/185.html)
- I have modified /etc/defaults/slapd with SLAPD_OPTIONS="-d 1 -h ldaps:///"
In the end:
testserver:/etc/ldap# /etc/init.d/slapd restart
Stopping OpenLDAP: slapd.
Starting OpenLDAP: slapd - failed.
The operation failed but no output was produced. For hints on what went
wrong please refer to the system's logfiles (e.g. /var/log/syslog) or
try running the daemon in Debug mode like via "slapd -d 16383" (warning:
this will create copious output).
But if I run slapd like this:
slapd -d 1 -h ldaps:/// -f /etc/ldap/slapd.conf &
it starts, but a search responds with:
ldapsearch -x -H ldaps://localhost/ -b 'dc=aitia,dc=intra'
ldap_pvt_gethostbyname_a: host=testserver, r=0
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ber_scanf fmt (m) ber:
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
TLS certificate verification: depth: 0, err: -49, subject: -unknown-,
issuer: -unknown-
TLS certificate verification: Error, Unknown error
connection_read(12): unable to get TLS client DN error=49 id=0
ldap_bind: Can't contact LDAP server (81)
additional info: TLS: hostname does not match CN in peer
certificate
testserver:/etc/ldap# connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next on fd 12 failed errno=104 (Connection reset by peer)
connection_read(12): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=12 for close
connection_close: conn=0 sd=12
What does this mean:
TLS certificate verification: depth: 0, err: -49, subject: -unknown-,
issuer: -unknown-
TLS certificate verification: Error, Unknown error
connection_read(12): unable to get TLS client DN error=49 id=0
ldap_bind: Can't contact LDAP server (81)
additional info: TLS: hostname does not match CN in peer
Why doesn't the hostname match?!
Best Regards
bzg
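The "hostname does not match CN in peer certificate" error above comes from the client comparing the host in the ldaps:// URL against the identities in the server certificate. The following is an added example (not from this thread or from OpenLDAP) of that matching logic in Python; the two certificate dictionaries are constructed samples in the shape returned by ssl.SSLSocket.getpeercert(), and the wildcard and SAN-precedence rules follow RFC 6125 rather than any particular libldap version.

```python
"""Match a connection hostname against a server certificate, as a TLS client does."""
import ipaddress

# Constructed sample: a self-signed cert whose only identity is the CN,
# like the one generated with "openssl req" in the post (no subjectAltName).
CN_ONLY_CERT = {
    "subject": ((("countryName", "HU"),), (("commonName", "testserver.aitia"),)),
}
# Constructed sample: identities carried in subjectAltName (DNS and IP),
# which modern clients check instead of the CN whenever a SAN is present.
SAN_CERT = {
    "subject": ((("commonName", "ignored-when-san-present"),),),
    "subjectAltName": (("DNS", "testserver.aitia"), ("IP Address", "10.0.0.185")),
}


def _dns_label_match(pattern, hostname):
    """Case-insensitive DNS match; a single '*' may replace only the leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Refuse wildcards that are not the whole leftmost label or that would
    # cover an entire top-level domain (e.g. "*.aitia").
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_identities(cert):
    """Return (kind, value) pairs the cert is valid for; SANs win, CN is a fallback."""
    sans = [(k, v) for k, v in cert.get("subjectAltName", ()) if k in ("DNS", "IP Address")]
    if sans:
        return sans
    return [("CN", v) for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_matches(cert, hostname):
    """True if the URL hostname (DNS name or IP literal) is covered by the cert."""
    for kind, value in cert_identities(cert):
        if kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ipaddress.ip_address(hostname):
                    return True
            except ValueError:  # hostname is not an IP literal, so no IP SAN can match
                continue
        elif _dns_label_match(value, hostname):
            return True
    return False


if __name__ == "__main__":
    for host in ("localhost", "testserver.aitia", "10.0.0.185"):
        print(f"ldaps://{host}/ against CN-only cert:", hostname_matches(CN_ONLY_CERT, host))
```

With the CN-only certificate, only a URL naming testserver.aitia passes; ldaps://localhost/ and the IP address are rejected exactly as in the posted trace.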