
Re: My OpenLDAP doesn't listen to port 636 ...



Hi, Hallvard,

You're right. Now it listens to port 636... Thanks!

But now the problem is that ldapsearch meets an error.

Client side output is:

qsilver@marathon:~/workshop/openldap-2.1.4/servers/slapd> ldapsearch -Z -h marathon -b 'dc=prc,dc=sun,dc=com'
ldap_start_tls: Connect error (91)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ldap_sasl_interactive_bind_s: Can't contact LDAP server (81)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed



And the server side output is:

connection_get(7): got connid=2
connection_read(7): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ber_get_next on fd 7 failed errno=11 (Resource temporarily unavailable)
do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 7
connection_get(7): got connid=2
connection_read(7): checking for input on id=2
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(7): got connid=2
connection_read(7): checking for input on id=2
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A

TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1047
connection_read(7): TLS accept error error=-1 id=2, closing
connection_closing: readying conn=2 sd=7 for close
connection_close: conn=2 sd=7


Don't know if the error message refers to the CA cert for client side or server side. Actually, I've set the correct path of CA cert in slapd.conf for slapd, and use " TLSVerifyClient never" to prevent asking for client's cert. Something must be wrong, but where?

BTW, where can I find more information about OpenLDAP besides the 'Admin Guide'?

Thanks again.
Calvin

On Fri, 2004-04-09 at 19:15, Hallvard B Furuseth wrote:
Calvin Liu writes:
> I've configured my slapd to use SSL. The startup is ok. And I can query
> with command "ldapsearch -x -h <host> -b ''". But actually, it doesn't
> listen to port 636.

slapd.conf isn't everything; you need to tell slapd to listen to SSL on
the command line too:

  libexec/slapd -h 'ldap:/// ldaps:///'
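To answer the question of which side's CA the error refers to, here is a small triage script, added as an example and not part of this thread, that parses the two outputs Calvin posted. It keys on two facts: the client's error names SSL3_GET_SERVER_CERTIFICATE, so it is the client failing to verify the server's certificate, and slapd's "SSL3 alert read" line means slapd received the alert from the peer rather than sending it. The sample log text is copied from the message above; the TLS_CACERT hint refers to the client-side ldap.conf option.

```python
import re

# Constructed sample input: the relevant lines from the client and server output quoted above.
CLIENT_OUTPUT = """\
ldap_start_tls: Connect error (91)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
"""
SERVER_TRACE = """\
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL3 alert read:fatal:unknown CA
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1047
"""

# OpenSSL error strings look like error:<8 hex digits>:<library>:<function>:<reason>
OPENSSL_ERR = re.compile(r"error:([0-9A-Fa-f]{8}):SSL routines:(\w+):(.+)")
# OpenSSL info-callback alert lines: "SSL3 alert read|write:<level>:<description>"
ALERT = re.compile(r"SSL3 alert (read|write):(\w+):(.+)")


def parse_openssl_errors(text):
    """Return (code, function, reason) for every OpenSSL error string in text."""
    return [(m.group(1), m.group(2), m.group(3).strip()) for m in OPENSSL_ERR.finditer(text)]


def parse_alerts(text):
    """Return (direction, level, description) for every alert trace line in text."""
    return [(m.group(1), m.group(2), m.group(3).strip()) for m in ALERT.finditer(text)]


def diagnose(client_text, server_text):
    """Explain, from both sides' output, which certificate was rejected and by whom."""
    findings = []
    for _code, func, reason in parse_openssl_errors(client_text):
        if func == "SSL3_GET_SERVER_CERTIFICATE" and "verify failed" in reason:
            findings.append("client could not verify the SERVER certificate: "
                            "the client's trusted CA (ldap.conf TLS_CACERT) is what "
                            "matters here, not slapd's TLSVerifyClient")
    for direction, level, desc in parse_alerts(server_text):
        if direction == "read":
            # The server read the alert, so the peer (the client) sent it.
            findings.append(f"server RECEIVED a {level} '{desc}' alert: "
                            "the client aborted the handshake")
        else:
            findings.append(f"server SENT a {level} '{desc}' alert: "
                            "the server rejected the client")
    return findings
```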