
Re: TLS still can't accept....ssl handshake problem



At 01:04 PM 5/21/2004, Mark wrote:
>s_server?
>I'm not sure what you mean...

see openssl(1).

>I can authenticate, login, do id users fine if I don't do the ldaps:///,

I don't know what "authenticate, login, do id" means.  Please talk
in terms of LDAP operations or OpenLDAP-provided LDAP command line
tools (e.g., slapd(8), ldapsearch(1), etc.) and their input/output.

>if I just go normal without encryption... but whenever I
>run slapd with the -h ldaps:/// command, then I can't login.... if I'm logged in already, the id users still works..

If you start the server with only -h "ldaps:///" then how do
you expect it to work without encryption?  By specifying only
-h "ldaps:///" you told it to only accept Secure LDAP
connections.  If you want slapd to accept LDAP and Secure
LDAP connections, you should specify "-h ldap:/// ldaps:///"
instead.

>I guess my question is which part, pam, nss, openldap.. is the one not working here... if I can do id users, I thought I could login
>as well... or are the 2 commands using different things..

If you are not typing "ldap..." to a command-line prompt,
then you aren't using an OpenLDAP client.  If you have issues
with other clients, take those issues to lists supporting
those clients.  But before that, you might want to make sure
that OpenLDAP clients work properly.  (And if working
properly involves other systems, such as OpenSSL,
Cyrus SASL, Kerberos, etc., you should make sure they
are working first.)

>On May 21, 12:23, Kurt D. Zeilenga wrote:
>> At 11:09 AM 5/21/2004, Mark wrote:
>> >so I tried to troubleshoot somewhat more.. and I'm getting into this problem...
>> >
>> >slapd started with 
>> >
>> >/usr/depot/openldap/current/libexec/slapd -d 127 -u ldap -g ldap -h ldaps:/// -f /etc/depot/openldap/openldap/slapd.conf
>> >
>> >from the client end.. if I do an SSL check on the certs, I get
>> >
>> >/usr/depot/openssl/current/bin/openssl s_client -connect needlefish.internal.foo.com:636 -showcerts -state -CAfile /etc/depot/openldap/certs/cacert.pem
>> 
>> >while on the server side it shows
>> 
>> I suggest you try s_server here first to eliminate any OpenSSL specific
>> problems.  Once you have s_client talking to s_server, then it should
>> be rather straightforward to translate your success (first with slapd
>> and then with ldapsearch) to OpenLDAP Software.
>> 
>> Kurt
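Kurt's two points above (a slapd started with only -h ldaps:/// accepts no plaintext LDAP at all, and the s_client handshake against the CA file should pass before slapd and ldapsearch are involved) as an added shell script that is not part of this thread. It assumes openssl(1) and ldapsearch(1) are on PATH; the host name and CA path from Mark's command are reused only as placeholders, and the function names are my own.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes openssl(1) and ldapsearch(1)
# are on PATH; the host name and CA file are placeholders to replace.

# Return 0 if the slapd -h URL list ($1) contains a plaintext ldap:// listener.
# slapd listens only on the URLs given, so "-h ldaps:///" alone means every
# non-TLS client connection (port 389) is refused, not "encryption optional".
slapd_accepts_plain_ldap() {
  for url in $1; do
    case $url in ldap:*) return 0 ;; esac
  done
  return 1
}

# Return 0 if the slapd -h URL list ($1) contains an ldaps:// listener.
slapd_accepts_ldaps() {
  for url in $1; do
    case $url in ldaps:*) return 0 ;; esac
  done
  return 1
}

# Reduce the s_client check from the thread to pass/fail: the handshake is
# only "ok" when the server certificate chains to the CA file in $2.
ldaps_handshake_ok() {
  openssl s_client -connect "$1:636" -CAfile "$2" -showcerts -state </dev/null 2>&1 \
    | grep -q 'Verify return code: 0 (ok)'
}

# Walk the troubleshooting ladder: listener list, then TLS, then LDAP over TLS.
check_ldaps_setup() {
  host=$1; cafile=$2; listeners=$3
  if ! slapd_accepts_plain_ldap "$listeners"; then
    echo "note: no ldap:/// listener; clients using ldap://$host will be refused"
    echo "      start slapd with -h \"ldap:/// ldaps:///\" to accept both"
  fi
  slapd_accepts_ldaps "$listeners" || { echo "no ldaps:/// listener configured"; return 1; }
  ldaps_handshake_ok "$host" "$cafile" || { echo "TLS handshake/verification failed"; return 1; }
  # Same trust anchor for the OpenLDAP client, then read the rootDSE over ldaps.
  LDAPTLS_CACERT=$cafile ldapsearch -x -H "ldaps://$host/" -b '' -s base '(objectClass=*)'
}

# Example invocation with the placeholders from the thread:
# check_ldaps_setup needlefish.internal.foo.com /etc/depot/openldap/certs/cacert.pem 'ldaps:///'
```

If the handshake step fails, run the same CA file through s_server/s_client on the server host first, as suggested above, before looking at slapd.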