
solaris 8 client authentication to openldap (TLS issue)



Hi,

I've been stuck with this problem for quite long.
It might be more appropriate to post this question in
the PAM_LDAP forum, and I did... but well... I haven't managed
to solve my problems after trying a few suggestions
from them. One of them suggested posting to
openldap...

So, this is my problem:
I would like to get a solaris 8 machine to authenticate
to an openldap server on redhat linux using pam_ldap
from PADL. So far, I've been successful with the
authentication without TLS/SSL securing the connection
between the client and the server. Now, I would like
to include TLS/SSL...

I installed the following packages:

1. in redhat linux:
- openldap-2.1.30 (compiled with TLS; the TLS/SSL
connection has been tested with the ldap client on the
same machine)
- openssl-0.9.6b

2. in solaris 8:
- pam_ldap-169
- openldap-2.1.30
- openssl-0.9.6l

Now the problem is that the server complains about a
wrong version number !!! What does it mean ?
Do I need to install the same version of openssl or
openldap on both the server and the client ? I've
tried with a linux client, and it works even though it has
a different version of openssl from the server...*sigh*

I generated the server's and client's certificates and
keys on the server, and then moved the CA, client's
cert and key over to the solaris client.

Below is an excerpt of the debug messages from the server:
------------------------------------------------------

daemon: activity on 1 descriptors
daemon: new connection on 10
ldap_pvt_gethostbyname_a: host=authserver, r=0
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ber_scanf fmt (m) ber:
daemon: added 10r
daemon: activity on:
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 10
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number s3_pkt.c:297
connection_read(10): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=10 for close
connection_close: conn=0 sd=10
daemon: removing 10
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL

while in /var/adm/messages:
----------------------------
pam_ldap: ldap_starttls_s: Connect error

/etc/ldap.conf:
---------------
host adianto.com
base dc=adianto,dc=com
uri ldap://adianto.com/
binddn cn=Manager,dc=adianto,dc=com
bindpw secret
port 389
scope sub
pam_filter objectclass=posixaccount
pam_login_attribute uid
ssl start_tls
tls_cacertfile /usr/lara/certs/cacert.pem

The TLS configuration in slapd.conf:
-------------------------------------
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cert/cacert.pem
TLSCertificateFile /etc/openldap/cert/servercrt.pem
TLSCertificateKeyFile /etc/openldap/cert/serverkey.pem

thanks in advance,
-lara-

=====
------------------------------------------------------------------------------------
Life, you see, is never as good or as bad as one thinks
                                                                        - Guy de Maupassant -
------------------------------------------------------------------------------------
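The slapd trace above tells the story of the handshake if you read the `TLS trace:` lines in order: the server consumed the ClientHello, wrote its ServerHello, Certificate and ServerHelloDone, flushed, and then died on the very first record it tried to read back from the client. The script below is an added example written for this thread, not code from the original post or from the OpenLDAP project; it parses that kind of `slapd -d` output into the list of completed states, the state in which the accept failed, and the decoded OpenSSL error (code, library, function, reason, source location). The sample input is the excerpt quoted in the post with mail wrapping rejoined, and the function names (`parse_handshake`, `diagnose`) and the `client_cert_requested` flag are my own choices.

```python
"""Locate where a TLS accept failed in a slapd debug trace."""
import re
from typing import Dict, List, Optional

# Constructed sample: the slapd -d excerpt from the post above, with the
# lines that the mail client wrapped rejoined onto single lines.
SAMPLE_TRACE = """\
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number s3_pkt.c:297
connection_read(10): TLS accept error error=-1 id=0, closing
"""

# One OpenSSL state-machine line as printed by slapd's TLS info callback.
TRACE_RE = re.compile(r"^TLS trace: SSL_accept:(?P<state>.+?)\s*$")

# The classic OpenSSL error string: error:<8 hex>:<lib>:<func>:<reason> [file:line]
ERROR_RE = re.compile(
    r"^TLS: error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):"
    r"(?P<reason>.+?)(?:\s+(?P<file>\S+\.c):(?P<line>\d+))?\s*$"
)


def parse_handshake(text: str) -> Dict[str, object]:
    """Split a slapd trace into completed states, the failing state and the error.

    Note that "error in <state>" is printed every time SSL_accept returns
    without finishing, which on a non-blocking socket includes the harmless
    "nothing to read yet" retries; only the "TLS: error:" line is the real
    fatal reason, so the two are recorded separately.
    """
    completed: List[str] = []
    failed_at: Optional[str] = None
    error: Optional[Dict[str, Optional[str]]] = None
    for line in text.splitlines():
        m = TRACE_RE.match(line)
        if m:
            state = m.group("state")
            if state.startswith("error in "):
                failed_at = state[len("error in "):]
            else:
                completed.append(state)
            continue
        m = ERROR_RE.match(line)
        if m:
            error = {k: m.group(k) for k in ("code", "lib", "func", "reason", "file", "line")}
    return {
        "completed": completed,
        "failed_at": failed_at,
        "error": error,
        # A server that wants a client certificate writes a CertificateRequest
        # before ServerHelloDone; its absence means the copied client cert/key
        # never came into play in this handshake.
        "client_cert_requested": any("write certificate request" in s for s in completed),
    }


def diagnose(text: str) -> str:
    """Return a one-line, human-readable summary of the failure."""
    r = parse_handshake(text)
    err = r["error"]
    if err is None:
        return "no TLS error recorded in trace"
    completed = r["completed"]
    last = completed[-1] if completed else "nothing"
    where = f"{err['file']}:{err['line']}" if err["file"] else "unknown location"
    return (
        f"server completed '{last}', then failed in state '{r['failed_at']}': "
        f"{err['reason']} ({err['func']}, code {err['code']}, {where}); "
        f"client certificate requested: {r['client_cert_requested']}"
    )


if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE))
```

Run against the sample it reports that the server's own flight went out cleanly and the failure is in `SSL3_GET_RECORD` with reason `wrong version number`, i.e. the record layer rejected the version field of the first record the client sent after ServerHelloDone, and that the server never asked for a client certificate. That narrows the search to what the client is putting on the wire after StartTLS rather than to certificates or CA files, and the same parser works on any `slapd -d` capture, so it can be dropped over a longer log to find the connection that failed.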