
RE: problem with ldapsearch/TLS ( or Fedora Core 2?? )




Yes, it is on port 389 and I have figured out the problem...

I have to add .ldaprc under the home directory of the user who runs ldapsearch (i.e. ~/.ldaprc) with the following two lines in the file.

tls_cert /etc/openldap/certs/myhost.crt
tls_key /etc/openldap/certs/myhost.key




"Tay, Gary" <Gary_Tay@platts.com>
10/24/2004 07:15 PM
To: "Barrow H Kwan" <bhkwan@thoughtworks.com>, "Jeff Warnica <jeffw"
cc: "OpenLdap Software List" <openldap-software@OpenLDAP.org>, <owner-openldap-software@OpenLDAP.org>
Subject: RE: problem with ldapsearch/TLS ( or Fedora Core 2?? )





Looking at the last statement of the debugging output.

If you were to search Google using info: "error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure".

You would notice that Howard has highlighted a common misunderstanding many have: TLS uses port 389, not 636:
http://www.openldap.org/lists/openldap-software/200404/msg00364.html

Could you please check if there is a port 636 statement in ldap.conf (at client or server if you do a local test); that should be changed to "PORT 389", or delete this "PORT 636" statement to use the implied default, which is PORT 389.

slapd should also be listening on port 389.

Gary
-----Original Message-----
From: owner-openldap-software@OpenLDAP.org [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Barrow H Kwan
Sent: Saturday, October 23, 2004 10:15 AM
To: Jeff Warnica <jeffw
Cc: OpenLdap Software List; owner-openldap-software@OpenLDAP.org
Subject: Re: problem with ldapsearch/TLS ( or Fedora Core 2?? )


I already had this in /etc/openldap/ldap.conf

...
tls_cacert /etc/openldap/cacert/ca.crt
tls_cacertdir /etc/openldap/cacert
tls_cert /etc/openldap/certs/myhost.crt
tls_key /etc/openldap/certs/myhost.key
...


ldapsearch -d -1 got this..

....
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
tls_write: want=146, written=146
 0000:  16 03 01 00 07 0b 00 00  03 00 00 00 16 03 01 00   ................
 0010:  46 10 00 00 42 00 40 32  d1 67 8f 2d 2d 38 73 33   F...B.@2.g.--8s3
 0020:  05 3b 44 d5 30 a8 74 18  54 75 7e 86 24 81 ce fb   .;D.0.t.Tu~.$...
 0030:  00 dc 3a 39 f7 df 7e db  68 93 02 e9 0d 00 41 e6   ..:9..~.h.....A.
 0040:  23 06 8b c7 37 0b 22 82  01 d0 46 a2 1b 50 4f 03   #...7."...F..PO.
 0050:  f8 d4 65 23 97 a1 fc 14  03 01 00 01 01 16 03 01   ..e#............
 0060:  00 30 74 65 d3 0a 54 f2  36 72 c4 48 30 b4 0e f1   .0te..T.6r.H0...
 0070:  60 36 0d 40 9a 4d 07 b9  60 c1 65 a8 fe d7 29 85   `6.@.M..`.e...).
 0080:  b6 ad f3 da b4 7f ba 36  df d3 95 90 d4 00 a8 f4   .......6........
 0090:  95 73                                              .s
TLS trace: SSL_connect:SSLv3 flush data
tls_read: want=5, got=5
 0000:  15 03 01 00 02                                     .....
tls_read: want=2, got=2
 0000:  02 28                                              .(
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (91)
       additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure



Barrow
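The two hex dumps in the trace above say more than the error string does. The following added example (written for this thread; it is not code from OpenLDAP or from any of the posters) copies the bytes from those dumps and splits them into TLS records. The client's first record is a Certificate handshake message whose certificate list is empty, that is, the client answered the server's "certificate request" with no certificate at all, and the server's reply is a fatal alert with description 40 (handshake_failure). Assumed: the record and message layouts of RFC 2246 (TLS 1.0, the 03 01 version the dump shows); the byte values are taken verbatim from the dumps.

```python
"""Decode the TLS records in the ldapsearch -d -1 trace above.

Added example for this thread, not code from OpenLDAP or from the poster.
The byte strings are copied from the two hex dumps in the trace (the 146-byte
client write and the 5+2-byte server read); the record and message layouts
follow RFC 2246 (TLS 1.0, the 03 01 version the trace shows).
"""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {11: "certificate", 12: "server_key_exchange", 13: "certificate_request",
                   14: "server_hello_done", 15: "certificate_verify", 16: "client_key_exchange",
                   20: "finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                      46: "certificate_unknown", 48: "unknown_ca", 51: "decrypt_error"}

# The client's 146 bytes, copied row by row from the tls_write dump in the trace.
CLIENT_FLIGHT = bytes.fromhex(
    "16030100070b00000300000016030100"
    "4610000042004032d1678f2d2d387333"
    "053b44d530a8741854757e862481cefb"
    "00dc3a39f7df7edb689302e90d0041e6"
    "23068bc7370b228201d046a21b504f03"
    "f8d4652397a1fc140301000101160301"
    "00307465d30a54f23672c44830b40ef1"
    "60360d409a4d07b960c165a8fed72985"
    "b6adf3dab47fba36dfd39590d400a8f4"
    "9573"
)
# The server's answer: a 5-byte record header followed by a 2-byte alert body.
SERVER_REPLY = bytes.fromhex("1503010002" "0228")


def parse_records(data):
    """Split a byte string into TLS records as (type name, version, payload) tuples."""
    records, off = [], 0
    while off < len(data):
        if off + 5 > len(data):
            raise ValueError("truncated TLS record header at offset %d" % off)
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, off)
        payload = data[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record body at offset %d" % off)
        records.append((CONTENT_TYPES.get(ctype, str(ctype)), (major, minor), payload))
        off += 5 + length
    return records


def certificate_count(handshake_msg):
    """Number of certificates carried by a cleartext Certificate handshake message."""
    if handshake_msg[0] != 11:
        raise ValueError("not a Certificate message")
    body_len = int.from_bytes(handshake_msg[1:4], "big")
    body = handshake_msg[4:4 + body_len]
    list_len = int.from_bytes(body[0:3], "big")   # length of the certificate_list vector
    count, off = 0, 3
    while off < 3 + list_len:
        cert_len = int.from_bytes(body[off:off + 3], "big")
        off += 3 + cert_len
        count += 1
    return count


def decode_alert(alert_body):
    """Map the two alert bytes to (level, description) names."""
    return (ALERT_LEVELS.get(alert_body[0], str(alert_body[0])),
            ALERT_DESCRIPTIONS.get(alert_body[1], str(alert_body[1])))


def summarize_flight(data):
    """One line per record; handshake messages are only decoded while still in cleartext."""
    lines, encrypted = [], False
    for ctype, _version, payload in parse_records(data):
        if ctype == "handshake" and not encrypted:
            name = HANDSHAKE_TYPES.get(payload[0], str(payload[0]))
            if payload[0] == 11:
                name += " (%d certificate(s))" % certificate_count(payload)
            lines.append("handshake: " + name)
        elif ctype == "change_cipher_spec":
            encrypted = True          # everything the client sends after this is encrypted
            lines.append("change_cipher_spec")
        elif ctype == "alert":
            lines.append("alert: %s %s" % decode_alert(payload))
        else:
            lines.append(ctype + (" (encrypted)" if encrypted else ""))
    return lines


if __name__ == "__main__":
    for line in summarize_flight(CLIENT_FLIGHT) + summarize_flight(SERVER_REPLY):
        print(line)
```

Run stand-alone, the script lists the client's four records (an empty Certificate message, a ClientKeyExchange, ChangeCipherSpec, and the encrypted Finished) followed by the server's fatal handshake_failure alert. An empty client certificate in reply to a certificate request is the server-side reason for that alert, which is consistent with the fix reported at the top of the thread: the client certificate only took effect once it was configured in the user's ~/.ldaprc.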



Jeff Warnica <jeffw@chebucto.ns.ca>
Sent by: owner-openldap-software@OpenLDAP.org
10/22/2004 07:50 PM
To: Barrow H Kwan <bhkwan@thoughtworks.com>
cc: OpenLdap Software List <openldap-software@OpenLDAP.org>
Subject: Re: problem with ldapsearch/TLS ( or Fedora Core 2?? )







On Thu, 2004-21-10 at 19:16 -0700, Barrow H Kwan wrote
>
> [root@myhost root]# ldapsearch -H ldap://myhost.domain.com -D
> uid=user1,ou=People,dc=Corporate,dc=Domain,dc=COM -x -W -ZZ
> ldap_start_tls: Connect error (91)
>        additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
<snip>
> : is it a problem with ldapsearch ?


Unlikely. Does ldapsearch know about your CA certs? Note
that /etc/ldap.conf is for pam/nss _only_, everything else uses,
i.e., /etc/openldap/ldap.conf ... at least with all the RH/Fedora RPMs.

If that doesn't work, run ldapsearch with "-d -1" and see if that gives
any hits.
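Three configuration points come up in this thread: which file the client tools read (Jeff: /etc/openldap/ldap.conf, not the pam/nss /etc/ldap.conf) and whether it names the CA certificate, which port StartTLS uses (Gary: 389, not 636), and why the client certificate only worked from ~/.ldaprc (Barrow's fix). The following added example, written for this thread and not code from OpenLDAP or any of the posters, models how the client layers its configuration files and lints the result for those three points. Assumed from ldap.conf(5): the system file is read first, the user's ~/.ldaprc afterwards, later settings win, and TLS_CERT and TLS_KEY are user-only options that the library ignores in the system file. The sample file contents are constructed to match what the thread shows; the BASE and URI lines are assumptions.

```python
"""Layer an OpenLDAP client's configuration files the way the tools do, then lint the result.

Added example for this thread, not OpenLDAP code and not the posters' code.
Assumed from ldap.conf(5): the system file (/etc/openldap/ldap.conf) is read
first, the user's ~/.ldaprc afterwards, later settings win, and TLS_CERT /
TLS_KEY are user-only options that are ignored in the system file. The sample
file contents below are constructed to match what the thread describes.
"""
import os
import stat

USER_ONLY = {"TLS_CERT", "TLS_KEY"}

# Findings the linter can report (constants so callers can compare exactly).
FINDING_NO_CA = "no TLS_CACERT/TLS_CACERTDIR in effect: the server certificate cannot be verified"
FINDING_PAIR = "TLS_CERT and TLS_KEY must be configured together"
FINDING_PORT = "StartTLS (-ZZ) runs on the plain LDAP port 389; PORT 636 / ldaps:// is for ldaps"
FINDING_NO_CLIENT_CERT = ("server requested a client certificate but no TLS_CERT/TLS_KEY is in "
                          "effect; they must live in a user file such as ~/.ldaprc")

# Constructed: /etc/openldap/ldap.conf with the TLS lines the thread shows (BASE/URI are assumed).
SYSTEM_LDAP_CONF = """
BASE dc=Corporate,dc=Domain,dc=COM
URI ldap://myhost.domain.com
tls_cacert /etc/openldap/cacert/ca.crt
tls_cacertdir /etc/openldap/cacert
tls_cert /etc/openldap/certs/myhost.crt
tls_key /etc/openldap/certs/myhost.key
"""

# Constructed: the ~/.ldaprc that fixed the problem in the thread.
USER_LDAPRC = """
tls_cert /etc/openldap/certs/myhost.crt
tls_key /etc/openldap/certs/myhost.key
"""


def parse_ldap_conf(text):
    """Parse 'KEY value' lines; keys are case-insensitive, '#' starts a comment."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0].upper()] = parts[1].strip()
    return opts


def effective_config(system_text, user_text):
    """Return (effective options, user-only keys dropped from the system file)."""
    effective, ignored = {}, []
    for key, value in parse_ldap_conf(system_text).items():
        if key in USER_ONLY:
            ignored.append(key)      # silently ignored by the library in the system file
        else:
            effective[key] = value
    effective.update(parse_ldap_conf(user_text))   # ~/.ldaprc overrides and may add user-only keys
    return effective, ignored


def lint(config, use_starttls=True, server_requests_client_cert=False):
    """Findings for the three points the thread turns on: CA trust, port, client certificate."""
    findings = []
    if "TLS_CACERT" not in config and "TLS_CACERTDIR" not in config:
        findings.append(FINDING_NO_CA)
    has_cert, has_key = "TLS_CERT" in config, "TLS_KEY" in config
    if has_cert != has_key:
        findings.append(FINDING_PAIR)
    if use_starttls and (config.get("PORT") == "636"
                         or config.get("URI", "").lower().startswith("ldaps://")):
        findings.append(FINDING_PORT)
    if server_requests_client_cert and not (has_cert and has_key):
        findings.append(FINDING_NO_CLIENT_CERT)
    return findings


def key_is_private(path):
    """True when the client key file is readable by its owner only (group/other bits clear)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


if __name__ == "__main__":
    cfg, dropped = effective_config(SYSTEM_LDAP_CONF, "")
    print("system file only; dropped:", dropped)
    print("  findings:", lint(cfg, server_requests_client_cert=True))
    cfg, _ = effective_config(SYSTEM_LDAP_CONF, USER_LDAPRC)
    print("with ~/.ldaprc; findings:", lint(cfg, server_requests_client_cert=True))
```

With only the system file, the two TLS_CERT/TLS_KEY lines are dropped and the linter reports the missing client certificate; once the same two lines are layered in from ~/.ldaprc the findings list is empty. Because ~/.ldaprc points at the private key the client presents, key_is_private is there to confirm that file is readable by its owner only, since any other local user who can read it can authenticate as that client.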

