ldaps does not authenticate
I'm trying to use OpenLDAP to authenticate over ldaps. I've created my
own certificate and added the following lines to my slapd.conf:
TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/servercrt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/serverkey.pem
I also added this line to my ldap.conf on the client's machine:
TLS_CACERT /usr/local/etc/openldap/cacert.pem
When I run the command slapd -d9 -h "ldaps:///" and try to authenticate on a Linux machine that has my generated certificate, I get the following error on the client:
##################################
[root@mymachine ~]# su testuser
su: incorrect password
[root@mymachine ~]#
####################################
The debug output during the transaction is:
############################################################
====> cache_return_entry_r( 1 ): returned (0)
=> id2entry_r( 18 )
====> cache_find_entry_id( 18 ) "uid=testuser,ou=Users,dc=TestDomain,dc=com" (found) (1 tries)
<= id2entry_r( 18 ) 0xf89f16f0 (cache)
=> send_search_entry: dn="uid=testuser,ou=Users,dc=TestDomain,dc=com"
ber_flush: 394 bytes to sd 8
<= send_search_entry
====> cache_return_entry_r( 18 ): returned (0)
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
send_ldap_result: conn=5 op=4 p=3
send_ldap_response: msgid=5 tag=101 err=0
ber_flush: 14 bytes to sd 8
daemon: activity on 1 descriptors
daemon: new connection on 15
daemon: added 15r
daemon: activity on:
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 15r
daemon: read activity on 15
connection_get(15): got connid=6
connection_read(15): checking for input on id=6
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(15): unable to get TLS client DN error=49 id=6
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 8r
daemon: read activity on 8
connection_get(8): got connid=5
connection_read(8): checking for input on id=5
ber_get_next
ber_get_next: tag 0x30 len 198 contents:
ber_get_next
ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable)
do_search
ber_scanf fmt ({miiiib) ber:
dnPrettyNormal: <dc=testdomain,dc=com>
=> ldap_bv2dn(dc=testdomain,dc=com,0)
<= ldap_bv2dn(dc=testdomain,dc=com,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=testdomain,dc=com,272)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=testdomain,dc=com,272)=0
<<< dnPrettyNormal: <dc=testdomain,dc=com>, <dc=testdomain,dc=com>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
==> limits_get: conn=5 op=5 dn="[anonymous]"
=> ldbm_back_search
dn2entry_r: dn: "dc=testdomain,dc=com"
=> dn2id( "dc=testdomain,dc=com" )
====> cache_find_entry_ndn2id("dc=testdomain,dc=com"): 1 (1 tries)
<= dn2id 1 (in cache)
=> id2entry_r( 1 )
====> cache_find_entry_id( 1 ) "dc=TestDomain,dc=com" (found) (1 tries)
<= id2entry_r( 1 ) 0xf8a237b8 (cache)
search_candidates: base="dc=testdomain,dc=com" s=2 d=0
=> filter_candidates
=> list_candidates 0xa0
=> filter_candidates
=> dn2idl( "@dc=testdomain,dc=com" )
<= filter_candidates 20
=> filter_candidates
=> list_candidates 0xa1
=> filter_candidates
=> equality_candidates
=> ldbm_cache_open( "objectClass.dbb", 73, 600 )
<= ldbm_cache_open (cache 3)
=> key_read
<= index_read 0 candidates
<= equality_candidates NULL
<= equality_candidates 0
<= filter_candidates 0
=> filter_candidates
=> list_candidates 0xa0
=> filter_candidates
=> equality_candidates
=> ldbm_cache_open( "objectClass.dbb", 73, 600 )
<= ldbm_cache_open (cache 3)
=> key_read
<= index_read 4 candidates
<= equality_candidates 4
<= filter_candidates 4
=> filter_candidates
=> equality_candidates
=> ldbm_cache_open( "uid.dbb", 73, 600 )
<= ldbm_cache_open (cache 4)
=> key_read
<= index_read 1 candidates
<= equality_candidates 1
<= filter_candidates 1
<= list_candidates 1
<= filter_candidates 1
<= list_candidates 1
<= filter_candidates 1
<= list_candidates 1
<= filter_candidates 1
====> cache_return_entry_r( 1 ): returned (0)
=> id2entry_r( 18 )
====> cache_find_entry_id( 18 ) "uid=testuser,ou=Users,dc=TestDomain,dc=com" (found) (1 tries)
<= id2entry_r( 18 ) 0xf89f16f0 (cache)
=> send_search_entry: dn="uid=testuser,ou=Users,dc=TestDomain,dc=com"
ber_flush: 394 bytes to sd 8
<= send_search_entry
====> cache_return_entry_r( 18 ): returned (0)
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
send_ldap_result: conn=5 op=5 p=3
send_ldap_response: msgid=6 tag=101 err=0
ber_flush: 14 bytes to sd 8
daemon: activity on 2 descriptors
daemon: activity on: 8r 15r
daemon: read activity on 8
connection_get(8): got connid=5
connection_read(8): checking for input on id=5
ber_get_next
ber_get_next on fd 8 failed errno=0 (Success)
connection_read(8): input error=-2 id=5, closing.
connection_closing: readying conn=5 sd=8 for close
connection_close: conn=5 sd=8
daemon: removing 8
TLS trace: SSL3 alert write:warning:close notify
daemon: read activity on 15
connection_get(15): got connid=6
connection_read(15): checking for input on id=6
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 15 failed errno=0 (Success)
connection_read(15): input error=-2 id=6, closing.
connection_closing: readying conn=6 sd=15 for close
connection_close: conn=6 sd=15
daemon: removing 15
TLS trace: SSL3 alert write:warning:close notify
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
##################################################################
The packet transaction during this time, as output by Ethereal:
####################################################################
No. Time Source Destination Protocol Info
1079 5.825733 172.16.5.84 172.16.5.109 TCP 1110 > ldaps [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=27335451 TSER=0 WS=2
1080 5.826043 172.16.5.109 172.16.5.84 TCP ldaps > 1110 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=4658052 TSER=27335451 WS=2
1081 5.826154 172.16.5.84 172.16.5.109 TCP 1110 > ldaps [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=27335452 TSER=4658052
1095 5.851707 172.16.5.84 172.16.5.109 SSLv2 Client Hello
1096 5.851995 172.16.5.109 172.16.5.84 TCP ldaps > 1110 [ACK] Seq=1 Ack=143 Win=5792 Len=0 TSV=4658126 TSER=27335477
1139 5.912199 172.16.5.109 172.16.5.84 TLS Server Hello, Certificate, Server Hello Done
1140 5.912418 172.16.5.84 172.16.5.109 TCP 1110 > ldaps [ACK] Seq=143 Ack=964 Win=7768 Len=0 TSV=27335538 TSER=4658249
1143 5.917665 172.16.5.84 172.16.5.109 TLS Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
1144 5.917866 172.16.5.109 172.16.5.84 TCP ldaps > 1110 [ACK] Seq=964 Ack=341 Win=6864 Len=0 TSV=4658254 TSER=27335543
1205 6.000107 172.16.5.109 172.16.5.84 TLS Change Cipher Spec, Encrypted Handshake Message
1206 6.000466 172.16.5.84 172.16.5.109 TLS Application Data, Application Data
1207 6.000871 172.16.5.109 172.16.5.84 TCP ldaps > 1110 [ACK] Seq=1023 Ack=431 Win=6864 Len=0 TSV=4658334 TSER=27335626
1242 6.083182 172.16.5.109 172.16.5.84 TLS Application Data, Application Data
1243 6.083653 172.16.5.84 172.16.5.109 TLS Application Data, Application Data
1244 6.083941 172.16.5.109 172.16.5.84 TCP ldaps > 1110 [ACK] Seq=1113 Ack=697 Win=7936 Len=0 TSV=4658425 TSER=27335709
1447 6.426646 172.16.5.109 172.16.5.84 TLS Application Data, Application Data
1470 6.453408 172.16.5.109 172.16.5.84 TLS Application Data, Application Data
1484 6.465891 172.16.5.84 172.16.5.109 TCP 1110 > ldaps [ACK] Seq=697 Ack=1661 Win=9692 Len=0 TSV=27336092 TSER=4658842
1854 8.705639 172.16.5.84 172.16.5.109 TLS Application Data, Application Data
1855 8.705922 172.16.5.109 172.16.5.84 TCP ldaps > 1110 [ACK] Seq=1661 Ack=963 Win=9008 Len=0 TSV=4661351 TSER=27338332
2024 8.986494 172.16.5.109 172.16.5.84 TLS Application Data, Application Data
2025 8.986656 172.16.5.84 172.16.5.109 TCP 1110 > ldaps [ACK] Seq=963 Ack=2119 Win=11620 Len=0 TSV=27338613 TSER=4661688
2067 9.042867 172.16.5.109 172.16.5.84 TLS Application Data, Application Data
2068 9.042957 172.16.5.84 172.16.5.109 TCP 1110 > ldaps [ACK] Seq=963 Ack=2209 Win=11620 Len=0 TSV=27338669 TSER=4661756
2069 9.043806 172.16.5.84 172.16.5.109 TLS Application Data, Application Data
2070 9.044165 172.16.5.109 172.16.5.84 TCP ldaps > 1110 [ACK] Seq=2209 Ack=1245 Win=9008 Len=0 TSV=4661761 TSER=27338670
2256 9.324858 172.16.5.109 172.16.5.84 TLS Application Data, Application Data
2272 9.356081 172.16.5.109 172.16.5.84 TLS Application Data, Application Data
2273 9.356172 172.16.5.84 172.16.5.109 TCP 1110 > ldaps [ACK] Seq=1245 Ack=2501 Win=13544 Len=0 TSV=27338983 TSER=4662090
2274 9.357729 172.16.5.84 172.16.5.109 TCP 1111 > ldaps [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=27338984 TSER=0 WS=2
2275 9.358104 172.16.5.109 172.16.5.84 TCP ldaps > 1111 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=4662124 TSER=27338984 WS=2
2276 9.358218 172.16.5.84 172.16.5.109 TCP 1111 > ldaps [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=27338985 TSER=4662124
2312 9.419008 172.16.5.84 172.16.5.109 SSLv2 Client Hello
2313 9.419283 172.16.5.109 172.16.5.84 TCP ldaps > 1111 [ACK] Seq=1 Ack=143 Win=5792 Len=0 TSV=4662253 TSER=27339045
2329 9.440490 172.16.5.109 172.16.5.84 TLS Server Hello, Certificate, Server Hello Done
2330 9.440697 172.16.5.84 172.16.5.109 TCP 1111 > ldaps [ACK] Seq=143 Ack=964 Win=7768 Len=0 TSV=27339067 TSER=4662276
2331 9.442980 172.16.5.84 172.16.5.109 TLS Alert (Level: Fatal, Description: Bad Certificate)
2354 9.476487 172.16.5.109 172.16.5.84 TCP ldaps > 1111 [FIN, ACK] Seq=964 Ack=150 Win=5792 Len=0 TSV=4662307 TSER=27339069
2371 9.516067 172.16.5.84 172.16.5.109 TCP 1111 > ldaps [ACK] Seq=150 Ack=965 Win=7768 Len=0 TSV=27339143 TSER=4662307
3107 14.123358 172.16.5.84 172.16.5.109 TLS Application Data, Application Data
3108 14.123807 172.16.5.109 172.16.5.84 TCP ldaps > 1110 [ACK] Seq=2501 Ack=1511 Win=9008 Len=0 TSV=4667507 TSER=27343751
3126 14.152014 172.16.5.109 172.16.5.84 TLS Application Data, Application Data
3131 14.158697 172.16.5.109 172.16.5.84 TLS Application Data, Application Data
3132 14.159480 172.16.5.84 172.16.5.109 TLS Application Data, Application Data
3133 14.159751 172.16.5.109 172.16.5.84 TCP ldaps > 1110 [ACK] Seq=3049 Ack=1793 Win=9008 Len=0 TSV=4667569 TSER=27343787
3187 14.276238 172.16.5.109 172.16.5.84 TLS Application Data, Application Data
3190 14.282391 172.16.5.109 172.16.5.84 TLS Application Data, Application Data
3213 14.315758 172.16.5.84 172.16.5.109 TCP 1110 > ldaps [ACK] Seq=1793 Ack=3341 Win=17396 Len=0 TSV=27343944 TSER=4667669
3914 18.604881 172.16.5.84 172.16.5.109 TCP 1111 > ldaps [FIN, ACK] Seq=150 Ack=965 Win=7768 Len=0 TSV=27348234 TSER=4662307
3915 18.604908 172.16.5.84 172.16.5.109 TCP 1111 > ldaps [RST, ACK] Seq=151 Ack=965 Win=7768 Len=0 TSV=27348234 TSER=4662307
3918 18.606095 172.16.5.84 172.16.5.109 TCP 1110 > ldaps [FIN, ACK] Seq=1793 Ack=3341 Win=17396 Len=0 TSV=27348235 TSER=4667669
3919 18.611358 172.16.5.109 172.16.5.84 TCP ldaps > 1111 [ACK] Seq=965 Ack=151 Win=5792 Len=0 TSV=4672667 TSER=27348234
3920 18.611469 172.16.5.84 172.16.5.109 TCP 1111 > ldaps [RST] Seq=151 Ack=518357715 Win=0 Len=0
3934 18.627992 172.16.5.109 172.16.5.84 TLS Encrypted Alert
3935 18.628094 172.16.5.84 172.16.5.109 TCP 1110 > ldaps [RST] Seq=1794 Ack=515703626 Win=0 Len=0
############################################################################################
I'm running Fedora Core 3, with $OpenLDAP: slapd 2.2.13
I've never used LDAP before, and I'm trying to build a secure communication channel between my LDAP server and other services that are going to use it, such as Samba.
Even when I use TLS/SSL instead of ldaps I get the same errors. I created the certificate using the appropriate DN and copied it to the client machines.
Can someone please tell me what I am doing wrong? I'll supply any additional info if you feel the information is insufficient.
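An added check, not part of the original post and not OpenLDAP's own code. In the capture above, the fatal Bad Certificate alert on the second connection (packet 2331, port 1111) is sent by 172.16.5.84, the client side, right after it receives the server's Certificate message, so it is the client's validation of the server certificate that fails, and the server's "unable to get TLS client DN error=49" is just the handshake being torn down. The script below reproduces that validation with the openssl command-line tool: it checks that the CA file the client trusts actually signs the server certificate, and that the certificate's subject CN matches the host named in the ldaps:// URI. The file names, the hostname ldap.testdomain.com and port 636 are assumptions; the throwaway CA it can mint is only so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenLDAP.
# Reproduces, with the openssl CLI, the checks an LDAP client makes on the
# server certificate before it will send an LDAP bind over ldaps://.
# File names and the hostname are assumptions; substitute your own.
set -eu

# 1. Does the CA file the client trusts (TLS_CACERT) sign the server cert?
#    The ": OK" line is matched instead of relying on the exit status, which
#    some older openssl releases left at 0 even when verification failed.
verify_chain() {
    ca="$1"; cert="$2"
    openssl verify -CAfile "$ca" "$cert" 2>&1 | grep -q ': OK$'
}

# Subject CN of a certificate, in RFC 2253 form so the output shape is the
# same across openssl versions ("subject=CN=host" or "subject= CN=host").
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/^subject= *//p' | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# 2. Does the certificate name the host the client connects to? The client
#    matches the URI hostname against the cert, falling back to the CN when
#    there is no subjectAltName, which is the case for a plain CN-only cert.
check_hostname() {
    cert="$1"; host="$2"
    [ "$(cert_cn "$cert")" = "$host" ]
}

# Live probe of a running server (needs a listener, so the offline test skips
# it): "Verify return code: 0 (ok)" means the client-side check passes.
probe_ldaps() {
    host="$1"; ca="$2"
    openssl s_client -connect "$host:636" -CAfile "$ca" </dev/null 2>&1 \
        | grep 'Verify return code'
}

# Mint a throwaway CA and a server cert whose CN is the ldaps hostname, so
# the checks can be exercised offline. $dir must already exist.
mint_test_pki() {
    dir="$1"; host="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/serverkey.pem" -out "$dir/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$dir/servercrt.pem" >/dev/null 2>&1
}

# Usage: sh ldaps_check.sh cacert.pem servercrt.pem ldap.testdomain.com
report() {
    ca="$1"; cert="$2"; host="$3"
    if verify_chain "$ca" "$cert"; then
        echo "chain:    OK"
    else
        echo "chain:    FAIL (client would abort with a Bad Certificate alert)"
    fi
    if check_hostname "$cert" "$host"; then
        echo "hostname: OK"
    else
        echo "hostname: FAIL (CN '$(cert_cn "$cert")' != '$host')"
    fi
}

if [ $# -eq 3 ]; then
    report "$1" "$2" "$3"
fi
```

Run it on the client, with the CA file and the server certificate the client actually uses; a "chain: FAIL" there reproduces what the capture shows. Note that the su test goes through pam_ldap, which reads its own ldap.conf (typically /etc/ldap.conf, directive tls_cacertfile) rather than the OpenLDAP library's ldap.conf where TLS_CACERT lives, so the CA file to pass to the check is the one that configuration names, not necessarily the one in /usr/local/etc/openldap.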