TLS/SSL error when authenticating

I'm trying to complete the LDAP setup to use TLS/SSL. It's already working without this feature, but I need it to run with TLS/SSL, and it isn't working. You can see the debugger's output below for the exact error that occurs.

My slapd.conf file is this:
##############################
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

TLSCertificateFile      /etc/openldap/cert/servercert.pem
TLSCertificateKeyFile   /etc/openldap/cert/serverkey.pem
TLSCACertificateFile    /etc/openldap/cert/cacert.pem

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        bdb
suffix          "dc=ldaptest,dc=batelco,dc=jo"
rootdn          "cn=Manager,dc=ldaptest,dc=batelco,dc=jo"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw                secret
rootpw                  {SSHA}6knlCh6UiA1U2EH9zgVCYddyT5wp/e7I

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com@EXAMPLE.COM
##########################################################################

My /etc/openldap/ldap.conf file is this:
#######################################
HOST 127.0.0.1
BASE dc=ldaptest,dc=batelco,dc=jo
TLS_CACERT /etc/openldap/cert/cacert.pem
#######################################

My client's (another Linux machine) ldap.conf file is this:
######################################
pam_password md5
port 636
host ldaptest.batelco.jo
base dc=ldaptest,dc=batelco,dc=jo
ssl on
TLS_CACERT /misc/cacert.pem
######################################

I'm running slapd on both port 389 and 636 using the command 'slapd -d79 -u ldap -h "ldap:/// ldaps:///"'. What I get from the debugger is the following:
##################################################
tls_read: want=5, got=5
0000: 15 03 01 00 02 .....
tls_read: want=2, got=2
0000: 02 30 .0
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1052
connection_read(16): TLS accept error error=-1 id=8, closing
connection_closing: readying conn=8 sd=16 for close
connection_close: conn=8 sd=16
daemon: removing 16
####################################################

The su command for a user in the LDAP returns the following:
>>[root@waka ~]# su test
>>su: incorrect password
>>[root@waka ~]#
The result "incorrect password" is given without entering a password.
I generated a CA using the OpenSSL tools. My server's FQDN is "ldaptest.batelco.jo" and the suffix in the LDAP slapd.conf is also "ldaptest.batelco.jo", so I generated the keys using that FQDN. I also followed the steps outlined in the OpenLDAP document "http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#4.0" and other FAQs and HOW-TOs. Can anyone please help me? I'm at the end of my rope.
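The fatal alert in the debug output above ("SSL3 alert read:fatal:unknown CA") is one that slapd read from the client, so it is the client's CA file that failed to verify the server's certificate. The shell script below is an added example, not code from the original post or from OpenLDAP: it builds a throwaway CA and server certificate with constructed names (ldaptest.example.invalid, Demo LDAP CA, Some Other CA) and shows the openssl checks that tell "this CA file did not issue the server certificate" apart from "the certificate does not match the hostname", plus a fingerprint comparison for confirming that the CA file copied to a client is the same one slapd uses.

```shell
#!/bin/sh
# Added example, not code from the original post. It builds a throwaway CA,
# a server certificate issued under it, and an unrelated CA (standing in for
# a stale CA file copied to a client), then shows the checks that separate
# "the client does not trust this CA" from "the name does not match".
# All names (ldaptest.example.invalid, Demo LDAP CA, ...) are constructed.
set -e
WORK=$(mktemp -d)

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no

[dn]
CN = Demo LDAP CA

[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign

[v3_server]
basicConstraints = CA:FALSE
subjectAltName   = DNS:ldaptest.example.invalid
EOF

# 1. The CA that really issues the server certificate (slapd's TLSCACertificateFile)
openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Demo LDAP CA" -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null

# 2. Server key + CSR for the FQDN, signed by that CA
#    (slapd's TLSCertificateFile / TLSCertificateKeyFile)
openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
  -subj "/CN=ldaptest.example.invalid" -keyout "$WORK/serverkey.pem" \
  -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/cacert.pem" \
  -CAkey "$WORK/cakey.pem" -CAcreateserial -extfile "$WORK/ca.cnf" \
  -extensions v3_server -out "$WORK/servercert.pem" 2>/dev/null

# 3. A correctly copied client CA file, and an unrelated CA (the "stale copy" case)
cp "$WORK/cacert.pem" "$WORK/client-cacert.pem"
openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Some Other CA" -keyout "$WORK/otherkey.pem" \
  -out "$WORK/other-cacert.pem" 2>/dev/null

# cert_chains_to_ca CAFILE CERTFILE: succeeds only if CERTFILE chains to CAFILE.
# A failure here is what a verifying client turns into the "unknown CA" alert.
cert_chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_matches_host CAFILE CERTFILE HOST: chain check plus hostname (SAN/CN)
# check, i.e. what a verifying client does with the name it connected to.
cert_matches_host() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# ca_fingerprint FILE: SHA-256 fingerprint, to compare the CA file on a client
# with the one slapd uses without reading the PEM by eye.
ca_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Demonstration: the same server certificate against both CA files
for ca in client-cacert.pem other-cacert.pem; do
  if cert_chains_to_ca "$WORK/$ca" "$WORK/servercert.pem"; then
    echo "$ca: issued the server certificate (client would trust it)"
  else
    echo "$ca: did NOT issue the server certificate (client would send 'unknown CA')"
  fi
done
if cert_matches_host "$WORK/cacert.pem" "$WORK/servercert.pem" ldaptest.example.invalid; then
  echo "hostname ldaptest.example.invalid matches the certificate"
fi
echo "server CA : $(ca_fingerprint "$WORK/cacert.pem")"
echo "client CA : $(ca_fingerprint "$WORK/client-cacert.pem")"
```

On a real deployment the same three checks are run with the server's own files in place of the generated ones: `openssl verify -CAfile <client's CA file> <server certificate>` against the CA file that actually sits on the client, `-verify_hostname` with the name the client uses in its `host` setting, and a fingerprint comparison of the client's CA file against the one slapd was started with.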