Re: OpenLDAP starts, but...
On Tuesday, March 15, 2005 22:13, Kurt D. Zeilenga wrote:
> I don't believe Pupeno has expressed this publicly yet.
> As far as I can tell, he's using s_client against slapd.
> Where's the evidence (or his statement) that s_client is
> working against s_server (on the systems he's having
> problems with)? If he's gotten s_client to work with
> s_server, and verify to report no errors... then he should
> say so.
I'm sorry, I've had some chat sessions with Quanah and I might have thought
I'd posted something that I didn't.
> And if s_client/s_server are working, what about ldapsearch(1)
> to s_server?
I haven't tried it. Let's see.
I start the server:
# openssl s_server -accept 1234 -cert /etc/ssl/certificate.pem -key /etc/ssl/privatekey.pem
Using default temp DH parameters
ACCEPT
I run ldapsearch:
# ldapsearch -x -H ldaps://master.pupeno.com:1234
the server says:
-----BEGIN SSL SESSION PARAMETERS-----
MHUCAQECAgMBBAIAOAQgWlBOzysTy23s7dCp0t3KMKXk4LtGT+8Hx0p6XyIoCDoE
MEcrHqRjqpNkTaR4kbZc5wzdX08SDJm7er6I+/6lD3qGiD9ozU9R9OsJyb/aoVs0
K6EGAgRCN5VrogQCAgEspAYEBAEAAAA=
-----END SSL SESSION PARAMETERS-----
Shared
ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:DHE-DSS-RC4-SHA:RC4-SHA:RC4-MD5:EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DES-CBC-SHA:EXP1024-RC2-CBC-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP1024-DHE-DSS-RC4-SHA:EXP1024-RC4-SHA:EXP1024-RC4-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
CIPHER is DHE-DSS-AES256-SHA
0
and that's all. Do you see anything wrong here?
Just for the record:
s_client -> s_server [works]
any browser -> apache [works]
s_client -> slapd [doesn't work]
ldapsearch -> slapd [doesn't work]
> > The OpenSSL verify command with the trusted CA from cacert.org works.
>
> Looks to me (from his OpenSSL post) that a verify command is
> returning errors.
I believe the errors are because there's no certification for cacert.pem;
well, after all, it's a root certificate, the chain starts somewhere. Or do
you know how to solve those errors? If I run the command this way:
# openssl verify -CAfile /etc/ssl/certs/cacert.pem -purpose sslserver -verbose /etc/ssl/certificate.pem
/etc/ssl/certificate.pem: OK
I don't get any error.
> >However, using the openssl client to request the cert from his OpenLDAP
> > server does not return a cert. Testing the same thing against my ldap
> > servers returned a cert.
>
> Well, if ldapsearch(1) works to s_server on his system, and
> works against your server, I'd guess his server runtime
> environment hosed. File permissions or something.
I had file permission problems with the key and the certificate before;
in that case, slapd doesn't even start.
Thank you.
--
Pupeno: pupeno@pupeno.com - http://pupeno.com
Reading Science Fiction ? http://sfreaders.com.ar
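The two local checks the thread keeps coming back to (does `openssl verify -purpose sslserver` accept the chain, and does the key actually belong to the certificate handed to the server) can be reproduced without any real server on a throwaway CA. The script below is an added example, not code from the thread or from OpenLDAP; it assumes the `openssl` command-line tool is on PATH, and every file name and subject in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: rebuild the verify check from the thread on a constructed CA.
# Assumes the openssl CLI is available. All files live in a temp directory.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a constructed root CA and a server certificate signed by it.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=master.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.pem" >/dev/null 2>&1
}

# The chain check from the thread. Passing the root via -CAfile makes it the
# trust anchor; with no -CAfile only the system store is consulted, so a
# private root is rejected with "unable to get local issuer certificate".
# The ": OK" text is checked rather than the exit status because old
# releases of openssl verify always exited 0. Prints OK or FAIL.
verify_chain() {   # $1 = CA file, or "" for no explicit trust anchor
  if [ -n "$1" ]; then set -- -CAfile "$1"; else set --; fi
  if openssl verify "$@" -purpose sslserver "$WORK/server.pem" 2>&1 \
       | grep -q ': OK$'; then
    echo OK
  else
    echo FAIL
  fi
}

# Confirm the private key given with -key matches the certificate given with
# -cert by comparing the public keys they contain. Prints yes or no.
key_matches_cert() {   # $1 = private key file, $2 = certificate file
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
  if [ -n "$k" ] && [ "$k" = "$c" ]; then echo yes; else echo no; fi
}

make_test_pki
echo "with CA file:    $(verify_chain "$WORK/ca.pem")"    # OK
echo "without CA file: $(verify_chain "")"                # FAIL
echo "server key/cert: $(key_matches_cert "$WORK/server.key" "$WORK/server.pem")"  # yes
```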