Re: TLS and GSSAPI problems
- To: openldap-software@OpenLDAP.org
- Subject: Re: TLS and GSSAPI problems
- From: Jiann-Ming Su <sujiannming@gmail.com>
- Date: Wed, 14 Sep 2005 11:51:40 -0400
- In-reply-to: <561dc326050909161979be8e5b@mail.gmail.com>
- References: <561dc326050909161979be8e5b@mail.gmail.com>
On 9/9/05, Jiann-Ming Su <sujiannming@gmail.com> wrote:
> I recently moved a test ldap server (Debian) from the public network
> to a private testing network. In doing so, I created new certificates
> and signed them with my testing CA. Before the move, both TLS and
> GSSAPI were working. Now, when I try to connect with TLS, I get the
> following:
>
> ldap:~# ldapsearch -x -b 'dc=chbe,dc=bogus' -ZZ
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> ldap:~# ldapsearch -x -b 'dc=chbe,dc=bogus' -Z
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> ldap_bind: Can't contact LDAP server (-1)
> additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> I've tested openssl with s_client and s_server, and the certificates
> work fine. I've updated my slapd.conf file to point to the new
> certificates.
>
Okay, the TLS problem was because I was missing the ldap.conf (ldap
client) file.
> Also, when I try to do a GSSAPI query, I get:
>
> ldap:~# ldapsearch -Y GSSAPI '(uid=some_user)'
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
> additional info: SASL(-1): generic failure: GSSAPI Error:
> Miscellaneous failure (No such file or directory)
>
This is because the /etc/krb5.keytab was missing.
> Other than updating the slapd.conf with dc=private,dc=domain and
> pointing to the new certificates, did I miss something obvious?
> Again, both TLS and GSSAPI were working before I moved the server into
> a private testing environment. Thanks for any tips.
>
My primary test server had crashed, and I guess my backup server
wasn't as identically configured as I had thought.
--
Jiann-Ming Su
"I have to decide between two equally frightening options.
If I wanted to do that, I'd vote." --Duckman