[Date Prev][Date Next] [Chronological] [Thread] [Top]

TLS with self signed certs

I am having issues getting TLS to work. Openldap was installed via RPMs from http://anorien.csc.warwick.ac.uk/mirrors/buchan/openldap/rhel4/

some output from /var/log/ldap2.3/ldap.log, I can include all the logs needed.

Sep 11 16:58:42 jaffa slapd2.3[16942]: daemon: read active on 15
Sep 11 16:58:42 jaffa slapd2.3[16942]: connection_get(15)
Sep 11 16:58:42 jaffa slapd2.3[16942]: connection_get(15): got connid=48
Sep 11 16:58:42 jaffa slapd2.3[16942]: connection_read(15): checking for input on id=48
Sep 11 16:58:42 jaffa slapd2.3[16942]: connection_read(15): unable to get TLS client DN, error=49 id=48
Sep 11 16:58:42 jaffa slapd2.3[16942]: conn=48 fd=15 TLS established tls_ssf=256 ssf=256
Sep 11 16:58:42 jaffa slapd2.3[16942]: daemon: select: listen=7 active_threads=0 tvp=zero
Sep 11 16:58:42 jaffa slapd2.3[16942]: daemon: select: listen=8 active_threads=0 tvp=zero
Sep 11 16:58:42 jaffa slapd2.3[16942]: daemon: select: listen=9 active_threads=0 tvp=zero
Sep 11 16:58:42 jaffa slapd2.3[16942]: daemon: select: listen=10 active_threads=0 tvp=zero
Sep 11 16:58:42 jaffa slapd2.3[16942]: daemon: activity on 1 descriptor
Sep 11 16:58:42 jaffa slapd2.3[16942]: daemon: activity on:
Sep 11 17:09:49 jaffa slapd2.3[16942]: 15r
Sep 11 17:09:49 jaffa slapd2.3[16942]:
Sep 11 17:09:49 jaffa slapd2.3[16942]: daemon: read active on 15
Sep 11 17:09:49 jaffa slapd2.3[16942]: connection_get(15)
Sep 11 17:09:49 jaffa slapd2.3[16942]: connection_get(15): got connid=58
Sep 11 17:09:49 jaffa slapd2.3[16942]: connection_read(15): checking for input on id=58
Sep 11 17:09:49 jaffa slapd2.3[16942]: connection_read(15): unable to get TLS client DN, error=49 id=58
Sep 11 17:09:49 jaffa slapd2.3[16942]: conn=58 fd=15 TLS established tls_ssf=256 ssf=256
Sep 11 17:09:49 jaffa slapd2.3[16942]: daemon: select: listen=7 active_threads=0 tvp=zero
Sep 11 17:09:49 jaffa slapd2.3[16942]: daemon: select: listen=8 active_threads=0 tvp=zero
Sep 11 17:09:49 jaffa slapd2.3[16942]: daemon: select: listen=9 active_threads=0 tvp=zero
Sep 11 17:09:49 jaffa slapd2.3[16942]: daemon: select: listen=10 active_threads=0 tvp=zero
Sep 11 17:09:49 jaffa slapd2.3[16942]: daemon: activity on 1 descriptor
Sep 11 17:09:49 jaffa slapd2.3[16942]: daemon: activity on:
Sep 11 17:09:49 jaffa slapd2.3[16942]: 15r
Sep 11 17:09:49 jaffa slapd2.3[16942]:
Sep 11 17:09:49 jaffa slapd2.3[16942]: daemon: read active on 15
Sep 11 17:09:49 jaffa slapd2.3[16942]: connection_get(15)
Sep 11 17:09:49 jaffa slapd2.3[16942]: connection_get(15): got connid=58
Sep 11 17:09:49 jaffa slapd2.3[16942]: connection_read(15): checking for input on id=58
Sep 11 17:09:49 jaffa slapd2.3[16942]: ber_get_next on fd 15 failed errno=11 (Resource temporarily unavailable)
Sep 11 17:09:49 jaffa slapd2.3[16942]: daemon: select: listen=7 active_threads=0 tvp=zero
Sep 11 17:09:49 jaffa slapd2.3[16942]: daemon: select


-------------------------

Servers slapd.conf file

include /usr/share/openldap2.3/schema/core.schema
include /usr/share/openldap2.3/schema/cosine.schema
include /usr/share/openldap2.3/schema/corba.schema
include /usr/share/openldap2.3/schema/inetorgperson.schema
include /usr/share/openldap2.3/schema/java.schema
include /usr/share/openldap2.3/schema/ppolicy.schema
include /usr/share/openldap2.3/schema/misc.schema
include /usr/share/openldap2.3/schema/nis.schema
include /usr/share/openldap2.3/schema/openldap.schema
include /usr/share/openldap2.3/schema/autofs.schema
include /usr/share/openldap2.3/schema/samba.schema
include /usr/share/openldap2.3/schema/kolab.schema
include /usr/share/openldap2.3/schema/evolutionperson.schema
include /usr/share/openldap2.3/schema/calendar.schema
include /usr/share/openldap2.3/schema/sudo.schema
include /usr/share/openldap2.3/schema/dnszone.schema
include /usr/share/openldap2.3/schema/dhcp.schema
include /etc/openldap2.3/schema/local.schema

include         /etc/openldap2.3/slapd.access.conf

access to dn.subtree="dc=nasaprs,dc=com"
 by self write
 by dn="cn=Manager,dc=nasaprs,dc=com" write
 by * read

access to dn.subtree="dc=nasaprs,dc=com"
 by self write
 by dn="cn=Replicator,dc=nasaprs,dc=com" write
 by * read

pidfile         /var/run/ldap2.3/slapd.pid
argsfile        /var/run/ldap2.3/slapd.args

modulepath      /usr/lib/openldap2.3/

allow bind_v2 bind_anon_dn

TLSRandFile            /dev/random
TLSCipherSuite         HIGH:MEDIUM:+SSLv2
TLSCertificateFile      /etc/openldap2.3/cert/servercrt.pem
TLSCertificateKeyFile   /etc/openldap2.3/cert/serverkey.pem
TLSCACertificateFile    /etc/openldap2.3/cert/cacert.pem

loglevel -1

#######################################################################
# database definitions
#######################################################################

database        bdb
suffix          "dc=nasaprs,dc=com"
rootdn          "cn=Manager,dc=nasaprs,dc=com"

rootpw          {SSHA}encypted secret password

directory       /var/lib/ldap2.3

checkpoint 256 5

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

access to attrs=shadowLastChange
         by dn="cn=Manager,dc=nasaprs,dc=com" write
         by self write
         by * read

replogfile /var/lib/ldap2.3/openldap-master-replog
replica uri=ldap://clango.ourdomain.com:389
      binddn="cn=Manager,dc=nasaprs,dc=com"
      bindmethod=simple credentials=secret password

---------------------------------
client ldap.conf file

Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
tls_cacertdir /etc/openldap/cacerts

-----------------------------------

Any ideas?

Thanks,
-John B

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature