[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Can't use SSL session
Using ldapsearch on a VMS system to attempt to do a directory lookup using
SSL to a non-OpenLDAP directory on another system. I verified the root CA
certificate is correct using:
$ openssl s_client -connect adtest:636 "-CAfile" test_root_ca.pem
My LDAP.CONF file contains:
TLS_CHECKPEER no
BIND_POLICY soft
TLS_REQCERT never
TLS_CACERT RAPTOR$DKA0:[OREILLY.KEYS]TEST_ROOT_CA.PEM
What happens is below:
$ ldapsearch "-ZZ" -p 636 -d 255 -s base -x -w xxxxxxxxx -v "-D"
"cn=Administrator,CN=Users,dc=altdomain2000,dc=psccos,dc=com"
-b"cn=Users,dc=altdomain2000,dc
=psccos,dc=com" -h adtest.altdomain2000.psccos.com
"(&(objectclass=user)(sAMAccountName=oreilly))"
ldap_initialize( ldap://adtest.altdomain2000.psccos.com:636 )
ldap_create
ldap_url_parse_ext(ldap://adtest.altdomain2000.psccos.com:636)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP adtest.altdomain2000.psccos.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.0.27:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x0043ba98 ptr=0x0043ba98 end=0x0043bab7 len=31
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ber_scanf fmt ({) ber:
ber_dump: buf=0x0043ba98 ptr=0x0043ba9d end=0x0043bab7 len=26
0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1.
0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037
ber_flush: 31 bytes to sd 3
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_write: want=31, written=31
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_result ld 43B028 msgid 1
ldap_chkResponseList ld 43B028 msgid 1 all 1
ldap_chkResponseList returns ld 43B028 NULL
wait4msg ld 43B028 msgid 1 (infinite timeout)
wait4msg continue ld 43B028 msgid 1 all 1
** ld 43B028 Connections:
* host: adtest.altdomain2000.psccos.com port: 636 (default)
refcnt: 2 status: Connected
last used: Thu Oct 5 16:32:20 2006
** ld 43B028 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 43B028 Response Queue:
Empty
ldap_chkResponseList ld 43B028 msgid 1 all 1
ldap_chkResponseList returns ld 43B028 NULL
ldap_int_select
read1msg: ld 43B028 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=0
ber_get_next failed.
ldap_perror
ldap_start_tls: Can't contact LDAP server (-1)
Any ideas? I've been pulling my hair out over this for a couple weeks
now. If I do this same search using port 389 and no SSL it works correctly.
------
+-------------------------------+----------------------------------------+
| Dan O'Reilly | "There are 10 types of people in this |
| Principal Engineer | world: those who understand binary |
| Process Software | and those who don't." |
| http://www.process.com | |
+-------------------------------+----------------------------------------+