Re: ldap_tls call failed: Can't contact LDAP server

On Jan 16, 2008, at 9:06 AM, Digambar Sawant wrote:

Problem Definition:

I have following sets of files on a linux host where my server is running.
Again, I am trying ldapsearch command on same linux machine.

Certificate files on Server machine:
ls -l /etc/openldap/CERTS/
-rwxrwxrwx    1 root     root          1265 Jan 16 18:04 cacert.pem
-rwxrwxrwx    1 root     root          3604 Jan 16 18:05 servercrt.pem
-rwxrwxrwx    1 root     root          1664 Jan 16 18:05 serverkey.pem
--------------------------------------------------------------

cat ldap.conf: /etc/openldap/ldap.conf
HOST 127.0.0.1
PORT 636
TLS_CACERTDIR /etc/openldap/CERTS/
TLS_CACERT /etc/openldap/CERTS/cacert.pem
TLS_REQCERT demand
BASE dc=example,dc=com
--------------------------------------------------------------

cat slapd.conf : /etc/openldap/slapd.conf
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/redhat/rfc822-MailMember.schema
include         /etc/openldap/schema/redhat/autofs.schema
include         /etc/openldap/schema/redhat/kerberosobject.schema

access to *
by self write
by users read
by anonymous auth

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/CERTS/cacert.pem
TLSCertificateFile /etc/openldap/CERTS/servercrt.pem
TLSCertificateKeyFile /etc/openldap/CERTS/serverkey.pem

database        ldbm
suffix          "dc=my-domain,dc=com"
rootdn          "cn=Manager,dc=my-domain,dc=com"
directory       /var/lib/ldap
index   objectClass,uid,uidNumber,gidNumber,memberUid eq
index   cn,mail,surname,givenname                       eq,subinitial
--------------------------------------------------------------

Started ldap server with:
1. /usr/sbin/slapd -f /etc/openldap/slapd.conf -d 127 -h ldaps:/// &

2. netstat shows that server is listening on port 636
netstat -antp | grep slapd
tcp        0      0 0.0.0.0:636              0.0.0.0:*               LISTEN      14512/slapd

When I executed follwing command on same server machine (linux host):
ldapsearch -ZZ "CERTS/cacert.pem" -h 192.168.6.146 -p 636 -b "dc=my-domain,dc=com" -d 127

It gave error logs as below:

#ldapsearch -ZZ "CERTS/cacert.pem" -h 192.168.6.146 -p 636 -b "dc=my-domain,dc=com" -d 127
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: 192.168.6.146
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.6.146:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 31 bytes to sd 3
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_write: want=31, written=31
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: 192.168.6.146 port: 636 (default)
refcnt: 2 status: Connected
last used: Wed Jan 16 22:11:12 2008

** Outstanding Requests:
* msgid 1, origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
do_ldap_select
read1msg: msgid 1, all 1
ber_get_next
ldap_read: want=1, got=0

ber_get_next failed.
ldap_perror
ldap_start_tls: Can't contact LDAP server

TRIAL 2
Start server with start_ssl
1. /usr/sbin/slapd -f /etc/openldap/slapd.conf -d 127 start_ssl &

Here netstat shows that server is listening on 389 and not 636

# netstat -antp | grep slapd
tcp        0      0 0.0.0.0:389              0.0.0.0:*               LISTEN      14529/slapd

When executed following command on same linux host (where server is running)

2. #ldapsearch -Z "CERTS/cacert.pem" -h 192.168.6.146 -p 389 -b "dc=my-domain,dc=com" -d 5
It gave

ldap_msgfree
ldap_interactive_sasl_bind_s: server supports: GSSAPI PLAIN LOGIN
ldap_int_sasl_bind: GSSAPI PLAIN LOGIN
ldap_perror
ldap_sasl_interactive_bind_s: Local error
[root@tb01-03-dp02 openldap]# ldaps

Thanks,

Digambar

On Jan 16, 2008 7:09 PM, Chris G. Sellers <chris.sellers@nitle.org> wrote:

Run your openldap server with debugging turned on (-d option) and
check the output. Read the man slapd.conf for the different values of
the -d flag and then see if you see why your connection is failing.
Post those results here if you don't see the obvious root cause.

Sellers

On Jan 16, 2008, at 1:37 AM, Digambar Sawant wrote:

> Hi,
>
> I want to establish secure ldap connection.
> I have tried following:
>
> 1. ldap_init
> 2. ldap_set_option( pLdapObj, LDAP_OPT_X_TLS_CACERTFILE, "/tmp/
> certficate.cert"
> 3. iRetCode = ldap_start_tls_s(pLdapObj, NULL, NULL);
>
> Here 3. ldap_start_tls_s failed with error: "Can't contact LDAP
> server".
>
> What is wrong here? Are there any more steps to make it work?
> Please help me.
>
> Thanks,
> Digambar
>

______________________________________________
Chris G. Sellers | NITLE Technology
734.661.2318 | chris.sellers@nitle.org
AIM: imthewherd | GTalk: cgseller@gmail.com

______________________________________________

Chris G. Sellers | NITLE Technology

734.661.2318 | chris.sellers@nitle.org

AIM: imthewherd | GTalk: cgseller@gmail.com