[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: ldap_tls call failed: Can't contact LDAP server
On Wednesday 16 January 2008 16:06:38 Digambar Sawant wrote:
> Problem Definition:
>
> I have following sets of files on a linux host where my server is running.
> Again, I am trying ldapsearch command on same linux machine.
>
> *Certificate files on Server machine:*
> ls -l /etc/openldap/CERTS/
> -rwxrwxrwx 1 root root 1265 Jan 16 18:04 cacert.pem
> -rwxrwxrwx 1 root root 3604 Jan 16 18:05 servercrt.pem
> -rwxrwxrwx 1 root root 1664 Jan 16 18:05 serverkey.pem
>
> --------------------------------------------------------------
> *cat ldap.conf: */etc/openldap/ldap.conf**
> HOST 127.0.0.1
You can save typing by setting this, or URI, correctly.
> PORT 636
This isn't going to do much for you ^^^. You may rather want to set URI.
Please see the man page ('man ldap.conf').
> TLS_CACERTDIR /etc/openldap/CERTS/
> TLS_CACERT /etc/openldap/CERTS/cacert.pem
I would recommend you use only one of the above two options, to reduce
confusion.
> TLS_REQCERT demand
> BASE dc=example,dc=com
[...]
> TLSCACertificateFile /etc/openldap/CERTS/cacert.pem
> TLSCertificateFile /etc/openldap/CERTS/servercrt.pem
> TLSCertificateKeyFile /etc/openldap/CERTS/serverkey.pem
[...]
> database ldbm
Bad idea ^^^.
> suffix "dc=my-domain,dc=com"
> rootdn "cn=Manager,dc=my-domain,dc=com"
> directory /var/lib/ldap
> index objectClass,uid,uidNumber,gidNumber,memberUid eq
> index cn,mail,surname,givenname eq,subinitial
[...]
> *Started ldap server with:*
> 1. /usr/sbin/slapd -f /etc/openldap/slapd.conf -d 127 -h ldaps:/// &
> 2. netstat shows that server is listening on port 636
> netstat -antp | grep slapd
> tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN
> 14512/slapd
>
> When I executed follwing command on same server machine (linux host):
>
> ldapsearch -ZZ "CERTS/cacert.pem" -h 192.168.6.146 -p 636 -b
> "dc=my-domain,dc=com" -d 127
1)Under your current configuration, this requires that the server has a
certificate with the subject's CN=192.168.6.146, or that this IP is in the
subjAltName extension on the certificate. If, instead, there is a hostname as
the CN, then you should use the hostname wherever you want to specify a
connection, and ensure your name resolution takes care of connecting to the
correct IP address.
Please show the output from:
$ openssl x509 -noout -subject -in /etc/openldap/CERTS/servercrt.pem
It should match whatever you use after -h or -H ldaps://
2)You shouldn't use -Z (or -ZZ) on a port already running SSL/TLS. Instead use
an ldaps URI (-H ldaps://name.on.cert).
3)"CERTS/cacert.pem" must be removed, you can't specify and certificate
filenames via commandline options.
> It gave error logs as below:
>
> #ldapsearch -ZZ "CERTS/cacert.pem" -h 192.168.6.146 -p 636 -b
> "dc=my-domain,dc=com" -d 127*
> *ldap_start_tls: Can't contact LDAP server*
This is the correct behaviour ...
> *TRIAL 2*
>
> *Start server with start_ssl*
>
> 1. /usr/sbin/slapd -f /etc/openldap/slapd.conf -d 127 *start_ssl* &
?????
There should be no *start_ssl* in your commandline. If slapd has been
configured with SSL certificates correctly, starting it up without any
specific options will enable START_TLS.
> Here netstat shows that server is listening on 389 and not 636
> # netstat -antp | grep slapd
>
> tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
> 14529/slapd
You can have both in fact ... but listening on 389 does not confirm the
START_TLS is configured correctly.
> When executed following command on same linux host (where server is
> running)
>
> 2. #ldapsearch -Z "CERTS/cacert.pem" -h 192.168.6.146 -p 389 -b
> "dc=my-domain,dc=com" -d 5
1)Same issue as above with certificate's subjectDN and hostname etc.
2)Same issue regarding "CERTS/cacert.pem".
> *ldap_interactive_sasl_bind_s: server supports: GSSAPI PLAIN LOGIN*
> *ldap_int_sasl_bind: GSSAPI PLAIN LOGIN*
> *ldap_perror*
> *ldap_sasl_interactive_bind_s: Local error*
> *[root@tb01-03-dp02 openldap]# ldaps*
You forgot -x.
Regards,
Buchan