Hello, I'm trying to configure an openldap with TLS so that all connections are encrypted. Here's the revelent part of my slapd.conf: TLSCipherSuite HIGH:MEDIUM:+SSLv3 TLSVerifyClient never TLSCertificateFile /etc/ldap/ssl/server.crt TLSCertificateKeyFile /etc/ldap/ssl/server.key Here's my ldap.conf: URI ldaps://my.server.ltd BASE dc=my,dc=server,dc=ltd LDAP_VERSION 3 #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never ssl start_tls ssl on TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3 While starting slapd with: slapd -h 'ldaps:///' -g openldap -u openldap -d 16383 and trying to connect to it with: ldapsearch -Z -d 16383 -LLL -b cn=admin,dc=my,dc=server,dc=ltd -w "foo.bar" -S cn -h my.server.ltd -p 636 cn I have these logs : [slapd] daemon: activity on 1 descriptor >>> slap_listener(ldaps:///)daemon: listen=7, new connection on 11 ldap_pvt_gethostbyname_a: host=my, r=0 daemon: added 11r (active) listener=(nil) conn=0 fd=11 ACCEPT from IP=xx.yy.zz.aa:38806 (IP=0.0.0.0:636) daemon: select: listen=6 active_threads=0 tvp=NULL daemon: select: listen=7 active_threads=0 tvp=NULL daemon: activity on 1 descriptor daemon: activity on: 11r daemon: read activity on 11 connection_get(11) connection_get(11): got connid=0 connection_read(11): checking for input on id=0 TLS trace: SSL_accept:before/accept initialization tls_read: want=11, got=11 0000: 30 3e 02 01 01 63 39 04 00 0a 01 0>...c9.... TLS trace: SSL_accept:error in SSLv2/v3 read client hello A TLS: can't accept. TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:562 connection_read(11): TLS accept failure error=-1 id=0, closing connection_closing: readying conn=0 sd=11 for close connection_close: conn=0 sd=11 daemon: removing 11 conn=0 fd=11 closed (TLS negotiation failure) daemon: select: listen=6 active_threads=0 tvp=NULL daemon: select: listen=7 active_threads=0 tvp=NULL daemon: activity on 1 descriptor daemon: waked daemon: select: listen=6 active_threads=0 tvp=NULL daemon: select: listen=7 active_threads=0 tvp=NULL [ldapsearch] ldap_create ldap_url_parse_ext(ldap://my.server.ltd:636) ldap_pvt_sasl_getmech ldap_search put_filter: "(objectclass=*)" put_filter: simple put_simple_filter: "objectclass=*" ldap_build_search_req ATTRS: supportedSASLMechanisms ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP my.server.ltd:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying xx.yy.zz.aa:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_dump: buf=0xb92b6d68 ptr=0xb92b6d68 end=0xb92b6da8 len=64 0000: 30 3e 02 01 01 63 39 04 00 0a 01 00 0a 01 00 02 0>...c9......... 0010: 01 00 02 01 00 01 01 00 87 0b 6f 62 6a 65 63 74 ..........object 0020: 63 6c 61 73 73 30 19 04 17 73 75 70 70 6f 72 74 class0...support 0030: 65 64 53 41 53 4c 4d 65 63 68 61 6e 69 73 6d 73 edSASLMechanisms ber_scanf fmt ({) ber: ber_dump: buf=0xb92b6d68 ptr=0xb92b6d6d end=0xb92b6da8 len=59 0000: 63 39 04 00 0a 01 00 0a 01 00 02 01 00 02 01 00 c9.............. 0010: 01 01 00 87 0b 6f 62 6a 65 63 74 63 6c 61 73 73 .....objectclass 0020: 30 19 04 17 73 75 70 70 6f 72 74 65 64 53 41 53 0...supportedSAS 0030: 4c 4d 65 63 68 61 6e 69 73 6d 73 LMechanisms ber_flush2: 64 bytes to sd 3 0000: 30 3e 02 01 01 63 39 04 00 0a 01 00 0a 01 00 02 0>...c9......... 0010: 01 00 02 01 00 01 01 00 87 0b 6f 62 6a 65 63 74 ..........object 0020: 63 6c 61 73 73 30 19 04 17 73 75 70 70 6f 72 74 class0...support 0030: 65 64 53 41 53 4c 4d 65 63 68 61 6e 69 73 6d 73 edSASLMechanisms ldap_write: want=64, written=64 0000: 30 3e 02 01 01 63 39 04 00 0a 01 00 0a 01 00 02 0>...c9......... 0010: 01 00 02 01 00 01 01 00 87 0b 6f 62 6a 65 63 74 ..........object 0020: 63 6c 61 73 73 30 19 04 17 73 75 70 70 6f 72 74 class0...support 0030: 65 64 53 41 53 4c 4d 65 63 68 61 6e 69 73 6d 73 edSASLMechanisms ldap_result ld 0xb92ae158 msgid 1 wait4msg ld 0xb92ae158 msgid 1 (infinite timeout) wait4msg continue ld 0xb92ae158 msgid 1 all 1 ** ld 0xb92ae158 Connections: * host: my.server.ltd port: 636 (default) refcnt: 2 status: Connected last used: Wed Jul 7 12:11:03 2010 ** ld 0xb92ae158 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0xb92ae158 request count 1 (abandoned 0) ** ld 0xb92ae158 Response Queue: Empty ld 0xb92ae158 response count 0 ldap_chkResponseList ld 0xb92ae158 msgid 1 all 1 ldap_chkResponseList returns ld 0xb92ae158 NULL ldap_int_select read1msg: ld 0xb92ae158 msgid 1 all 1 ber_get_next ldap_read: want=8, got=0 ber_get_next failed. ldap_err2string ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) I really don't know what to do. My certificates are correct I guess, as we're using them in apache for https... For information, they are self-signed. Any help would be great. Thank you! Best regards, C. -- Cédric Jeanneret | System Administrator 021 619 10 32 | Camptocamp SA cedric.jeanneret@camptocamp.com | PSE-A / EPFL
Attachment:
signature.asc
Description: PGP signature