[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: fedora and openldap



I changed the ldap.conf file in the client so instead of TLS_CACERTDIR now I'm using TLC_CACERT <file.pem>
and the error now is this one:
# ldapsearch -x -d1 #it's the same error if I set -H server
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP curri0.imppc.local:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.19.5.13:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: error: connect - force handshake failure -1 - error -8054:Unknown code ___f 138
TLS: can't connect: .
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

and the server says:
slap_listener_activate(8):
>>> slap_listener(ldaps://curri0.imppc.local:636)
connection_get(12): got connid=1034
connection_read(12): checking for input on id=1034
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=1034
connection_read(12): checking for input on id=1034
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate.
connection_read(12): TLS accept failure error=-1 id=1034, closing
connection_close: conn=1034 sd=12

I can't understand why the server complains about a bad certificate, when the client certificate was generated there :O by the openssl libraries.

As said, thanks a lot for your time,
j

On 4/12/11 9:33 PM, Quanah Gibson-Mount wrote:
--On Tuesday, April 12, 2011 9:14 PM +0200 Judith Flo Gaya<jflo@imppc.org>
wrote:

Hello Quanah,
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: could not initialize moznss using security dir /etc/openldap/cacerts
It sounds to me like you linked it against MozNSS instead of OpenSSL.  I
would suggest you rebuild it with --with-tls=openssl

--Quanah


--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration