Re: Using NSS
- To: openldap-technical@openldap.org
- Subject: Re: Using NSS
- From: Braden McDaniel <braden@endoframe.com>
- Date: Thu, 27 Oct 2011 14:05:58 -0400
- In-reply-to: <4EA96E4E.9050107@gmail.com>
- References: <1319684004.6318.462.camel@rail.endoframe.net> <20111027032848.GA4396@dan.olp.net> <1319726271.6318.474.camel@rail.endoframe.net> <4EA96E4E.9050107@gmail.com>
On Thu, 2011-10-27 at 08:44 -0600, Rich Megginson wrote:
[snip]
> What is your /etc/openldap/ldap.conf?
That question led me to a bogus setting for TLS_CACERTDIR. First, I
tried simply commenting the line out, figuring the value of
olcTLSCACertificatePath in cn=config.ldif would be used. That produced
this:
# ldapsearch -H ldaps://rail -b dc=endoframe,dc=net -x -d1
ldap_url_parse_ext(ldaps://rail)
ldap_create
ldap_url_parse_ext(ldaps://rail:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP rail:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: error: tlsm_PR_Recv returned 0 - error 21:Is a directory
TLS: error: connect - force handshake failure: errno 21 - moznss error -5938
TLS: can't connect: TLS error -5938:Encountered end of file.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
So, instead, I set the value of TLS_CACERTDIR to match that of
olcTLSCACertificatePath. ldap.conf now looks like this:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
URI ldap://rail.endoframe.net/
BASE dc=endoframe,dc=net
TLS_CACERTDIR /etc/pki/nssdb
That still doesn't do the trick, but it did change the error message:
# ldapsearch -H ldaps://rail -b dc=endoframe,dc=net -x -d1
ldap_url_parse_ext(ldaps://rail)
ldap_create
ldap_url_parse_ext(ldaps://rail:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP rail:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: using moznss security dir /etc/pki/nssdb prefix .
TLS: error: tlsm_PR_Recv returned 0 - error 17:File exists
TLS: error: connect - force handshake failure: errno 17 - moznss error -5938
TLS: can't connect: TLS error -5938:Encountered end of file.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
--
Braden McDaniel <braden@endoframe.com>
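A small client-side check for the situation in this thread, added here as an example and not code from the thread, from OpenLDAP or from NSS. ldapsearch and the rest of libldap take their TLS settings from ldap.conf (plus ~/.ldaprc and the LDAPTLS_* environment variables), not from slapd's olcTLS* attributes in cn=config, so commenting TLS_CACERTDIR out of the client file leaves the MozNSS backend with no certificate database at all. The script below reads the active TLS_CACERTDIR from an ldap.conf, checks that the directory actually holds an NSS cert/key database, and pulls the MozNSS error code out of "ldapsearch -d1" output. Assumptions, labelled as such: the ldap.conf line has the form "TLS_CACERTDIR <dir>" with '#' comment lines; the database sits directly in that directory as cert8.db/key3.db (legacy dbm format) or cert9.db/key4.db (sqlite format); and the debug line of interest contains "moznss error -NNNN". The directory, files and conf it demonstrates on are constructed in a temp dir.

```shell
#!/bin/sh
# Added example: sanity-check the TLS_CACERTDIR a MozNSS-built libldap
# client will use. Not code from the thread, OpenLDAP or NSS.
# Assumptions: "TLS_CACERTDIR <dir>" lines with '#' comments; NSS db files
# directly in the directory (cert8.db/key3.db or cert9.db/key4.db);
# debug output containing "moznss error -NNNN".

# Print the active TLS_CACERTDIR from an ldap.conf; prints nothing if unset.
# Commented lines ("#TLS_CACERTDIR ...") do not match because '#' is part of $1.
ldapconf_cacertdir() {
    awk '$1 == "TLS_CACERTDIR" { print $2; exit }' "$1"
}

# Classify a directory: dbm, sqlite, empty (dir without NSS files) or missing.
# Exit status is 0 only when an NSS database was found.
nssdb_kind() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo missing
        return 1
    fi
    if [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; then
        echo sqlite
        return 0
    fi
    if [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ]; then
        echo dbm
        return 0
    fi
    echo empty
    return 1
}

# Pull the first MozNSS error code (e.g. -5938) out of "ldapsearch -d1"
# output read from stdin; prints nothing if no such line is present.
moznss_error_code() {
    sed -n 's/.*moznss error \(-[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Whole check for one ldap.conf: prints "ok <kind> <dir>" or "FAIL <reason>".
check_ldapconf_tls() {
    conf=$1
    dir=$(ldapconf_cacertdir "$conf")
    if [ -z "$dir" ]; then
        echo "FAIL TLS_CACERTDIR not set in $conf (clients do not read slapd's olcTLSCACertificatePath)"
        return 1
    fi
    kind=$(nssdb_kind "$dir") || :
    if [ "$kind" = dbm ] || [ "$kind" = sqlite ]; then
        echo "ok $kind $dir"
        return 0
    fi
    echo "FAIL $dir: $kind (no NSS cert/key database found)"
    return 1
}

# Demonstration on constructed input; nothing on the real system is touched.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/nssdb"
touch "$demo_dir/nssdb/cert8.db" "$demo_dir/nssdb/key3.db"   # stand-ins for a legacy NSS db
printf 'BASE dc=example,dc=net\nTLS_CACERTDIR %s\n' "$demo_dir/nssdb" > "$demo_dir/ldap.conf"
check_ldapconf_tls "$demo_dir/ldap.conf"
printf 'BASE dc=example,dc=net\n' > "$demo_dir/unset.conf"
check_ldapconf_tls "$demo_dir/unset.conf" || :
printf 'TLS: error: connect - force handshake failure: errno 17 - moznss error -5938\n' | moznss_error_code
rm -rf "$demo_dir"
```

Run it as-is to see the three outcomes, or source the file and point check_ldapconf_tls at the real /etc/openldap/ldap.conf; an "empty" verdict on an existing directory is the case to look at first, since MozNSS will open the directory and then fail inside the handshake rather than report a missing database up front.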