
Re: Using NSS



On Thu, 2011-10-27 at 13:55 -0600, Rich Megginson wrote:
> On 10/27/2011 12:05 PM, Braden McDaniel wrote:
> > On Thu, 2011-10-27 at 08:44 -0600, Rich Megginson wrote:
> >
> > [snip]
> >
> >> What is your /etc/openldap/ldap.conf?
> > That question led me to a bogus setting for TLS_CACERTDIR.  First, I
> > tried simply commenting the line out, figuring the value of
> > olcTLSCACertificatePath in cn=config.ldif would be used.
> 
> No, the client cannot use cn=config.ldif - that is for the server only.
> The server cannot use ldap.conf - that is for the client only.

Okay... With this in mind, I changed ldap.conf to use TLS_CACERT to
point to a .pem file as generated by:

        # certutil -d /etc/pki/nssdb -L -n "endoframe" -a > endoframe.pem

That gets me here:

        # ldapsearch -H ldaps://rail -b dc=endoframe,dc=net -x -d1
        ldap_url_parse_ext(ldaps://rail)
        ldap_create
        ldap_url_parse_ext(ldaps://rail:636/??base)
        ldap_sasl_bind
        ldap_send_initial_request
        ldap_new_connection 1 1 0
        ldap_int_open_connection
        ldap_connect_to_host: TCP rail:636
        ldap_new_socket: 3
        ldap_prepare_socket: 3
        ldap_connect_to_host: Trying ::1 636
        ldap_pvt_connect: fd: 3 tm: -1 async: 0
        TLS: loaded CA certificate file /etc/openldap/cacerts/endoframe.pem.
        TLS: error: tlsm_PR_Recv returned 0 - error 21:Is a directory
        TLS: error: connect - force handshake failure: errno 21 - moznss error -5938
        TLS: can't connect: TLS error -5938:Encountered end of file.
        ldap_err2string
        ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

> Never seen that - I have no idea why you would get an EEXIST at this 
> point in the code.  I suggest turn on debugging on the server and see 
> what it thinks is happening.

There were apparently some selinux issues that accounted for the
previous errors.  Once those were resolved, the above search yields this
from the server (run with -d1):

        slap_listener_activate(10): 
        >>> slap_listener(ldaps:///)
        connection_get(14): got connid=1000
        connection_read(14): checking for input on id=1000
        TLS: using moznss security dir /etc/pki/nssdb prefix .
        TLS: certificate [CN=Endoframe] is not valid - error -8102:Unknown code ___f 90.
        TLS: error: unable to find and verify server's cert and key for certificate endoframe
        TLS: error: could not initialize moznss security context - error -8102:Unknown code ___f 90
        TLS: can't create ssl handle.
        connection_read(14): TLS accept failure error=-1 id=1000, closing
        connection_close: conn=1000 sd=14

So I screwed up the certificate.  I'm just not sure how.

-- 
Braden McDaniel <braden@endoframe.com>
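For the two failure modes in this thread, here is an added diagnostic script (not from any of the posts): it checks that TLS_CACERT and TLS_CACERTDIR in ldap.conf point at the right kind of filesystem object (errno 21 is EISDIR, so a setting that names a directory where a file is expected would produce exactly the client-side error above) and validates the server certificate for the SSL-server usage with certutil -V -u V, since NSS error -8102 (offset 90 from the NSS error base) is SEC_ERROR_INADEQUATE_KEY_USAGE. The paths and the nickname "endoframe" are taken from the thread; the function names are mine.

```shell
#!/bin/sh
# Diagnostic helpers for OpenLDAP + Mozilla NSS TLS setup (added example).
# Assumed defaults from the thread: ldap.conf at /etc/openldap/ldap.conf,
# NSS database at /etc/pki/nssdb, server cert nickname "endoframe".

# Print the value of an ldap.conf directive (first match; commented-out
# lines such as "#TLS_CACERTDIR ..." do not match because $1 is "#TLS_...").
ldapconf_get() {  # $1 = ldap.conf path, $2 = directive name (upper case)
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Return 0 if the client CA settings are sane, 1 if something is wrong:
# TLS_CACERT must be a regular PEM file, TLS_CACERTDIR a directory.
check_client_ca() {  # $1 = ldap.conf path
    cacert=$(ldapconf_get "$1" TLS_CACERT)
    cadir=$(ldapconf_get "$1" TLS_CACERTDIR)
    status=0
    if [ -n "$cacert" ] && [ ! -f "$cacert" ]; then
        echo "TLS_CACERT=$cacert is not a regular file (expect errno 21 EISDIR if it is a directory)"
        status=1
    fi
    if [ -n "$cadir" ] && [ ! -d "$cadir" ]; then
        echo "TLS_CACERTDIR=$cadir is not a directory"
        status=1
    fi
    return $status
}

# Ask NSS whether the server cert validates for the SSL-server usage (-u V).
# A failing result with "inadequate key usage" matches slapd's -8102 error.
# Returns 2 when certutil is not installed.
check_server_cert() {  # $1 = NSS db dir, $2 = cert nickname
    command -v certutil >/dev/null 2>&1 || { echo "certutil not installed"; return 2; }
    certutil -d "$1" -V -n "$2" -u V
}

# Typical use on the hosts from the thread (run by hand, not at load time):
#   check_client_ca /etc/openldap/ldap.conf
#   check_server_cert /etc/pki/nssdb endoframe
```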