
Re: OpenLDAP client and SSL handshake



On 03/20/2012 04:51 PM, Jon Dufresne wrote:
> Hi,
>
> I am using OpenLDAP as a client to connect to a 3rd party Oracle
> Internet Directory 10g.
>
> After recent updates, I have been unable to successfully bind with the
> LDAP server. I believe this is an error with the SSL handshake because
> the following command will not negotiate an SSL protocol:
>
> $ openssl s_client -connect HOST:636
> ...
> Failure
>
> While adding the -no_tls1 flag will:
>
> $ openssl s_client -connect HOST:636 -no_tls1
> ...
> Success
>
> When I attempt to connect to the server using ldapsearch, I receive the
> following:
>
> $ ldapsearch -d7 -x -H ldaps://HOST:636 -D "BIND_DN" -W
> ldap_url_parse_ext(ldaps://HOST:636)
> ldap_create
> ldap_url_parse_ext(ldaps://HOST:636/??base)
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP HOST:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying HOST_IP:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> TLS: could not add the certificate (null) - error -8018:Unknown PKCS #11 error..
> TLS: /etc/openldap/cacerts/addtrust-ca.crt is not a valid CA certificate file - error -8018:Unknown PKCS #11 error..
> TLS: could perform TLS system initialization.
> TLS: error: could not initialize moznss security context - error -8018:Unknown PKCS #11 error.
> TLS: can't create ssl handle.
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> TLS: could not shutdown NSS - error -8053:NSS could not shutdown. Objects are still in use..
>
>
> Is there a way, either through the ldap.conf, an environment variable,
> or through the API, to ignore the TLS portion of the handshake?

That's not your problem, nor is it specific to Oracle:
TLS: could not add the certificate (null) - error -8018:Unknown PKCS #11 error..
TLS: /etc/openldap/cacerts/addtrust-ca.crt is not a valid CA certificate file - error -8018:Unknown PKCS #11 error..

Can you paste your /etc/openldap/cacerts/addtrust-ca.crt?
> Am I mistaken and something else is wrong here?
>
> Regards,
> Jon
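A quick check a reader could run on that .crt file before pasting it, to see whether it is PEM, decodes to DER and actually carries the CA flag (an added example, not from this thread; pure Python, and SAMPLE_CA_PEM is a constructed DER fragment holding only a basicConstraints extension, not a real certificate):

```python
import base64, re
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
BASIC_CONSTRAINTS_OID = b"\x06\x03\x55\x1d\x13"   # DER-encoded OID 2.5.29.19

# Constructed sample (NOT a real certificate): DER fragment holding only a basicConstraints extension, critical=TRUE, cA=TRUE.
SAMPLE_CA_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(
    b"\x30\x0f" + BASIC_CONSTRAINTS_OID + b"\x01\x01\xff\x04\x05\x30\x03\x01\x01\xff"
).decode() + "\n-----END CERTIFICATE-----\n"

def der_tlv(buf, i):
    """Decode one DER tag-length-value at offset i -> (tag, value, end offset)."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + length], i + length

def basic_constraints_ca(der):
    """cA flag of basicConstraints: True/False, or None if absent or unparseable.
    Heuristic: finds the OID bytes instead of walking the whole certificate."""
    try:
        _, _, i = der_tlv(der, der.index(BASIC_CONSTRAINTS_OID))  # extnID
        tag, val, i = der_tlv(der, i)
        if tag == 0x01:                     # optional 'critical' BOOLEAN
            tag, val, i = der_tlv(der, i)
        seq_tag, inner, _ = der_tlv(val, 0) # BasicConstraints ::= SEQUENCE {cA BOOLEAN DEFAULT FALSE, ...}
        if tag != 0x04 or seq_tag != 0x30:  # extnValue is an OCTET STRING wrapping that SEQUENCE
            return None
        return bool(inner) and der_tlv(inner, 0)[:2] == (0x01, b"\xff")
    except (IndexError, ValueError):        # OID absent (index) or structure too short
        return None

def check_ca_file(text):
    """Findings for a candidate CA file; an empty list means it looks usable."""
    findings, matches = [], list(PEM_RE.finditer(text))
    if not matches:
        return ["no PEM block found: file is DER, binary, or not a certificate"]
    for n, m in enumerate(matches, 1):
        try:
            label, der = m.group(1), base64.b64decode(m.group(2))
        except ValueError:                  # binascii.Error: corrupt base64
            label, der = m.group(1), b""
        if label != "CERTIFICATE":
            findings.append(f"block {n}: '{label}' is not a certificate")
        elif not der or der[0] != 0x30:
            findings.append(f"block {n}: base64 does not decode to a DER SEQUENCE")
        elif basic_constraints_ca(der) is not True:
            findings.append(f"block {n}: basicConstraints cA is not TRUE")
    return findings
```

A clean result only means the file is plausibly a PEM CA certificate; it says nothing about whether the server's chain actually validates against it.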