
Re: TLS problem



On 01/29/13 10:22 +0200, Chris wrote:
I am running OpenLDAP 2.4.23 on RHEL6. I can telnet to the server on both
ports 389 and 636. I can do an ldapsearch and ldapadd without any errors. I
get this error when I start the slapd daemon.

ldap_start_tls_s() failed: Can't contact LDAP server: Transport endpoint is not connected (uri="ldap://ldapserver")
failed to bind to LDAP server ldap://ldapserver: Can't contact LDAP server: Transport endpoint is not connected

I don't understand why you are receiving this error while starting slapd.
Where are you seeing this error?

What command line options are you starting slapd with?

When I do an ldapsearch -x -d1 -Z -b 'dc=flamengro,dc=co,dc=za'

I get the following error

TLS: certificate [CA certificate details omitted here...] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 0 - moznss error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
ldap_err2string
ldap_start_tls: Connect error (-11)
    additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user

You have a certificate trust issue. In your above command, you are not
specifying a hostname, which means that you're apparently using the hostname
specified in your ldap.conf. Verify that's actually a hostname, and not an
IP address. Check that the hostname matches the contents of your
certificate, and that the certificate's signer is trusted by your moznss
library (on your client).

Any help will be appreciated.

This is my slapd.conf file

include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema
allow bind_v2
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
TLSCipherSuite          HIGH
TLSCertificateFile      /etc/pki/tls/certs/slapdcert.pem
TLSCertificateKeyFile   /etc/pki/tls/certs/slapdkey.pem
TLSVerifyClient         never
database        bdb
suffix          "dc=flamengro,dc=co,dc=za"
checkpoint      1024 15
rootdn          "cn=Manager,dc=flamengro,dc=co,dc=za"
rootpw                secret
directory       /var/lib/ldap/flamengro
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
database monitor
# allow only rootdn to read the monitor
access to *
       by dn.exact="cn=Manager,dc=flamengro,dc=co,dc=za" read
       by * none
access to attrs=userPassword,shadowLastChange
       by anonymous auth
       by self write
       by * none

--
Dan White
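A client-side check of the two conditions Dan lists (the URI host is a real hostname that matches the server certificate, and the certificate's issuer is trusted), written as an added example for this thread and not code from either poster. The certificate names and the issuer_trusted flag are assumed inputs the reader would take from the server certificate and from the client's trust store; the sample names are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: names a server certificate might carry (subject CN plus
# subjectAltName dNSName entries). Not taken from the original thread.
SAMPLE_CERT_NAMES = ["ldapserver.flamengro.co.za", "*.flamengro.co.za"]


def ldap_uri_host(uri):
    """Return (host, port) for an ldap:// or ldaps:// URI, applying LDAP defaults."""
    parts = urlsplit(uri)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URI: %r" % uri)
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return parts.hostname, port


def is_ip_literal(host):
    """True for IPv4/IPv6 literals; a dNSName or CN can never match one of these."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def name_matches(host, cert_name):
    """RFC 6125 style match: case-insensitive, '*' only as the whole leftmost label."""
    host_labels = host.lower().rstrip(".").split(".")
    cert_labels = cert_name.lower().rstrip(".").split(".")
    if len(host_labels) != len(cert_labels):
        return False
    if cert_labels[0] == "*":
        # Require at least two fixed labels so "*.com"-style names never match.
        return len(cert_labels) >= 3 and host_labels[1:] == cert_labels[1:]
    return host_labels == cert_labels


def diagnose(uri, cert_names, issuer_trusted):
    """Return the findings that would make StartTLS/LDAPS to this URI fail."""
    host, _port = ldap_uri_host(uri)
    findings = []
    if host is None:
        findings.append("URI has no host component; libldap falls back to its default")
    elif is_ip_literal(host):
        findings.append("URI host %s is an IP literal; it cannot match a dNSName/CN" % host)
    elif not any(name_matches(host, n) for n in cert_names):
        findings.append("hostname %s matches none of %s" % (host, cert_names))
    if not issuer_trusted:
        findings.append("issuer not trusted (NSS error -8172): add the signing CA to the "
                        "client's TLS_CACERT/TLS_CACERTDIR in ldap.conf")
    return findings
```

Run diagnose() against the URI your client actually uses (the one on the command line, or the URI/HOST from ldap.conf when none is given) to see which of the two conditions is failing before touching the server configuration.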