[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Openldap server with TLS not working

To: openldap-technical@openldap.org
Subject: Re: Openldap server with TLS not working
From: btb <btb@bitrate.net>
Date: Thu, 03 Oct 2013 16:19:58 -0400
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=bitrate.net; s=default; t=1380830383; bh=hp5NunaIOnTmFv5yCkAwZGD3CcDOPD2IVoL4O2MXz/0=; h=Date:From:To:Subject:References:In-Reply-To; b=hgG2k+kdmut6DzXwJ/mgWK+Rc7OuuSIyMqboa5D9VCNIy1YCqILMEuZS6LGH0DX4Y TQMh4vYQTniujgV/ecItbVdtqYekTQrISloe4av5hcUYh37KyLJJmYX6Zws5cGrXif Ag0+xvnQG2UKz/UJou4e0CYuRdq4wKrTDTxrxQuY=
In-reply-to: <E8C66D7B548D594AA2D874080BF5BB222D70F60C@WPTXMAIL1.ptx.axway.int>
References: <E8C66D7B548D594AA2D874080BF5BB222D70F0F5@WPTXMAIL1.ptx.axway.int> <524C1827.7040101@bitrate.net> <E8C66D7B548D594AA2D874080BF5BB222D70F36D@WPTXMAIL1.ptx.axway.int> <20131003104600.68002db1@pink.avci.de> <E8C66D7B548D594AA2D874080BF5BB222D70F60C@WPTXMAIL1.ptx.axway.int>
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130801 Thunderbird/17.0.8

On 2013.10.03 08.22, Axel Grosse wrote:

-----Original Message-----

From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Dieter KlÃnter
Sent: Thursday, 3 October 2013 6:46 PM
To: openldap-technical@openldap.org
Subject: Re: Openldap server with TLS not working

Am Thu, 3 Oct 2013 00:16:28 +0000
schrieb Axel Grosse <agrosse@axway.com>:

Hi ben,
thanks for the comment.
agree with you on TLS usage should be perferred
but the client that is connecting is only capable of LDAPS ... he has
not implemented TLS Client jet .

But can you please take a look to the error I am facing

openssl s_client -connect 192.168.30.169:389 -showcerts
-CAfile ./ssl/VordelCA.crt CONNECTED(00000003)
710:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:188:

any idea what can cause this ?

-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org
[mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of btb
Sent: Wednesday, 2 October 2013 10:57 PM To:
openldap-technical@openldap.org Subject: Re: Openldap server with TLS
not working

On 2013.10.02 07.29, Axel Grosse wrote:

when I test on the server itself ..
openssl s_client -connect 192.168.30.169:389 -showcerts -CAfile
./ssl/VordelCA.crt
CONNECTED(00000003)
710:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:188:


ldaps [port 636] is deprecated.  use starttls with the standard port
[389].  to test, just use ldapsearch [see the reference to -Z in the
man page]


You are connnecting to port 389, but s_client is not able to initiate a
LDAP startTLS  session (only SMTP and IMAP), so you have to connect
ldaps and port 636.

-Dieter

> Hi Ben, Dieter

> can we focus on LDAPS because TLS1 is not an option and even if LDAPS> is deprecated I should be able to configure it ..

>
> TLSCACertificateFile /etc/openldap/ssl/VordelCA.crt
> TLSCertificateFile /etc/openldap/ssl/VordelDev.crt
> TLSCertificateKeyFile /etc/openldap/ssl/VordelDev.key
> TLSVerifyClient never
>
>
> are this entries in the slapd.conf sutable for LDAPS ?
> if not whats missing ?

nothing more is required

> start the server with
> /usr/sbin/slapd -h ldap://192.168.30.169:636 -u ldap

/usr/sbin/slapd -h 'ldaps:///' [...]

you must specify ldaps, and you do not need to explicitly specify theport. 636 is the default. see man 8 slapd for details.

Follow-Ups:
- RE: Openldap server with TLS not working
  - From: Axel Grosse <agrosse@axway.com>

References:
- Openldap server with TLS not working
  - From: Axel Grosse <agrosse@axway.com>
- Re: Openldap server with TLS not working
  - From: btb <btb@bitrate.net>
- RE: Openldap server with TLS not working
  - From: Axel Grosse <agrosse@axway.com>
- Re: Openldap server with TLS not working
  - From: Dieter KlÃnter <dieter@dkluenter.de>
- RE: Openldap server with TLS not working
  - From: Axel Grosse <agrosse@axway.com>

Prev by Date: Re: Log level will not change.
Next by Date: Re: Log level will not change.
Index(es):
- Chronological
- Thread