Re: Antw: problem with accessing secure ldap --- Low Sensitivity/Aerospace Internal Use Only
Hi C Chupela, I have, and I was advised that it was code running up against
an assertion. Quanah suggested that I report it in an ITS to
OpenLDAP.org.
I did that and, according to the latest
feedback, from what Quanah can tell the patch exists; now it's a matter
of getting the code turned into RPMs and DEBs or whatever else is affected.
So, I guess that means the code has
a patch, but I don't have the latest code because I haven't seen it released.
Be aware of the fact that I was working on OpenLDAP-2.4.38 and they
released OpenLDAP-2.4.39 before this patch was created.
I hope that helps you too!
Warron French, MBA, SCSA
From: c chupela <cnctema68@yahoo.com>
To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Date: 01/30/2014 11:25 AM
Subject: Re: Antw: problem with accessing secure ldap
Sent by: openldap-technical-bounces@OpenLDAP.org
Further troubleshooting on my part, with ldapsearch and debugging
turned up, gave me the following:

TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix
TLS: error: tlsm_PR_Recv returned 0 - error 21:Is a directory
TLS: error: connect - force handshake failure: errno 21 - moznss error -5938
TLS: can't connect: TLS error -5938:Encountered end of file
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Searches I've done on this error seem to
point to certificate/OpenSSL problems.
Anyone run into this before?
On Friday, January 24, 2014 5:39 PM, c chupela <cnctema68@yahoo.com> wrote:

After having some packet traces done, what was revealed is that from a
Windows client running the Softerra LDAP browser, we could see the
connection be established between client and server (SYN, SYN-ACK, ACK),
the client requests sending of data, and the server resets/closes the
connection, never sending any data, as I also saw when attempting
to telnet to port 636: connection is closed by remote host.

Regarding the question of whether TLS is enabled, if I understand the
doc correctly, the answer is yes. With respect to the TLS_REQCERT never
statement, I believe it was set this way because this was only intended
to be a testing server.
Contents of ldap.conf:

#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=plandb,dc=stuff,dc=acme,dc=com
URI ldap://plandb-qa.stuff.acme.com ldaps://plandb-qa.stuff.acme.com:636
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT never

Currently running slapd process:

1 S ldap 5603 1 0 80 0 - 111440 futex_ Jan21 ? 00:00:02 /usr/sbin/slapd -h ldap:/// ldaps:/// ldapi:/// -u ldap
On Thursday, January 23, 2014 3:25 AM, Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> wrote:

>>> c chupela <cnctema68@yahoo.com> wrote on 22.01.2014 at 18:43 in message
<1390412584.5499.YahooMailNeo@web140101.mail.bf1.yahoo.com>:
> I've been tasked with figuring out why a Red Hat 6.4 server w/ OpenLDAP v2.4.23
> is not accessible.
> This server is a test server. I have a production server that is working
> properly, and I've gone through and compared config files, etc., but haven't
> found any differences.
>
> I'm a newbie with this, so my understanding is still somewhat limited.
> Here's what I've done or checked so far:
>
> - iptables is not running
> - if I run netstat, I can see port 389/port 636 in listening state:
>
> tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 5603/slapd
> tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 5603/slapd
> tcp 0 0 :::636 :::* LISTEN 5603/slapd
> tcp 0 0 :::389 :::* LISTEN 5603/slapd
>
> I can telnet to port 389 on this server from another server, but not to port
> 636 - putty will throw back an immediate 'connection closed by remote host'
> message.
>
> I'm not seeing any slapd related messages in /var/log/messages.
>
> What else can I check on here?
Syslog
>
> Thanks
> Chris
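As an added example for the diagnosis this thread converges on (this is not code from the thread, from OpenLDAP, or from any of the posters), the Python script below does from the client side what the packet trace, telnet and the MozNSS debug output did by hand: it separates "nothing listening" (connect refused), "filtered" (connect timeout), "server accepted the TCP connection but closed it before sending any TLS bytes" (the symptom in this thread: putty's "connection closed by remote host" and MozNSS's "tlsm_PR_Recv returned 0 ... Encountered end of file"), "listener is not speaking TLS", and "TLS works but the certificate fails verification". The last distinction matters because `TLS_REQCERT never` in ldap.conf hides verification failures entirely; `probe_ldaps(..., verify=False)` reproduces that setting and is labelled as unsafe for anything but diagnosis. Host, port and CA file are caller-supplied assumptions; the three `simulate_*` functions stand up constructed localhost listeners so the script runs offline.

```python
#!/usr/bin/env python3
"""Classify an LDAPS (TCP/636) connection failure from the client side.

Added example for this thread; not OpenLDAP code and not any poster's code.
A "closed-by-server" verdict is the thread's symptom: the TCP handshake
completes, the client sends its ClientHello, and the server closes the
socket without answering. That is a server-side TLS setup failure
(certdb/cert/key), not a firewall and not a certificate-verification problem.
"""
import socket
import ssl
import threading

CLOSED = ("closed-by-server: TCP accepted but the socket was closed before any "
          "TLS data arrived; slapd could not set up TLS (check the certdb, "
          "certificate and key it was started with; slapd -d -1 shows why)")


def probe_ldaps(host, port, verify=True, cafile=None, timeout=3.0):
    """Attempt a TLS handshake against host:port and return a one-line verdict."""
    if verify:
        ctx = ssl.create_default_context(cafile=cafile)
    else:
        # Same effect as TLS_REQCERT never: the server certificate is not
        # checked, so anyone on the path can impersonate the directory.
        # Use only to diagnose, never in a client that sends credentials.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused: nothing listening (check slapd -h ldaps:/// and netstat)"
    except socket.timeout:
        return "timeout: packets dropped (firewall) or host unreachable"
    except OSError as e:
        return "connect-error: %s" % e
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "ok: %s, server cert %s" % (
                tls.version(),
                "verified" if verify else "NOT verified (TLS_REQCERT never)")
    except ssl.SSLCertVerificationError as e:
        return "cert-verify-failed: %s" % e.verify_message
    except ssl.SSLError as e:
        # EOF during the handshake: the server sent nothing and hung up.
        if isinstance(e, ssl.SSLEOFError) or "EOF" in str(e).upper():
            return CLOSED
        return "tls-error: %s (listener on %d is probably not speaking TLS)" % (e.reason, port)
    except socket.timeout:
        return "handshake-timeout: server accepted but never answered the ClientHello"
    except (ConnectionResetError, BrokenPipeError):
        return CLOSED
    finally:
        raw.close()


def _listen_once(handler):
    """Constructed localhost stand-in for the server; serves one client then exits."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        try:
            handler(conn)
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def simulate_broken_slapd():
    """Accept, read the ClientHello, send nothing, close: the thread's symptom."""
    port = _listen_once(lambda conn: conn.recv(4096))
    return probe_ldaps("127.0.0.1", port, verify=False)


def simulate_plaintext_listener():
    """Something on the port answers the ClientHello with non-TLS bytes."""
    def answer(conn):
        conn.recv(4096)
        conn.sendall(b"not a TLS server\r\n")  # constructed garbage reply
    port = _listen_once(answer)
    return probe_ldaps("127.0.0.1", port, verify=False)


def simulate_nothing_listening():
    """Grab a free port and release it so the connect is refused."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return probe_ldaps("127.0.0.1", port)


if __name__ == "__main__":
    for fn in (simulate_broken_slapd, simulate_plaintext_listener, simulate_nothing_listening):
        print("%-28s %s" % (fn.__name__, fn()))
```

Run the script directly to see the three simulations; against the real host, `probe_ldaps("plandb-qa.stuff.acme.com", 636)` with `verify=True` and the CA that signed the server certificate is the call that tells you whether the problem is on the server or in the client's trust store. A "closed-by-server" verdict means the next place to look is slapd itself (its own debug output, and whether the certificate and key it points at actually exist in the certdb, which `certutil -L -d /etc/openldap/certs` lists for a MozNSS build), not ldap.conf on the client.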