[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP self-signed certificates issue

To: Vijay Ganesan <vijay@thoughtspot.com>, openldap-technical@openldap.org
Subject: Re: OpenLDAP self-signed certificates issue
From: Ryan Tandy <ryan@nardis.ca>
Date: Mon, 08 Sep 2014 08:35:28 -0700
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nardis.ca; s=google; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=qVwgJnTeU4wQ1Fcas3BgH7n6WVTGjCfSAra0qGELnqc=; b=Wf1rjzd87+yweaiYLwhdXGyXXu6WUInHv3Ei78vNa6aC9SFCM/iMEIADIrHPjUOwWH 6KnRAa2mevBMT7FINcPv8DVASKqJkyI1YGuf0qz3mMLa+KibHVPVaJYogekLDzjP1Uij bduDvcPz9bBMBLPU8R4QupRgJvd+ASjzgAcAo=
In-reply-to: <CAB+CZKDr2YFS8AeV8AoJJV7B_2TQZk-w89Y56rEeWD5RLoBFwg@mail.gmail.com>
References: <CAB+CZKBTFvhZgs+qwgaNOq6OHecT1R8bHj5JGFkX62xr5zXy9A@mail.gmail.com> <540CD59A.7050508@nardis.ca> <CAB+CZKBEsGUi2Gxw0OV2He-RCUgtadC=KDU+2Ub1gyEsfuzk3w@mail.gmail.com> <540DB975.2090902@nardis.ca> <CAB+CZKDr2YFS8AeV8AoJJV7B_2TQZk-w89Y56rEeWD5RLoBFwg@mail.gmail.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.7.0

On 08/09/14 08:02 AM, Vijay Ganesan wrote:

ldap_start_tls: Connect error (-11)
additional info: A TLS packet with unexpected length was received.

Unfortunately GnuTLS does not make it easy to diagnose this kind oferror. There might still be a misconfiguration somewhere, or there mightbe a problem with the certificate itself. If you search Google for thatmessage you will find many results with different causes.


Some thoughts:

* Check /var/log/syslog for any info printed by slapd

* Check that GnuTLS is able to understand your certificate: installgnutls-bin and try

gnutls-serv --x509certfile /path/to/server.pem --x509keyfile/path/to/server.key


which will start a basic TLS server on port 5556, then

  gnutls-cli --x509cafile /path/to/ca.pem --port 5556 localhost

If GnuTLS doesn't like your certificate for some reason, one of thosecommands will fail and hopefully provide more information.


* Similarly, enable ldaps:/// in /etc/default/slapd and then try

  gnutls-cli --x509cafile /path/to/ca.pem --port 636 localhost

to investigate the certificate actually sent by slapd.

I would really recommend upgrading to Ubuntu 14.04. It has asignificantly updated version of GnuTLS that fixes a lot of bugs andlimitations compared to Ubuntu 12.04. Others on this list will recommendto ditch GnuTLS altogether and build your own OpenLDAP from source usingOpenSSL instead of GnuTLS.


Good luck...

References:
- OpenLDAP self-signed certificates issue
  - From: Vijay Ganesan <vijay@thoughtspot.com>
- Re: OpenLDAP self-signed certificates issue
  - From: Ryan Tandy <ryan@nardis.ca>
- Re: OpenLDAP self-signed certificates issue
  - From: Vijay Ganesan <vijay@thoughtspot.com>
- Re: OpenLDAP self-signed certificates issue
  - From: Ryan Tandy <ryan@nardis.ca>
- Re: OpenLDAP self-signed certificates issue
  - From: Vijay Ganesan <vijay@thoughtspot.com>

Prev by Date: Re: OpenLDAP self-signed certificates issue
Next by Date: Re: LDAP gateway to RADIUS serverf
Index(es):
- Chronological
- Thread