System is SLES 9.3 running openldap 2.3.39.
I tried to create the x509 hash and it still failed the same way.
I still think the TLSCA entries should allow the x509 hash to not have to be there. Tried commenting out both TLSCertificate entries to no avail. Tried commenting out the TLSCACertificate entries, but left TLSCACertificatePath entry uncommented. All changes still failed the ldapsearch the same way.
What else am I missing here? Other ideas will be welcome.
Could you also give me some information as to how to interpret the ldap log or maybe a pointer to where I can learn more about it?
Here is what I did:
# cd /etc/openldap
# openssl genrsa 1024 >ldapServer.key
# chmod 0440 ldapServer.key
# chgrp ldap ldapServer.key
# openssl req -new -key ldapServer.key -x509 -days 100 -out ldapServer.crt
# chmod 0444 server.crt
# cd /etc/ssl/certs
# cp /etc/openldap/ldapServer.crt ldapServer.pem
# cat /etc/openldap/ldapServer.key >>ldapServer.pem
# chmod 0444 ldapServer.pem
# ln -f -s ldapServer.pem /etc/ssl/certs/`openssl x509 -hash -noout -in /etc/ssl/certs/ldapServer.pem`.0
# ls -l /etc/ssl/certs | grep ldapServer.pem
lrwxrwxrwx 1 root root   14 Nov 19 17:18 1eddbbdf.0 -> ldapServer.pem
-rw-r--r-- 1 root root 2526 Nov 19 16:57 ldapServer.pem
Here are the entries in slapd.conf (all in global section):
TLSCertificateFile /etc/ssl/servercerts/servercert.pem
TLSCertificateKeyFile /etc/ssl/servercerts/serverkey.pem
TLSCACertificatePath /etc/ssl/certs/
TLSCACertificateFile /etc/openldap/ldapServer.crt
TLSCACertificateKeyFile /etc/openldap/ldapServer.key
It fails exactly the same way:
# ldapsearch -x -Z -H ldap://testsvr.blv.boeing.com -b "" -s base 'objectclass=*' '+' '*'
ldap_start_tls: Connect error (-11)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ldap_result: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Here are the ldap log entries when loglevel is set to -1.
Nov 19 17:19:43 testsvr slapd[7024]: daemon: activity on 1 descriptor
Nov 19 17:19:43 testsvr slapd[7024]: daemon: activity on:
Nov 19 17:19:43 testsvr slapd[7024]:
Nov 19 17:19:43 testsvr slapd[7024]: >>> slap_listener(ldap:///)
Nov 19 17:19:43 testsvr slapd[7024]: daemon: listen=8, new connection on 13
Nov 19 17:19:43 testsvr slapd[7024]: daemon: added 13r (active) listener=(nil)
Nov 19 17:19:43 testsvr slapd[7024]: conn=2 fd=13 ACCEPT from IP=130.42.48.144:1084 (IP=0.0.0.0:389)
Nov 19 17:19:43 testsvr slapd[7024]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Nov 19 17:19:43 testsvr slapd[7024]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Nov 19 17:19:43 testsvr slapd[7024]: daemon: activity on 1 descriptor
Nov 19 17:19:43 testsvr slapd[7024]: daemon: activity on:
Nov 19 17:19:43 testsvr slapd[7024]: 13r
Nov 19 17:19:43 testsvr slapd[7024]:
Nov 19 17:19:43 testsvr slapd[7024]: daemon: read active on 13
Nov 19 17:19:43 testsvr slapd[7024]: connection_get(13)
Nov 19 17:19:43 testsvr slapd[7024]: connection_get(13): got connid=2
Nov 19 17:19:43 testsvr slapd[7024]: connection_read(13): checking for input onid=2
Nov 19 17:19:43 testsvr slapd[7024]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Nov 19 17:19:43 testsvr slapd[7024]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Nov 19 17:19:43 testsvr slapd[7024]: do_extended
Nov 19 17:19:43 testsvr slapd[7024]: do_extended: oid=1.3.6.1.4.1.1466.20037
Nov 19 17:19:43 testsvr slapd[7024]: conn=2 op=0 STARTTLS
Nov 19 17:19:43 testsvr slapd[7024]: send_ldap_extended: err=0 oid= len=0
Nov 19 17:19:43 testsvr slapd[7024]: send_ldap_response: msgid=1 tag=120 err=0
Nov 19 17:19:43 testsvr slapd[7024]: conn=2 op=0 RESULT oid= err=0 text=
Nov 19 17:19:43 testsvr slapd[7024]: daemon: activity on 1 descriptor
Nov 19 17:19:43 testsvr slapd[7024]: daemon: activity on:
Nov 19 17:19:43 testsvr slapd[7024]: 13r
Nov 19 17:19:43 testsvr slapd[7024]:
Nov 19 17:19:43 testsvr slapd[7024]: daemon: read active on 13
Nov 19 17:19:43 testsvr slapd[7024]: connection_get(13)
Nov 19 17:19:43 testsvr slapd[7024]: connection_get(13): got connid=2
Nov 19 17:19:43 testsvr slapd[7024]: connection_read(13): checking for input onid=2
Nov 19 17:19:43 testsvr slapd[7024]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Nov 19 17:19:43 testsvr slapd[7024]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Nov 19 17:19:43 testsvr slapd[7024]: daemon: activity on 1 descriptor
Nov 19 17:19:43 testsvr slapd[7024]: daemon: activity on:
Nov 19 17:19:43 testsvr slapd[7024]: 13r
Nov 19 17:19:43 testsvr slapd[7024]:
Nov 19 17:19:43 testsvr slapd[7024]: daemon: read active on 13
Nov 19 17:19:43 testsvr slapd[7024]: connection_get(13)
Nov 19 17:19:43 testsvr slapd[7024]: connection_get(13): got connid=2
Nov 19 17:19:43 testsvr slapd[7024]: connection_read(13): checking for input onid=2
Nov 19 17:19:43 testsvr slapd[7024]: connection_read(13): TLS accept failure error=-1 id=2, closing
Nov 19 17:19:43 testsvr slapd[7024]: connection_closing: readying conn=2 sd=13 for close
Nov 19 17:19:43 testsvr slapd[7024]: connection_close: conn=2 sd=-1
Nov 19 17:19:43 testsvr slapd[7024]: daemon: removing 13
Nov 19 17:19:43 testsvr slapd[7024]: conn=2 fd=13 closed (TLS negotiation failure)
Nov 19 17:19:43 testsvr slapd[7024]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Nov 19 17:19:43 testsvr slapd[7024]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Nov 19 17:19:43 testsvr slapd[7024]: daemon: activity on 1 descriptor
Nov 19 17:19:43 testsvr slapd[7024]: daemon: activity on:
Nov 19 17:19:43 testsvr slapd[7024]:
Nov 19 17:19:43 testsvr slapd[7024]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Nov 19 17:19:43 testsvr slapd[7024]: daemon: epoll: listen=8 active_threads=0 tvp=zero
----
Not all who wander are lost.

Chuck Keagle
chuck.keagle@boeing.com
Enterprise Servers: HPC
Work: (425) 865-1488
Cell: (425) 417-3434
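To make the client-side check concrete, here is an added shell example (not from the original post or the OpenLDAP project) that repeats the self-signed-cert and hash-link steps in a temporary directory and then asks openssl whether a given server certificate verifies against that CA directory, which is the check that produced "certificate verify failed" above; the certificate slapd presents is the one named by TLSCertificateFile, so that is the file the client's CA configuration must be able to verify. It assumes an openssl CLI on PATH; the directory names and CNs are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes `openssl` on PATH.
set -e

# make_selfsigned DIR NAME CN: key plus self-signed cert (2048 bits rather than
# the post's 1024, which current OpenSSL security levels may reject)
make_selfsigned() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -key "$1/$2.key" -x509 -days 100 -subj "/CN=$3" \
        -out "$1/$2.crt" 2>/dev/null
}

# install_ca_link CADIR CERT: link CERT as CADIR/<subject-hash>.0, the name a
# -CApath / TLSCACertificatePath lookup expects. Caveat: OpenSSL 1.0.0 changed
# the subject-hash algorithm, so a link made by a 0.9.x openssl (like the
# post's 1eddbbdf.0) is not found by a newer library, and vice versa.
install_ca_link() {
    h=$(openssl x509 -hash -noout -in "$2")
    ln -sf "$2" "$1/$h.0"
    printf '%s\n' "$h"
}

# verify_with_capath CADIR CERT: prints "trusted" (exit 0) when CERT chains to
# something in CADIR, otherwise "untrusted" (exit 1), which is the condition an
# LDAP client reports as "certificate verify failed" after STARTTLS.
verify_with_capath() {
    if openssl verify -CApath "$1" "$2" >/dev/null 2>&1; then
        printf 'trusted\n'
    else
        printf 'untrusted\n'
        return 1
    fi
}

# Demo when run as `sh this.sh demo`: the linked cert verifies, a second
# self-signed cert that is not linked into the directory does not.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d); mkdir "$d/certs"
    make_selfsigned "$d" ldapServer ldap.example.test
    make_selfsigned "$d" other other.example.test
    install_ca_link "$d/certs" "$d/ldapServer.crt"
    verify_with_capath "$d/certs" "$d/ldapServer.crt"
    verify_with_capath "$d/certs" "$d/other.crt" || true
    rm -rf "$d"
fi
```

Point verify_with_capath at the file configured as TLSCertificateFile and at the directory (or a copy of the file) that the client's ldap.conf names as TLS_CACERTDIR / TLS_CACERT to reproduce what ldapsearch checks.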