I have yet to even change the error messages when trying:
# ldapsearch -x -Z -H ldap://testsvr.blv.boeing.com -b "" -s base 'objectclass=*' '+' '*'
ldap_start_tls: Connect error (-11)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ldap_result: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Can anyone point out what I have missed here?
***********************************
Here is /etc/openldap/slapd.conf
$ cat slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#

#####
# Global Configuration Parameters
#####

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/rfc2307bis.schema
include         /etc/openldap/schema/yast.schema

#CBK modified logging to lots for debug purposes
#CBK Log levels are additive, and available levels are:
#CBK     1 (0x1 trace)      trace function calls
#CBK     2 (0x2 packets)    debug packet handling
#CBK     4 (0x4 args)       heavy trace debugging (function args)
#CBK     8 (0x8 conns)      connection management
#CBK    16 (0x10 BER)       print out packets sent and received
#CBK    32 (0x20 filter)    search filter processing
#CBK    64 (0x40 config)    configuration file processing
#CBK   128 (0x80 ACL)       access control list processing
#CBK   256 (0x100 stats)    stats log connections/operations/results
#CBK   512 (0x200 stats2)   stats log entries sent
#CBK  1024 (0x400 shell)    print communication with shell backends
#CBK  2048 (0x800 parse)    entry parsing
#CBK  4096 (0x1000 cache)   caching (unused)
#CBK  8192 (0x2000 index)   data indexing (unused)
#CBK 16384 (0x4000 sync)    LDAPSync replication
#CBK 32768 (0x8000 none)    32767 means all
#CBK 0x141 = 321
loglevel        -1

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

#####
# Backend Configuration Parameters
#####

# Load dynamic backend modules:
modulepath      /usr/lib/openldap/modules
# moduleload    back_ldap.la
# moduleload    back_meta.la
# moduleload    back_monitor.la
# moduleload    back_perl.la

#CBK Comment out TLSCertificateFile and TLSCertificatekeyFile here.
#    Also, force encryption
#CBK end
#TLSCertificateFile     /etc/ssl/servercerts/servercert.pem
TLSCACertificatePath    /etc/ssl/certs/
TLSCACertificateFile    /etc/ssl/certs/ldapServer.pem
#TLSCertificateKeyFile  /etc/ssl/servercerts/serverkey.pem
TLSCiphersuite          HIGH
security ssf=128

#CBK added for local use on SuSE 9.3
#TLSCACertificateFile    /etc/openldap/cacert.pem
#TLSCACertificateKeyFile /etc/openldap/ldapServer.key

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access to user password
#               Allow anonymous users to authenticate
#               Allow read access to everything else
#       Directives needed to implement policy:
access to dn.base=""
        by * read
access to dn.base="cn=Subschema"
        by * read
access to attrs=userPassword,userPKCS12
        by self write
        by * auth
access to attrs=shadowLastChange
        by self write
        by * read
access to *
        by * read

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#CBK Added passwords stored here only for authentication
#CBK Made them editable only by respective users
#access to attrs=userPassword
#       by self write
#       by anonymous auth
#CBK end

#CBK allow certain attributes to be edited by user
#CBK allow same attributes to be only view by others
#access to dn.regex="uid=(.*),ou=.*,dc=com" attrs=sn,givenName,homePhone,homePostalAddress,mobile
#       by self write
#       by users read
#CBK end

#CBK Do not allow unauthenticated users to harvest email addresses.
#access to dn.regex="uid=.*,dc=com" attrs=mail
#       by users read
#       by * none
#CBK end

#CBK Allow read access to objects outside normal directory tree.
#CBK root DSE is an important one here.
#access to dn.regex=()
#       by * read
#CBK end

#CBK allow authenticated users to read other attributes
#CBK prohibit anonymous users from reading other attributes
#access to *
#       by users read
#       by anonymous none

#######################################################################
# bdb database definitions
#######################################################################

#####
# Database Configuration Parameters
#####

#TLSCertificateFile     /etc/openldap/servercert.pem
#TLSCertificateKeyFile  /etc/openldap/serverkey.pem
database        bdb
#
# CBK Modified suffix, rootdn, and rootpw for local environment
# CBK Added Mode for local environment
#
suffix          "dc=testsvr,dc=blv,dc=boeing,dc=com"
rootdn          "cn=Manager,dc=testsvr,dc=blv,dc=boeing,dc=com"
rootpw          "{SSHA}Wq/1kuD3yROp6CU9CCkSOBiJm2GWhnpW"
Mode            0600
directory       /var/lib/ldap
checkpoint      1024    5
cachesize       10000
index   objectClass,uidNumber,gidNumber eq
index   member,mail     eq,pres
index   cn,displayname,uid,sn,givenname sub,eq,pres
***********************************
Here is /etc/openldap/ldap.conf

$ cat ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#CBK Uncommented and set BASE and URI for local environment
BASE    dc=blv,dc=boeing, dc=com
URI     ldaps://testsvr.blv.boeing.com

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
TLS_REQCERT     allow
#CBK Added for self-signed certificate
HOST    testsvr.blv.boeing.com
TLS_CACERT      /etc/ssl/certs/ldapServer.pem
Here are the ldap log entries when loglevel = -1
Nov 21 23:08:54 testsvr slapd[12709]: daemon: activity on 1 descriptor
Nov 21 23:08:54 testsvr slapd[12709]: daemon: activity on:
Nov 21 23:08:54 testsvr slapd[12709]:
Nov 21 23:08:54 testsvr slapd[12709]: >>> slap_listener(ldap:///)
Nov 21 23:08:54 testsvr slapd[12709]: daemon: listen=8, new connection on 14
Nov 21 23:08:54 testsvr slapd[12709]: daemon: added 14r (active) listener=(nil)
Nov 21 23:08:54 testsvr slapd[12709]: conn=11 fd=14 ACCEPT from IP=130.42.48.144:1180 (IP=0.0.0.0:389)
Nov 21 23:08:54 testsvr slapd[12709]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Nov 21 23:08:54 testsvr slapd[12709]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Nov 21 23:08:54 testsvr slapd[12709]: daemon: activity on 1 descriptor
Nov 21 23:08:54 testsvr slapd[12709]: daemon: activity on:
Nov 21 23:08:54 testsvr slapd[12709]: 14r
Nov 21 23:08:54 testsvr slapd[12709]:
Nov 21 23:08:54 testsvr slapd[12709]: daemon: read active on 14
Nov 21 23:08:54 testsvr slapd[12709]: connection_get(14)
Nov 21 23:08:54 testsvr slapd[12709]: connection_get(14): got connid=11
Nov 21 23:08:54 testsvr slapd[12709]: connection_read(14): checking for input on id=11
Nov 21 23:08:54 testsvr slapd[12709]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Nov 21 23:08:54 testsvr slapd[12709]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Nov 21 23:08:54 testsvr slapd[12709]: do_extended
Nov 21 23:08:54 testsvr slapd[12709]: do_extended: oid=1.3.6.1.4.1.1466.20037
Nov 21 23:08:54 testsvr slapd[12709]: conn=11 op=0 STARTTLS
Nov 21 23:08:54 testsvr slapd[12709]: send_ldap_extended: err=0 oid= len=0
Nov 21 23:08:54 testsvr slapd[12709]: send_ldap_response: msgid=1 tag=120 err=0
Nov 21 23:08:54 testsvr slapd[12709]: conn=11 op=0 RESULT oid= err=0 text=
Nov 21 23:08:54 testsvr slapd[12709]: daemon: activity on 1 descriptor
Nov 21 23:08:54 testsvr slapd[12709]: daemon: activity on:
Nov 21 23:08:54 testsvr slapd[12709]: 14r
Nov 21 23:08:54 testsvr slapd[12709]:
Nov 21 23:08:54 testsvr slapd[12709]: daemon: read active on 14
Nov 21 23:08:54 testsvr slapd[12709]: connection_get(14)
Nov 21 23:08:54 testsvr slapd[12709]: connection_get(14): got connid=11
Nov 21 23:08:54 testsvr slapd[12709]: connection_read(14): checking for input on id=11
Nov 21 23:08:54 testsvr slapd[12709]: connection_read(14): TLS accept failure error=-1 id=11, closing
Nov 21 23:08:54 testsvr slapd[12709]: connection_closing: readying conn=11 sd=14 for close
Nov 21 23:08:54 testsvr slapd[12709]: connection_close: conn=11 sd=-1
Nov 21 23:08:54 testsvr slapd[12709]: daemon: removing 14
Nov 21 23:08:54 testsvr slapd[12709]: conn=11 fd=14 closed (TLS negotiation failure)
Nov 21 23:08:54 testsvr slapd[12709]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Nov 21 23:08:54 testsvr slapd[12709]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Nov 21 23:08:54 testsvr slapd[12709]: daemon: activity on 1 descriptor
Nov 21 23:08:54 testsvr slapd[12709]: daemon: activity on:
Nov 21 23:08:54 testsvr slapd[12709]:
Nov 21 23:08:54 testsvr slapd[12709]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Nov 21 23:08:54 testsvr slapd[12709]: daemon: epoll: listen=8 active_threads=0 tvp=zero
----
Not all who wander are lost.

|  ----    ___o     | chuck.keagle@boeing.com    Chuck Keagle
|  -------   \ <,   | Work: (425) 865-1488       Enterprise Servers: HPC
|  -----   ( )/ ( ) | Cell: (425) 417-3434
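The "certificate verify failed" text in the ldapsearch output above is OpenSSL's verdict on the server certificate: libldap hands the certificate the server presented to OpenSSL, which checks that it chains to a CA in the file named by TLS_CACERT and that its name matches the host being contacted. The script below is an added example, not part of the original post and not OpenLDAP's own code; it reproduces that same check offline with throwaway CAs and a server certificate generated in a temporary directory, so that a client trust file and a server certificate can be tested against each other with openssl verify before slapd is involved. The CA names and the hostname ldap.example.test are constructed placeholders, and the only requirement is the openssl command-line tool. Per ldap.conf(5), TLS_REQCERT defaults to demand, under which this check is enforced; the allow and never settings let the session proceed even when the check fails, which gives up the protection against a spoofed server.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the X.509 chain and
# hostname verification that libldap delegates to OpenSSL during STARTTLS
# (the check behind "certificate verify failed"), using throwaway CAs and a
# server certificate created in a temp directory. Needs the openssl CLI.
# CA names and hostnames used here are constructed placeholders.

WORK="$(mktemp -d)"

# make_ca NAME: self-signed CA in $WORK/NAME.pem, carrying the CA extensions
# OpenSSL requires before it accepts a certificate as a trust anchor.
make_ca() {
    cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = $1
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/$1.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# make_server CA HOST: key and CSR for HOST, signed by CA, with a DNS SAN so
# the hostname check has something to match against.
make_server() {
    cat > "$WORK/$2.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $2
EOF
    cat > "$WORK/$2.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$2.cnf" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_chain CAFILE CERT HOST: exit 0 if CERT chains to a CA in CAFILE and
# carries HOST, non-zero otherwise. -no-CApath keeps the system trust store
# out of the decision so that only CAFILE counts, which is what a client
# with TLS_REQCERT demand and TLS_CACERT set to CAFILE relies on.
verify_chain() {
    openssl verify -no-CApath -CAfile "$1" -verify_hostname "$3" "$2" \
        >/dev/null 2>&1
}

# report CAFILE CERT HOST: human-readable wrapper around verify_chain
report() {
    if verify_chain "$@"; then
        echo "OK      $2 verifies against $1 for $3"
    else
        echo "FAILED  $2 does not verify against $1 for $3"
    fi
}

make_ca ldap-ca                          # the CA that issues the server cert
make_ca other-ca                         # an unrelated CA (wrong trust anchor)
make_server ldap-ca ldap.example.test    # constructed server name

# Expected: OK, then FAILED (unrelated CA), then FAILED (hostname mismatch).
report "$WORK/ldap-ca.pem"  "$WORK/ldap.example.test.pem" ldap.example.test
report "$WORK/other-ca.pem" "$WORK/ldap.example.test.pem" ldap.example.test
report "$WORK/ldap-ca.pem"  "$WORK/ldap.example.test.pem" wrong.example.test
```

To apply this to a real deployment, run verify_chain with the file the client's TLS_CACERT points at as CAFILE, the certificate slapd serves (its TLSCertificateFile) as CERT, and the hostname from the client's URI as HOST; a FAILED result there is the same condition ldapsearch reports as "certificate verify failed", and it will show which of the two inputs (trust anchor or name) is the mismatch.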