Dear Buchan,
Thanks for helping me.
Here is what I tried and it worked. During certificate creation, I used the IP address instead of the hostname. That is why the output of the following command shows the IP address, i.e. 192.168.4.146:
$ openssl x509 -noout -subject -in /etc/openldap/CERTS/servercrt.pem
Everything worked properly when I tried the following command:
$ ldapsearch -x -H ldaps://192.168.4.146:636 -b "dc=my-domain, dc=com"
However, this is one option. I don't know why it is failing for the other option, i.e.:
1. ldap_init
2. set LDAP options
3. start_tls
All this is done in a C program. The error says "Can't contact LDAP server".
Thanks, Digambar
On 1/17/08, Buchan Milne bgmilne@staff.telkomsa.net wrote:
On Wednesday 16 January 2008 16:06:38 Digambar Sawant wrote:
Problem Definition:
I have the following sets of files on a linux host where my server is running.
Again, I am trying the ldapsearch command on the same linux machine.
*Certificate files on server machine:*
ls -l /etc/openldap/CERTS/
-rwxrwxrwx 1 root root 1265 Jan 16 18:04 cacert.pem
-rwxrwxrwx 1 root root 3604 Jan 16 18:05 servercrt.pem
-rwxrwxrwx 1 root root 1664 Jan 16 18:05 serverkey.pem
*cat /etc/openldap/ldap.conf:*
HOST 127.0.0.1
You can save typing by setting this, or URI, correctly.
PORT 636
This isn't going to do much for you ^^^. You may rather want to set URI. Please see the man page ('man ldap.conf').
TLS_CACERTDIR /etc/openldap/CERTS/
TLS_CACERT /etc/openldap/CERTS/cacert.pem
I would recommend you use only one of the above two options, to reduce confusion.
TLS_REQCERT demand
BASE dc=example,dc=com
[...]
TLSCACertificateFile /etc/openldap/CERTS/cacert.pem
TLSCertificateFile /etc/openldap/CERTS/servercrt.pem
TLSCertificateKeyFile /etc/openldap/CERTS/serverkey.pem
[...]
database ldbm
Bad idea ^^^.
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
directory /var/lib/ldap
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
[...]
*Started ldap server with:*
- /usr/sbin/slapd -f /etc/openldap/slapd.conf -d 127 -h ldaps:/// &
- netstat shows that server is listening on port 636
netstat -antp | grep slapd
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 14512/slapd
When I executed the following command on the same server machine (linux host):
ldapsearch -ZZ "CERTS/cacert.pem" -h 192.168.6.146 -p 636 -b "dc=my-domain,dc=com" -d 127
1) Under your current configuration, this requires that the server has a certificate with the subject's CN=192.168.6.146, or that this IP is in the subjAltName extension on the certificate. If, instead, there is a hostname as the CN, then you should use the hostname wherever you want to specify a connection, and ensure your name resolution takes care of connecting to the correct IP address.
Please show the output from:
$ openssl x509 -noout -subject -in /etc/openldap/CERTS/servercrt.pem
It should match whatever you use after -h or -H ldaps://
2) You shouldn't use -Z (or -ZZ) on a port already running SSL/TLS. Instead use an ldaps URI (-H ldaps://name.on.cert).
3) "CERTS/cacert.pem" must be removed; you can't specify any certificate filenames via command-line options.
It gave error logs as below:
# ldapsearch -ZZ "CERTS/cacert.pem" -h 192.168.6.146 -p 636 -b "dc=my-domain,dc=com" -d 127
ldap_start_tls: Can't contact LDAP server
This is the correct behaviour ...
*TRIAL 2*
*Start server with start_ssl*
- /usr/sbin/slapd -f /etc/openldap/slapd.conf -d 127 *start_ssl* &
?????
There should be no *start_ssl* in your commandline. If slapd has been configured with SSL certificates correctly, starting it up without any specific options will enable START_TLS.
Here netstat shows that the server is listening on 389 and not 636:
# netstat -antp | grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 14529/slapd
You can have both in fact ... but listening on 389 does not confirm the START_TLS is configured correctly.
When I executed the following command on the same linux host (where the server is running):
- # ldapsearch -Z "CERTS/cacert.pem" -h 192.168.6.146 -p 389 -b "dc=my-domain,dc=com" -d 5
1) Same issue as above with certificate's subjectDN and hostname etc.
2) Same issue regarding "CERTS/cacert.pem".
ldap_interactive_sasl_bind_s: server supports: GSSAPI PLAIN LOGIN
ldap_int_sasl_bind: GSSAPI PLAIN LOGIN
ldap_perror
ldap_sasl_interactive_bind_s: Local error
[root@tb01-03-dp02 openldap]# ldaps
You forgot -x.
Regards, Buchan
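The two client-side checks Buchan describes above (the name used after -h or -H must match the server certificate's subject CN or a subjectAltName entry, and StartTLS must not be sent to a port that already speaks TLS) as an added Python example; this is not part of the original thread and not OpenLDAP's own code. It takes the certificate's identities already parsed, as `openssl x509 -noout -subject` would print them, rather than reading a PEM file, so it runs with no certificate on disk. The CertIdentity class, the preflight() function and all sample values (192.168.4.146 and 192.168.6.146 are the addresses from the thread; the example.com names are constructed) are assumptions made for illustration.

```python
"""Pre-flight checks for an LDAP client connection before it is attempted.

Two rules from the thread are encoded:
  1. The connection target must match the certificate: for an IP literal only an
     iPAddress SAN counts, for a hostname a dNSName SAN (one leftmost wildcard
     label allowed); the subject CN is consulted only when the certificate
     carries no subjectAltName at all (the thread's self-made cert is that case).
  2. StartTLS (-Z/-ZZ or ldap_start_tls) belongs on an ldap:// connection;
     on ldaps:// the port already runs TLS and the extended operation never
     gets an LDAP reply ("Can't contact LDAP server").
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class CertIdentity:
    """Identities parsed out of a server certificate (constructed for the example)."""
    subject_cn: Optional[str]
    san_dns: List[str] = field(default_factory=list)
    san_ip: List[str] = field(default_factory=list)

    def has_san(self) -> bool:
        return bool(self.san_dns or self.san_ip)


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-ID match; '*.example.com' matches exactly one extra label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = host.split(".")
        return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]
    return False


def target_matches_cert(target: str, cert: CertIdentity) -> bool:
    """Does the host/IP the client dials match what the certificate asserts?"""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        if cert.san_ip:
            return any(ipaddress.ip_address(s) == ip for s in cert.san_ip)
        # CN fallback only when there is no SAN extension at all
        return not cert.has_san() and cert.subject_cn == str(ip)
    if cert.san_dns:
        return any(_dns_match(p, target) for p in cert.san_dns)
    return (not cert.has_san() and cert.subject_cn is not None
            and _dns_match(cert.subject_cn, target))


def uri_from_h_p(host: str, port: int) -> str:
    """-h/-p always yield a plain ldap:// URI; ldaps needs -H (the thread's first trial)."""
    return f"ldap://{host}:{port}"


def preflight(uri: str, starttls: bool, cert: CertIdentity) -> List[str]:
    """Return a list of problems; an empty list means the options are coherent."""
    parts = urlsplit(uri)
    problems: List[str] = []
    if parts.scheme not in ("ldap", "ldaps"):
        return [f"unsupported scheme {parts.scheme!r}"]
    if parts.hostname is None:
        return ["URI has no host"]
    if parts.scheme == "ldaps" and starttls:
        problems.append("StartTLS requested on ldaps://: the port already runs TLS; "
                        "drop -Z/-ZZ (or ldap_start_tls) or connect with ldap://")
    if parts.scheme == "ldap" and starttls and parts.port == 636:
        problems.append("StartTLS sent to port 636, which expects a TLS handshake first: "
                        "expect 'Can't contact LDAP server'; use -H ldaps:// instead")
    if parts.scheme == "ldap" and not starttls:
        problems.append("plaintext ldap:// without StartTLS: bind credentials travel in the clear")
    if not target_matches_cert(parts.hostname, cert):
        problems.append(f"{parts.hostname!r} matches neither CN={cert.subject_cn!r} nor any "
                        "subjectAltName; use the name on the certificate after -H")
    return problems


if __name__ == "__main__":
    cert = CertIdentity(subject_cn="192.168.4.146")          # the thread's working cert
    print(preflight("ldaps://192.168.4.146:636", False, cert))   # []
    print(preflight(uri_from_h_p("192.168.6.146", 636), True, cert))  # two problems
```

Running the script prints an empty list for the combination that worked in the thread (ldaps URI, no StartTLS, target equal to the CN) and two findings for the first failed trial (StartTLS against port 636, plus a target that is not the name on the certificate). The same two rules apply to the C client: ldap_initialize with an ldap:// URI followed by ldap_start_tls_s, or an ldaps:// URI with no StartTLS call, never both.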