For your Trial 1, it looks like you are trying to start a TLS connection on port 636. I am not sure how that works, as it may expect the old SSL (someone help me here)
For your Trial 2 is a SASL error I think. What happens if you add - x to your ldapsearch and make your connection simple auth versus SASL ?
Sellers
On Jan 16, 2008, at 9:06 AM, Digambar Sawant wrote:
Problem Definition:
I have following sets of files on a linux host where my server is running. Again, I am trying ldapsearch command on same linux machine.
Certificate files on Server machine: ls -l /etc/openldap/CERTS/ -rwxrwxrwx 1 root root 1265 Jan 16 18:04 cacert.pem -rwxrwxrwx 1 root root 3604 Jan 16 18:05 servercrt.pem
-rwxrwxrwx 1 root root 1664 Jan 16 18:05 serverkey.pem
cat ldap.conf: /etc/openldap/ldap.conf HOST 127.0.0.1 PORT 636 TLS_CACERTDIR /etc/openldap/CERTS/ TLS_CACERT /etc/openldap/CERTS/cacert.pem TLS_REQCERT demand BASE dc=example,dc=com
cat slapd.conf : /etc/openldap/slapd.conf include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/redhat/rfc822-MailMember.schema include /etc/openldap/schema/redhat/autofs.schema include /etc/openldap/schema/redhat/kerberosobject.schema
access to * by self write by users read by anonymous auth
TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCACertificateFile /etc/openldap/CERTS/cacert.pem TLSCertificateFile /etc/openldap/CERTS/servercrt.pem TLSCertificateKeyFile /etc/openldap/CERTS/serverkey.pem
database ldbm suffix "dc=my-domain,dc=com" rootdn "cn=Manager,dc=my-domain,dc=com" directory /var/lib/ldap index objectClass,uid,uidNumber,gidNumber,memberUid eq index cn,mail,surname,givenname eq,subinitial
Started ldap server with:
/usr/sbin/slapd -f /etc/openldap/slapd.conf -d 127 -h ldaps:/// &
netstat shows that server is listening on port 636
netstat -antp | grep slapd tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 14512/slapd
When I executed follwing command on same server machine (linux host): ldapsearch -ZZ "CERTS/cacert.pem" -h 192.168.6.146 -p 636 -b "dc=my- domain,dc=com" -d 127
It gave error logs as below:
#ldapsearch -ZZ "CERTS/cacert.pem" -h 192.168.6.146 -p 636 -b "dc=my- domain,dc=com" -d 127 ldap_create ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection ldap_int_open_connection ldap_connect_to_host: 192.168.6.146 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 192.168.6.146:636 ldap_connect_timeout: fd: 3 tm: -1 async: 0 ldap_ndelay_on: 3 ldap_is_sock_ready: 3 ldap_ndelay_off: 3 ldap_open_defconn: successful ldap_send_server_request ber_flush: 31 bytes to sd 3 0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1 0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 . 4.1.1466.20037 ldap_write: want=31, written=31 0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1 0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 . 4.1.1466.20037 ldap_result msgid 1 ldap_chkResponseList for msgid=1, all=1 ldap_chkResponseList returns NULL wait4msg (infinite timeout), msgid 1 wait4msg continue, msgid 1, all 1 ** Connections:
- host: 192.168.6.146 port: 636 (default) refcnt: 2 status: Connected last used: Wed Jan 16 22:11:12 2008
** Outstanding Requests:
- msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0
** Response Queue: Empty ldap_chkResponseList for msgid=1, all=1 ldap_chkResponseList returns NULL do_ldap_select read1msg: msgid 1, all 1 ber_get_next ldap_read: want=1, got=0
ber_get_next failed. ldap_perror ldap_start_tls: Can't contact LDAP server
TRIAL 2 Start server with start_ssl
- /usr/sbin/slapd -f /etc/openldap/slapd.conf -d 127 start_ssl &
Here netstat shows that server is listening on 389 and not 636
# netstat -antp | grep slapd tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 14529/slapd
When executed following command on same linux host (where server is running)
- #ldapsearch -Z "CERTS/cacert.pem" -h 192.168.6.146 -p 389 -b
"dc=my-domain,dc=com" -d 5 It gave
ldap_msgfree ldap_interactive_sasl_bind_s: server supports: GSSAPI PLAIN LOGIN ldap_int_sasl_bind: GSSAPI PLAIN LOGIN ldap_perror ldap_sasl_interactive_bind_s: Local error [root@tb01-03-dp02 openldap]# ldaps
Thanks, Digambar On Jan 16, 2008 7:09 PM, Chris G. Sellers chris.sellers@nitle.org wrote: Run your openldap server with debugging turned on (-d option) and check the output. Read the man slapd.conf for the different values of the -d flag and then see if you see why your connection is failing. Post those results here if you don't see the obvious root cause.
Sellers
On Jan 16, 2008, at 1:37 AM, Digambar Sawant wrote:
Hi,
I want to establish secure ldap connection. I have tried following:
- ldap_init
- ldap_set_option( pLdapObj, LDAP_OPT_X_TLS_CACERTFILE, "/tmp/
certficate.cert" 3. iRetCode = ldap_start_tls_s(pLdapObj, NULL, NULL);
Here 3. ldap_start_tls_s failed with error: "Can't contact LDAP server".
What is wrong here? Are there any more steps to make it work? Please help me.
Thanks, Digambar
Chris G. Sellers | NITLE Technology 734.661.2318 | chris.sellers@nitle.org AIM: imthewherd | GTalk: cgseller@gmail.com
______________________________________________ Chris G. Sellers | NITLE Technology 734.661.2318 | chris.sellers@nitle.org AIM: imthewherd | GTalk: cgseller@gmail.com