Hello all,
I hope someone could help me -- I'm trying for almost one whole day already and couldn't get LDAP over SSL to work, without success.
The objective is to setup a development box for testing purposes, so, the simpler the better, however, it must be as simple as needed only.
I've followed this tutorial: http://islandlinux.org/howto/installing-secure-ldap-openldap-ssl-ubuntu-usin.... I'm on Mac OSX Snow Leopard, though.
slapd version: @(#) $OpenLDAP: slapd 2.4.11 (Feb 11 2010 02:23:14) //Installed from MacPorts
I have generated a self-signed certificate using this command:
sudo openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650
I've set the Common Name to "localhost".
The configuration files look like this (non-relevanted parts snipped):
slapd.conf:
TLSCipherSuite HIGH:MEDIUM:-SSLv2 TLSCACertificateFile /Users/myuser/Sandbox/server.pem TLSCertificateFile /Users/myuser/Sandbox/server.pem TLSCertificateKeyFile /Users/myuser/Sandbox/server.pem
TLSVerifyUser never
ldap.conf
BASE dc=mycompany,dc=com URI ldaps://localhost/ TLS_REQCERT never
I'm starting slapd with the following command:
sudo /usr/libexec/slapd -f /opt/local/etc/openldap/slapd.conf -d1 -h "ldaps:///"
And testing the connection with the following:
ldapsearch -H ldaps://localhost -d255
When running ldapsearch, I get the following as output:
ldap_create
ldap_url_parse_ext(ldaps://localhost) ldap_pvt_sasl_getmech ldap_search put_filter: "(objectclass=*)" put_filter: simple put_simple_filter: "objectclass=*" ldap_build_search_req ATTRS: supportedSASLMechanisms ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP localhost:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying ::1 636 ldap_connect_timeout: fd: 3 tm: -1 async: 0 TLS trace: SSL_connect:before/connect initialization tls_write: want=124, written=124 0000: 80 7a 01 03 01 00 51 00 00 00 20 00 00 39 00 00 .z....Q... ..9.. 0010: 38 00 00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 8..5............ 0020: 00 00 33 00 00 32 00 00 2f 00 00 07 05 00 80 03 ..3..2../....... 0030: 00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00 ................ 0040: 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 ......@......... 0050: 00 00 06 04 00 80 00 00 03 02 00 80 0c e4 9d 98 ................ 0060: c1 ad 36 d0 88 fb 6b 92 32 a0 ce 22 63 82 99 3b ..6...k.2.."c..; 0070: 3b 3d 03 03 38 05 d0 a1 30 2d 9f d2 ;=..8...0-.. TLS trace: SSL_connect:SSLv2/v3 write client hello A tls_read: want=7, got=0
TLS: can't connect. ldap_perror ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
As you can see, it fails with the "TLS: can't connect" error message. Not that obvious. I then switch to the terminal that has slapd running on the fg, and I see the following:
(snip) connection_get(13): got connid=0 connection_read(13): checking for input on id=0 *connection_read(13): TLS accept failure error=-1 id=0, closing* connection_closing: readying conn=0 sd=13 for close connection_close: conn=0 sd=13
What I don't understand is why it is failing if I've set both sides to ignore certificates. What am I doing wrong?
Marcelo.