Hello all,

I hope someone could help me -- I'm trying for almost one whole day already and couldn't get LDAP over SSL to work, without success.

The objective is to setup a development box for testing purposes, so, the simpler the better, however, it must be as simple as needed only.

I've followed this tutorial: http://islandlinux.org/howto/installing-secure-ldap-openldap-ssl-ubuntu-using-self-signed-certificate. I'm on Mac OSX Snow Leopard, though.

slapd version: @(#) $OpenLDAP: slapd 2.4.11 (Feb 11 2010 02:23:14) //Installed from MacPorts

I have generated a self-signed certificate using this command:

sudo openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650

I've set the Common Name to "localhost".

The configuration files look like this (non-relevanted parts snipped):

slapd.conf:

TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCACertificateFile /Users/myuser/Sandbox/server.pem
TLSCertificateFile /Users/myuser/Sandbox/server.pem
TLSCertificateKeyFile /Users/myuser/Sandbox/server.pem

TLSVerifyUser never

ldap.conf

BASE dc=mycompany,dc=com
URI  ldaps://localhost/
TLS_REQCERT never

I'm starting slapd with the following command:

sudo /usr/libexec/slapd -f /opt/local/etc/openldap/slapd.conf -d1 -h "ldaps:///"

And testing the connection with the following:

ldapsearch  -H ldaps://localhost -d255

When running ldapsearch, I get the following as output:

ldap_create
ldap_url_parse_ext(ldaps://localhost)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_build_search_req ATTRS:
    supportedSASLMechanisms
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
tls_write: want=124, written=124
  0000:  80 7a 01 03 01 00 51 00  00 00 20 00 00 39 00 00   .z....Q... ..9.. 
  0010:  38 00 00 35 00 00 16 00  00 13 00 00 0a 07 00 c0   8..5............ 
  0020:  00 00 33 00 00 32 00 00  2f 00 00 07 05 00 80 03   ..3..2../....... 
  0030:  00 80 00 00 05 00 00 04  01 00 80 00 00 15 00 00   ................ 
  0040:  12 00 00 09 06 00 40 00  00 14 00 00 11 00 00 08   ......@......... 
  0050:  00 00 06 04 00 80 00 00  03 02 00 80 0c e4 9d 98   ................ 
  0060:  c1 ad 36 d0 88 fb 6b 92  32 a0 ce 22 63 82 99 3b   ..6...k.2.."c..; 
  0070:  3b 3d 03 03 38 05 d0 a1  30 2d 9f d2               ;=..8...0-..     
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=0

TLS: can't connect.
ldap_perror
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

As you can see, it fails with the "TLS: can't connect" error message. Not that obvious. I then switch to the terminal that has slapd running on the fg, and I see the following:

(snip)
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
connection_read(13): TLS accept failure error=-1 id=0, closing
connection_closing: readying conn=0 sd=13 for close
connection_close: conn=0 sd=13

What I don't understand is why it is failing if I've set both sides to ignore certificates. What am I doing wrong?

Marcelo.