Hello, I'm still having issues with tls, getting a openldap 2.4 client and server to talk tls to each other. If anyone has a sanitized working configuration i'd like to see it. I'm starting to wonder if i have to apply any security settings? I'm getting the below with tls now. Thanks. Dave.
#/usr/local/libexec/slapd -d 5 -h ldap://0.0.0.0 @(#) $OpenLDAP: slapd 2.4.7 (Jan 20 2008 00:56:58) $ root@ldap1:/var/ports/basejail/usr/ports/net/openldap24-server/work/openldap-2.4.7/servers/slapdldap_pvt_gethostbyname_a: host=ldap, r=0daemon_init: ldap://0.0.0.0daemon_init: listen on ldap://0.0.0.0daemon_init: 1 listeners to open...ldap_url_parse_ext(ldap://0.0.0.0)daemon: listener initialized ldap://0.0.0.0daemon_init: 1 listeners openedldap_createslapd init: initiated server.bdb_back_initialize: initialize BDB backendbdb_back_initialize: Berkeley DB 4.6.21: (September 27, 2007)bdb_db_init: Initializing BDB database>>> dnPrettyNormal: <dc=davemehler,dc=com>=> ldap_bv2dn(dc=davemehler,dc=com,0)<= ldap_bv2dn(dc=davemehler,dc=com)=0=> ldap_dn2bv(272)<= ldap_dn2bv(dc=davemehler,dc=com)=0=> ldap_dn2bv(272)<= ldap_dn2bv(dc=davemehler,dc=com)=0<<< dnPrettyNormal: <dc=davemehler,dc=com>, <dc=davemehler,dc=com>>>> dnPrettyNormal: <cn=Manager,dc=davemehler,dc=com>=> ldap_bv2dn(cn=Manager,dc=davemehler,dc=com,0)<= ldap_bv2dn(cn=Manager,dc=davemehler,dc=com)=0=> ldap_dn2bv(272)<= ldap_dn2bv(cn=Manager,dc=davemehler,dc=com)=0=> ldap_dn2bv(272)<= ldap_dn2bv(cn=manager,dc=davemehler,dc=com)=0<<< dnPrettyNormal: <cn=Manager,dc=davemehler,dc=com>,<cn=manager,dc=davemehler,dc=com>>>> dnNormalize: <cn=Subschema>=> ldap_bv2dn(cn=Subschema,0)<= ldap_bv2dn(cn=Subschema)=0=> ldap_dn2bv(272)<= ldap_dn2bv(cn=subschema)=0<<< dnNormalize: <cn=subschema>matching_rule_use_init 1.2.840.113556.1.4.804 (integerBitOrMatch): matchingRuleUse: (1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' APPLIES (supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ipProtocolNumber $ oncRpcNumber ) ) 1.2.840.113556.1.4.803 (integerBitAndMatch): matchingRuleUse: (1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' APPLIES (supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServic ePort $ipProtocolNumber $ oncRpcNumber ) ) 1.3.6.1.4.1.1466.109.114.2 (caseIgnoreIA5Match): matchingRuleUse: (1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' APPLIES ( altServer $ c$ mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $nSRecord $ sOARecord $ cNAMERecord $ janetMailbox $ gecos $ homeDirectory $loginShell $ memberUid $ memberNisNetgroup $ ipHostNumber $ ipNetworkNumber$ ipNetmaskNumber $ macAddress $ bootFile $ nisMapEntry $ mailbox $ quota $maildrop $ mailsource $ virtualdomain $ virtualdomainuser $ defaultdelivery$ disableimap $ disablepop3 $ disablewebmail $ sharedgroup $ disableshared $mailhost ) ) 1.3.6.1.4.1.1466.109.114.1 (caseExactIA5Match): matchingRuleUse: (1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' APPLIES ( altServer $ c$ mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $nSRecord $ sOARecord $ cNAMERecord $ janetMailbox $ gecos $ homeDirectory $loginShell $ memberUid $ memberNisNetgroup $ ipHostNumber $ ipNetworkNumber$ ipNetmaskNumber $ macAddress $ bootFile $ nisMapEntry $ mailbox $ quota $maildrop $ mailsource $ virtualdomain $ virtualdomainuser $ defaultdelivery$ disableimap $ disablepop3 $ disablewebmail $ sharedgroup $ disableshared $mailhost ) ) 2.5.13.35 (certificateMatch): 2.5.13.34 (certificateExactMatch):matchingRuleUse: ( 2.5.13.34 NAME 'certificateExactMatch' APPLIES (userCertificate $ cACertificate ) ) 2.5.13.30 (objectIdentifierFirstComponentMatch): matchingRuleUse: (2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' APPLIES (supportedControl $ supportedExtension $ supportedFeatures $ ldapSyntaxes $supportedApplicationContext ) ) 2.5.13.29 (integerFirstComponentMatch): matchingRuleUse: ( 2.5.13.29NAME 'integerFirstComponentMatch' APPLIES ( supportedLDAPVersion $ entryTtl$ uidNumber $ gidNumber $ mailPreferenceOption $ shadowLastChange $shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) ) 2.5.13.27 (generalizedTimeMa tch): matchingRuleUse: ( 2.5.13.27 NAME'generalizedTimeMatch' APPLIES ( createTimestamp $ modifyTimestamp ) ) 2.5.13.24 (protocolInformationMatch): matchingRuleUse: ( 2.5.13.24 NAME'protocolInformationMatch' APPLIES protocolInformation ) 2.5.13.23 (uniqueMemberMatch): matchingRuleUse: ( 2.5.13.23 NAME'uniqueMemberMatch' APPLIES uniqueMember ) 2.5.13.22 (presentationAddressMatch): matchingRuleUse: ( 2.5.13.22 NAME'presentationAddressMatch' APPLIES presentationAddress ) 2.5.13.20 (telephoneNumberMatch): matchingRuleUse: ( 2.5.13.20 NAME'telephoneNumberMatch' APPLIES ( telephoneNumber $ homePhone $ mobile $pager ) ) 2.5.13.17 (octetStringMatch): matchingRuleUse: ( 2.5.13.17 NAME'octetStringMatch' APPLIES ( userPassword $ clearPassword ) ) 2.5.13.16 (bitStringMatch): matchingRuleUse: ( 2.5.13.16 NAME'bitStringMatch' APPLIES x500UniqueIdentifier ) 2.5.13.14 (integerMatch): matchingRuleUse: ( 2.5.13.14 NAME'integerMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $gidNumber $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax$ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort$ ipProtocolNumber $ oncRpcNumber ) ) 2.5.13.13 (booleanMatch): matchingRuleUse: ( 2.5.13.13 NAME'booleanMatch' APPLIES hasSubordinates ) 2.5.13.11 (caseIgnoreListMatch): matchingRuleUse: ( 2.5.13.11 NAME'caseIgnoreListMatch' APPLIES ( postalAddress $ registeredAddress $homePostalAddress ) ) 2.5.13.8 (numericStringMatch): matchingRuleUse: ( 2.5.13.8 NAME'numericStringMatch' APPLIES ( x121Address $ internationaliSDNNumber ) ) 2.5.13.7 (caseExactSubstringsMatch): matchingRuleUse: ( 2.5.13.7 NAME'caseExactSubstringsMatch' APPLIES ( serialNumber $ destinationIndicator $dnQualifier ) ) 2.5.13.6 (caseExactOrderingMatch): matchingRuleUse: ( 2.5.13.6 NAME'caseExactOrderingMatch' APPLIES ( serialNumber $ destinationIndicator $dnQualifier ) ) 2.5.13.5 (caseExactMatch): matchingRuleUse: ( 2.5.13.5 NAME'caseExactMatch' APPLIES ( supportedSASLMechanisms $ vendorName $vendor Version $ ref $ name $ cn $ uid $ labeledURI $ description $knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $title $ businessCategory $ postalCode $ postOfficeBox $physicalDeliveryOfficeName $ destinationIndicator $ givenName $ initials $generationQualifier $ dnQualifier $ houseIdentifier $ dmdName $ pseudonym $textEncodedORAddress $ info $ drink $ roomNumber $ userClass $ host $documentIdentifier $ documentTitle $ documentVersion $ documentLocation $personalTitle $ co $ uniqueIdentifier $ organizationalStatus $ buildingName$ documentPublisher $ ipServiceProtocol $ nisMapName $ carLicense $departmentNumber $ displayName $ employeeNumber $ employeeType $preferredLanguage ) ) 2.5.13.4 (caseIgnoreSubstringsMatch): matchingRuleUse: ( 2.5.13.4 NAME'caseIgnoreSubstringsMatch' APPLIES ( serialNumber $ destinationIndicator $dnQualifier ) ) 2.5.13.3 (caseIgnoreOrderingMatch): matchingRuleUse: ( 2.5.13.3 NAME'caseIgnoreOrderingMatch' APPLIES ( serialNumber $ destinationIndicator $dnQualifier ) ) 2.5.13.2 (caseIgnoreMatch): matchingRuleUse: ( 2.5.13.2 NAME'caseIgnoreMatch' APPLIES ( supportedSASLMechanisms $ vendorName $vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $title $ businessCategory $ postalCode $ postOfficeBox $physicalDeliveryOfficeName $ destinationIndicator $ givenName $ initials $generationQualifier $ dnQualifier $ houseIdentifier $ dmdName $ pseudonym $textEncodedORAddress $ info $ drink $ roomNumber $ userClass $ host $documentIdentifier $ documentTitle $ documentVersion $ documentLocation $personalTitle $ co $ uniqueIdentifier $ organizationalStatus $ buildingName$ documentPublisher $ ipServiceProtocol $ nisMapName $ carLicense $departmentNumber $ displayName $ employeeNumber $ employeeType $preferredLanguage ) ) 1.2.36.79672281.1.13.3 (rdnMatch): 2.5.13.1(distinguishedNameMatch): matchingRuleUse: ( 2.5.13.1 NAME'distinguishedNameMatch' APPLIES ( creatorsName $ modifiersName $s ubschemaSubentry $ entryDN $ namingContexts $ aliasedObjectName $dynamicSubtrees $ distinguishedName $ seeAlso $ member $ owner $roleOccupant $ manager $ documentAuthor $ secretary $ associatedName $dITRedirect ) ) 2.5.13.0 (objectIdentifierMatch): matchingRuleUse: ( 2.5.13.0 NAME'objectIdentifierMatch' APPLIES ( supportedControl $ supportedExtension $supportedFeatures $ supportedApplicationContext ) )slapd startup: initiated.backend_startup_one: starting "cn=config"config_back_db_openconfig_build_entry: "cn=config"config_build_entry: "cn=module{0}"config_build_entry: "cn=schema"config_build_entry: "cn={0}core"config_build_entry: "cn={1}cosine"config_build_entry: "cn={2}nis"config_build_entry: "cn={3}inetorgperson"config_build_entry: "cn={4}authldap"config_build_entry: "olcDatabase={-1}frontend"config_build_entry: "olcDatabase={0}config"config_build_entry: "olcDatabase={1}bdb"backend_startup_one: starting "dc=davemehler,dc=com"bdb_db_open: "dc=davemehler,dc=com"bdb_db_open: warning - no DB_CONFIG file found in directory/var/db/openldap-data: (2).Expect poor performance for suffix "dc=davemehler,dc=com".bdb_db_open: database "dc=davemehler,dc=com":dbenv_open(/var/db/openldap-data).slapd startingslap_listener_activate(6):>>> slap_listener(ldap://0.0.0.0)connection_get(10)connection_get(10): got connid=0connection_read(10): checking for input on id=0ber_get_nextber_get_next: tag 0x30 len 29 contents:ber_get_nextconn=0 op=0 do_extendedber_scanf fmt ({m) ber:do_extended: oid=1.3.6.1.4.1.1466.20037send_ldap_extended: err=0 oid= len=0send_ldap_response: msgid=1 tag=120 err=0ber_flush2: 14 bytes to sd 10connection_get(10)connection_get(10): got connid=0connection_read(10): checking for input on id=0TLS trace: SSL_accept:before/accept initializationTLS trace: SSL_accept:SSLv3 read client hello ATLS trace: SSL_accept:SSLv3 write server hello ATLS trace: SSL_accept:SSLv3 write certificate ATLS trace: SSL_accept:SSLv3 write certificate request ATLS trace: SSL_accept:SSLv3 flush dataTLS trace: SSL_accept:error in SSLv3 re ad client certificate ATLS trace: SSL_accept:error in SSLv3 read client certificate Aconnection_get(10)connection_get(10): got connid=0connection_read(10): checking for input on id=0TLS trace: SSL3 alert write:fatal:handshake failureTLS trace: SSL_accept:error in SSLv3 read client certificate BTLS: can't accept.TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did notreturn a certificate s3_srvr.c:2514connection_read(10): TLS accept failure error=-1 id=0, closingconnection_closing: readying conn=0 sd=10 for closeconnection_close: conn=0 sd=10^Cdaemon: shutdown requested and initiated.slapd shutdown: waiting for 0 threads to terminateslapd shutdown: initiated====> bdb_cache_release_allslapd destroy: freeing system resources.slapd stopped.