Hello, I am running openldap-2.3.32 with SLAPD on a Linux server, and also openldap-2.3.32 on a Linux client.
slapd.conf includes:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/servercert.pem
TLSCertificateKeyFile /usr/local/etc/openldap/newkey.pem
TLSVerifyClient never (or allow)
Issue1: Here is the debug output from the openldap code if the ldap.conf file has the following in it when I try authentication:
TLS_CACERT cacert.pem
TLS_CACERTDIR /usr/local/etc/openldap/
Login: ldapuser2
Password: *********
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 140.179.180.135:389
ldap_new_socket: 6
ldap_prepare_socket: 6
ldap_connect_to_host: Trying 140.179.180.135:389
ldap_connect_timeout: fd: 6 tm: 5 async: 0
ldap_ndelay_on: 6
ldap_is_sock_ready: 6
ldap_ndelay_off: 6
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x100141d0 msgid 1
ldap_chkResponseList ld 0x100141d0 msgid 1 all 1
ldap_chkResponseList returns ld 0x100141d0 NULL
wait4msg ld 0x100141d0 msgid 1 (infinite timeout)
wait4msg continue ld 0x100141d0 msgid 1 all 1
** ld 0x100141d0 Connections:
* host: 140.179.180.135  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jul 20 09:26:37 2006
** ld 0x100141d0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x100141d0 Response Queue:
   Empty
ldap_chkResponseList ld 0x100141d0 msgid 1 all 1
ldap_chkResponseList returns ld 0x100141d0 NULL
ldap_int_select
read1msg: ld 0x100141d0 msgid 1 all 1
read1msg: ld 0x100141d0 msgid 1 message type extended-result
new result:  res_errno: 0, res_error: <>, res_matched: <>
read1msg: ld 0x100141d0 0 new referrals
read1msg:  mark request completed, ld 0x100141d0 msgid 1
request done: ld 0x100141d0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS: could not load verify locations (file:`cacert.pem',dir:`/usr/local/etc/openldap/').
TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:104
TLS: error:2006D080:BIO routines:BIO_new_file:no such file bss_file.c:107
TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib by_file.c:274
ldap_err2string
Now, that pem file "cacert.pem" is in /usr/local/etc/openldap.
Can anyone tell me why I get this error?
Also, I thought that with "TLSVerifyClient never" the server wouldn't even ask for the client's certificate, and that with "allow" it would ask but wouldn't care if the certificate was not there or could not be verified.
Issue2: Here is the debug output from the openldap code when I try authentication and the ldap.conf file does not have "TLS_CACERT cacert.pem" or "TLS_CACERTDIR /usr/local/etc/openldap/" in it:
Login: ldapuser2
Password: *********
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 140.179.169.185:389
ldap_new_socket: 6
ldap_prepare_socket: 6
ldap_connect_to_host: Trying 140.179.180.135:389
ldap_connect_timeout: fd: 6 tm: 5 async: 0
ldap_ndelay_on: 6
ldap_is_sock_ready: 6
ldap_ndelay_off: 6
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x100141d0 msgid 1
ldap_chkResponseList ld 0x100141d0 msgid 1 all 1
ldap_chkResponseList returns ld 0x100141d0 NULL
wait4msg ld 0x100141d0 msgid 1 (infinite timeout)
wait4msg continue ld 0x100141d0 msgid 1 all 1
** ld 0x100141d0 Connections:
* host: 140.179.180.135  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jul 20 10:05:12 2006
** ld 0x100141d0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x100141d0 Response Queue:
   Empty
ldap_chkResponseList ld 0x100141d0 msgid 1 all 1
ldap_chkResponseList returns ld 0x100141d0 NULL
ldap_int_select
read1msg: ld 0x100141d0 msgid 1 all 1
read1msg: ld 0x100141d0 msgid 1 message type extended-result
new result:  res_errno: 0, res_error: <>, res_matched: <>
read1msg: ld 0x100141d0 0 new referrals
read1msg:  mark request completed, ld 0x100141d0 msgid 1
request done: ld 0x100141d0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /C=US/ST=Massachusetts/L=Littleton/O=MRV Inc/OU=Engineering/CN=DerJer/emailAddress=pino@mrv.com, issuer: /C=US/ST=Massachusetts/L=Littleton/O=MRV Inc/OU=Engineering/CN=DerJer/emailAddress=pino@mrv.com
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_err2string
I guess my question here is similar to the above. If TLSVerifyClient is set to never or allow, I get the above error.
Can anyone tell me why I get this error?
Any help would be most appreciated.

Thanks,
Phil Bellino

============================
Phil Bellino
MRV Communications, Inc.
Boston Product Division
295 Foster St.
Littleton, MA 01460
Tel: (978)952-4807
Email: pbellino@mrv.com
============================
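An added example, not part of Phil's post or of OpenLDAP itself: a small Python checker for the TLS directives in a client ldap.conf. It flags a TLS_CACERT given as a bare file name (libldap hands the string to the TLS library unchanged, so it is opened relative to the client's current directory, not inside TLS_CACERTDIR, which is what the fopen error in Issue 1 shows), a configuration with no CA at all (with the default TLS_REQCERT demand the client rejects a server certificate it cannot chain, which is the "unknown CA" alert in Issue 2; the server's TLSVerifyClient only governs whether a client certificate is requested and has no bearing on this), and a TLS_REQCERT of never or allow. The sample configurations and the placeholder CA file are constructed for the demo.

```python
import os
import tempfile

TLS_KEYS = ("TLS_CACERT", "TLS_CACERTDIR", "TLS_REQCERT")


def parse_tls_directives(text):
    """Collect TLS_* directives from ldap.conf text (comments and blank lines skipped)."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper() in TLS_KEYS:
            found[parts[0].upper()] = parts[1].strip()
    return found


def check_tls_directives(text):
    """Return a list of findings; an empty list means the CA settings look sane."""
    d = parse_tls_directives(text)
    findings = []
    cacert, cadir = d.get("TLS_CACERT"), d.get("TLS_CACERTDIR")
    if cacert is None and cadir is None:
        findings.append("no CA configured: server certificate cannot be chained, StartTLS fails with unknown CA")
    if cacert is not None and not os.path.isabs(cacert):
        findings.append("relative TLS_CACERT: opened relative to the process cwd, not TLS_CACERTDIR")
    elif cacert is not None and not os.path.isfile(cacert):
        findings.append("TLS_CACERT file not found: " + cacert)
    if cadir is not None and not os.path.isdir(cadir):
        findings.append("TLS_CACERTDIR is not a directory: " + cadir)
    reqcert = d.get("TLS_REQCERT", "demand").lower()  # ldap.conf default is demand
    if reqcert in ("never", "allow"):
        findings.append("TLS_REQCERT " + reqcert + " accepts an unverified server certificate")
    return findings


# Constructed inputs: the ldap.conf lines from the post, and one with no CA lines at all.
POSTED_CONF = "TLS_CACERT cacert.pem\nTLS_CACERTDIR /usr/local/etc/openldap/\n"
NO_CA_CONF = "BASE dc=example,dc=com\nURI ldap://ldap.example.com\n"


def demo():
    """Check the two constructed configs plus a corrected one pointing at a real (placeholder) CA file."""
    with tempfile.TemporaryDirectory() as tmp:
        ca_path = os.path.join(tmp, "cacert.pem")
        with open(ca_path, "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
        fixed = "TLS_CACERT " + ca_path + "\nTLS_REQCERT demand\n"
        return {"posted": check_tls_directives(POSTED_CONF),
                "no_ca": check_tls_directives(NO_CA_CONF),
                "fixed": check_tls_directives(fixed)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name + ":", findings or ["ok"])
```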