Hello friends, this is Sri. I have encountered a problem while trying to work with ldapsearch on port 636, though slapd on my server system is listening on both ports 636 & 389. My server is configured on a LINUX machine while my client is a SOLARIS machine. I have added these lines to slapd.conf (path of my server and client certificates) and to ldap.conf (HOST rsasol1, PORT 636). (FYI: ldapsearch is working fine with port 389.) rsasol1 is the hostname of my machine. It throws an error: *Can't contact LDAP server (-1)* *additional info: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac*
Can any one of us help me with this issue?
Thanks in advance.
With regards, Sri.
What version are you running? ITS#4583 often manifested itself with this message. Upgrade to the latest 2.3 OpenLDAP release (bumping up OpenSSL while you're at it might be a good idea too), and if you're still having this issue you can turn up slapd/ldapsearch debugging, post config files, etc.
On Mon, 16 Jul 2007, sridhar varadarajan wrote:
Hello friends, this is Sri. I have encountered a problem while trying to work with ldapsearch on port 636, though slapd on my server system is listening on both ports 636 & 389. My server is configured on a LINUX machine while my client is a SOLARIS machine. I have added these lines to slapd.conf (path of my server and client certificates) and to ldap.conf (HOST rsasol1, PORT 636). (FYI: ldapsearch is working fine with port 389.) rsasol1 is the hostname of my machine. It throws an error: *Can't contact LDAP server (-1)*
additional info: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac*
Can any one of us help me with this issue?
Thanks in advance.
With regards, Sri.
sridhar varadarajan writes:
i have added these lines to slapd.conf :(path of my server and client certificates) and ldap.conf with( HOST rsasol1 ,PORT 636).
That is wrong. Clients do not deduce the protocol from the port, they deduce the default port from the protocol. So your client tries to use the ldap protocol against port 636, which presumably listens for the ldaps protocol.
If you want to default to ldaps, remove HOST and PORT and instead use URI ldaps://<fully qualified host name>/ in ldap.conf.
Note that the hostname in the URL must match a hostname in your server certificate (i.e. the 'cn' or a Subject Alt Name extension), otherwise it looks to the client like the connection has been hijacked (it got the certificate of another host than the one it tried to connect to).
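As an added example that is not part of the thread, the Python sketch below models the two rules in the reply above: the client derives the default port from the protocol (HOST/PORT never yields ldaps), and the name in the URI must match the server certificate. The example.com suffix and the certificate data are constructed; the preference for dNSName SANs over the CN is an assumption taken from RFC 6125, not something the thread states.

```python
# Added example (not from the thread): how an LDAP client derives the
# protocol from ldap.conf, and the hostname check the reply describes.
# All sample data is constructed; no server or real certificate is used.
from urllib.parse import urlsplit

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}


def resolve_endpoint(conf: dict) -> tuple[str, str, int]:
    """Return (scheme, host, port) the way the reply explains it:
    the port never implies the protocol; the protocol implies the port."""
    if "URI" in conf:
        u = urlsplit(conf["URI"].split()[0])   # first URI only, for the demo
        scheme = u.scheme.lower()
        if scheme not in DEFAULT_PORT:
            raise ValueError(f"unsupported scheme {scheme!r}")
        return scheme, u.hostname, u.port or DEFAULT_PORT[scheme]
    # Legacy HOST/PORT: the scheme is plaintext ldap, whatever PORT says,
    # so "PORT 636" sends cleartext LDAP at a TLS listener.
    return "ldap", conf["HOST"], int(conf.get("PORT", 389))


def hostname_matches(host: str, cn: str, san_dns: list[str]) -> bool:
    """Does the hostname from the URI match the server certificate?
    Assumption (RFC 6125, not from the thread): dNSName SANs take
    precedence; the CN is consulted only when no dNSName SAN exists."""
    def label_match(pattern: str, name: str) -> bool:
        p, n = pattern.lower().rstrip("."), name.lower().rstrip(".")
        if p == n:
            return True
        # Wildcard allowed in the leftmost label only, matching one label.
        if p.startswith("*.") and "*" not in p[2:]:
            return n.count(".") == p.count(".") and n.endswith(p[1:])
        return False

    candidates = san_dns if san_dns else [cn]
    return any(label_match(c, host) for c in candidates)


# Constructed ldap.conf fragments mirroring the thread.
BROKEN_CONF = {"HOST": "rsasol1", "PORT": "636"}          # ldap://rsasol1:636
FIXED_CONF = {"URI": "ldaps://rsasol1.example.com/"}      # ldaps, port 636

if __name__ == "__main__":
    print(resolve_endpoint(BROKEN_CONF))   # ('ldap', 'rsasol1', 636)
    print(resolve_endpoint(FIXED_CONF))    # ('ldaps', 'rsasol1.example.com', 636)
    # A short hostname in the URI does not match an FQDN in the cert.
    print(hostname_matches("rsasol1", "rsasol1.example.com", []))   # False
```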
openldap-software@openldap.org