Hello, I am running slapd(openldap-2.3.32) on a linux host. I am also running openldap-2-32-3 on a linux client. If I use the "allow_bind_v2" switch in the slapd.conf file, I can do anonymous simple binds from the client to the server over TCP with no problems. I can also do simple login/password authentication with no problems.
I am now trying to use v3 secure connections. When I attempt to authenticate, I get the following errors from the slapd logs (in bold):
TLS trace: SSL_accept:SSLv3 flush data
*tls_read: want=5 error=Resource temporarily unavailable*
*TLS trace: SSL_accept:error in SSLv3 read client certificate A*
*TLS trace: SSL_accept:error in SSLv3 read client certificate A*
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: epoll: listen=9 active_threads=0 tvp=NULL
daemon: epoll: listen=10 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on: 14r
daemon: read active on 14
connection_get(14)
connection_get(14): got connid=0
connection_read(14): checking for input on id=0
tls_read: want=5, got=5
0000: 15 03 01 00 02 .....
tls_read: want=2, got=2
0000: 02 30 .0
*TLS trace: SSL3 alert read:fatal:unknown CA*
*TLS trace: SSL_accept:failed in SSLv3 read client certificate A*
*TLS: can't accept.*
*TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1057*
*connection_read(14): TLS accept failure error=-1 id=0, closing*
connection_closing: readying conn=0 sd=14 for close
connection_close: conn=0 sd=14
daemon: removing 14
conn=0 fd=14 closed (TLS negotiation failure)
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: epoll: listen=9 active_threads=0 tvp=NULL
daemon: epoll: listen=10 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: epoll: listen=9 active_threads=0 tvp=NULL
daemon: epoll: listen=10 active_threads=0 tvp=NULL
My slapd.conf file is:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args

TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/servercrt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/serverkey.pem
TLSVerifyClient never

#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix "dc=mrv,dc=com"
rootdn "cn=Manager,dc=mrv,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
#index ou,cn,mail,surname,givenname eq,pres,sub
#index uidNumber,gidNumber,loginShell eq,pres
#index uid,memberUid eq,pres,sub
#index nisMapName,nisMapEntry eq,pres,sub
It looks to me as if slapd is trying to read the client certificate even though my slapd.conf file entry "TLSVerifyClient never" is set. I am new to this all, so I do not know if I am interpreting this correctly or not. Any help would be most appreciated.
Thanks, Phil Bellino ============================ Phil Bellino MRV Communications, Inc. Boston Product Division 295 Foster St. Littleton,MA 01460 Tel: (978)952-4807 Email: pbellino@mrv.com ============================
Philip Bellino wrote:
Hello, I am running slapd(openldap-2.3.32) on a linux host. I am also running openldap-2-32-3 on a linux client. If I use the "allow_bind_v2" switch in the slapd.conf file, I can do anonymous simple binds from the client to the server over TCP with no problems. I can also do simple login/password authentication with no problems.
Anonymous Simple Binds are allowed regardless of the "allow_bind_v2" option. As its name implies, that option only controls whether to accept Binds that specify LDAPv2. That option defaults to off and generally should stay off. LDAPv3 has been around for 10 years already and LDAPv2 was officially retired 4 years ago; there's no good reason for anybody to still be using it now.
I am now trying to use v3 secure connections. When I attempt to authenticate, I get the following errors from the slapd logs (in bold):
TLS trace: SSL_accept:SSLv3 flush data
*tls_read: want=5 error=Resource temporarily unavailable*
*TLS trace: SSL_accept:error in SSLv3 read client certificate A*
*TLS trace: SSL_accept:error in SSLv3 read client certificate A*
This error was ignored by slapd, otherwise the log would have shown the connection being closed here. This behavior is normal, since you didn't require client certificate verification.
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: epoll: listen=9 active_threads=0 tvp=NULL
daemon: epoll: listen=10 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on: 14r
daemon: read active on 14
connection_get(14)
connection_get(14): got connid=0
connection_read(14): checking for input on id=0
tls_read: want=5, got=5
0000: 15 03 01 00 02 .....
tls_read: want=2, got=2
0000: 02 30 .0
*TLS trace: SSL3 alert read:fatal:unknown CA*
*TLS trace: SSL_accept:failed in SSLv3 read client certificate A*
*TLS: can't accept.*
*TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1057*
*connection_read(14): TLS accept failure error=-1 id=0, closing*
connection_closing: readying conn=0 sd=14 for close
connection_close: conn=0 sd=14
This shows that the client sent an "unknown CA" message to the server and that the client considered it a fatal error, and closed the connection.
It looks to me as if slapd is trying to read the client certificate even though my slapd.conf file entry "*TLSVerifyClient never*" is set. I am new to this all, so I do not know if I am interpreting this correctly or not.
That is not the important part of the trace.
Any help would be most appreciated.
Read the Admin Guide section on Using TLS. http://www.openldap.org/doc/admin23/tls.html
openldap-software@openldap.org
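The two hex dump lines in the slapd trace are the whole story of this failure, and decoding them shows why the reply says the "read client certificate" messages are not the important part. What follows is an added example, not code from the original thread and not part of OpenLDAP: it pulls the bytes out of the `0000: ...` dump lines exactly as they appear in the post, parses them as a TLS record, and reports the alert. The alert level and description names are the standard values from RFC 2246; the `TRACE` string is the poster's own log lines, and the hex dump regex assumes slapd's `offset: xx xx ..` layout.

```python
# Added example (not from the original thread or from OpenLDAP): decode the
# TLS alert record in the slapd trace above. Because slapd logged the bytes
# under tls_read, they were read *from* the client, so the alert was sent by
# the client and describes what the client thinks of the server's certificate.
import re

# TLS AlertLevel / AlertDescription values (RFC 2246, also in RFC 5246).
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation",
}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

# The relevant lines, copied from the trace quoted in the post above.
TRACE = """\
tls_read: want=5, got=5
0000: 15 03 01 00 02 .....
tls_read: want=2, got=2
0000: 02 30 .0
"""

# slapd prints hex dumps as "<4-hex-digit offset>: xx xx xx  <ascii column>".
# Only the hex pairs directly after the offset are collected; the ASCII
# column stops the match because its characters are not hex pairs.
_DUMP_LINE = re.compile(r"^[0-9a-fA-F]{4}:\s+((?:[0-9a-fA-F]{2}\s+)+)")


def hexdump_bytes(trace):
    """Concatenate the bytes from every hex dump line in a slapd trace."""
    out = bytearray()
    for line in trace.splitlines():
        m = _DUMP_LINE.match(line + " ")
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)


def decode_alert_record(data):
    """Parse a 5-byte TLS record header followed by a 2-byte Alert body."""
    if len(data) < 7:
        raise ValueError("need at least 7 bytes: 5-byte record header + 2-byte alert")
    ctype, vmaj, vmin = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    if CONTENT_TYPES.get(ctype) != "alert":
        raise ValueError(f"not an alert record (content type {ctype})")
    if length != 2:
        raise ValueError(f"alert body must be 2 bytes, header says {length}")
    level, desc = data[5], data[6]
    return {
        # Record version 3.1 is TLS 1.0; 3.0 is SSLv3.
        "version": f"TLS 1.{vmin - 1}" if vmaj == 3 and vmin >= 1 else f"SSL {vmaj}.{vmin}",
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
    }


def explain_trace(trace):
    """Decode the alert and record who sent it (tls_read => it came from the client)."""
    alert = decode_alert_record(hexdump_bytes(trace))
    alert["sent_by"] = "client"
    return alert


if __name__ == "__main__":
    print(explain_trace(TRACE))
```

The record is `15 03 01 00 02`: content type 21 (alert), version 3.1 (TLS 1.0), two bytes of body. The body is `02 30`: level 2 (fatal), description 48 (unknown_ca). Since the bytes arrived through `tls_read`, it is the client rejecting the CA that issued `servercrt.pem`; the server's `TLSVerifyClient never` has nothing to do with it. The fix therefore belongs on the client: point `TLS_CACERT` in the client's ldap.conf (or the user's .ldaprc) at the `cacert.pem` that signed the server certificate. Setting `TLS_REQCERT never` on the client would also make the alert disappear, but only by switching off server-certificate verification, which lets anyone on the path present any certificate they like.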