Can't use SSL session - openldap-software

5 Oct 2006


      Using ldapsearch on a VMS system to attempt to do a directory lookup using 
SSL to a non-OpenLDAP directory on another system.  I verified the root CA 
certificate is correct using:
$ openssl s_client -connect adtest:636 "-CAfile" test_root_ca.pem
My LDAP.CONF file contains:
TLS_CHECKPEER   no
BIND_POLICY     soft
TLS_REQCERT     never
TLS_CACERT      RAPTOR$DKA0:[OREILLY.KEYS]TEST_ROOT_CA.PEM
What happens is below:
$ ldapsearch   "-ZZ" -p 636 -d 255 -s base -x -w xxxxxxxxx -v "-D" 
"cn=Administrator,CN=Users,dc=altdomain2000,dc=psccos,dc=com" 
-b"cn=Users,dc=altdomain2000,dc
=psccos,dc=com" -h adtest.altdomain2000.psccos.com 
"(&(objectclass=user)(sAMAccountName=oreilly))"
ldap_initialize( ldap://adtest.altdomain2000.psccos.com:636 )
ldap_create
ldap_url_parse_ext(ldap://adtest.altdomain2000.psccos.com:636)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP adtest.altdomain2000.psccos.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.0.27:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x0043ba98 ptr=0x0043ba98 end=0x0043bab7 len=31
   0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
   0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ber_scanf fmt ({) ber:
ber_dump: buf=0x0043ba98 ptr=0x0043ba9d end=0x0043bab7 len=26
   0000:  77 18 80 16 31 2e 33 2e  36 2e 31 2e 34 2e 31 2e   w...1.3.6.1.4.1.
   0010:  31 34 36 36 2e 32 30 30  33 37                     1466.20037
ber_flush: 31 bytes to sd 3
   0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
   0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_write: want=31, written=31
   0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
   0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_result ld 43B028 msgid 1
ldap_chkResponseList ld 43B028 msgid 1 all 1
ldap_chkResponseList returns ld 43B028 NULL
wait4msg ld 43B028 msgid 1 (infinite timeout)
wait4msg continue ld 43B028 msgid 1 all 1
** ld 43B028 Connections:
* host: adtest.altdomain2000.psccos.com  port: 636  (default)
   refcnt: 2  status: Connected
   last used: Thu Oct  5 16:32:20 2006
** ld 43B028 Outstanding Requests:
  * msgid 1,  origid 1, status InProgress
    outstanding referrals 0, parent count 0
** ld 43B028 Response Queue:
    Empty
ldap_chkResponseList ld 43B028 msgid 1 all 1
ldap_chkResponseList returns ld 43B028 NULL
ldap_int_select
read1msg: ld 43B028 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=0
ber_get_next failed.
ldap_perror
ldap_start_tls: Can't contact LDAP server (-1)
Any ideas?  I've been pulling my hair out over this for a couple weeks 
now.  If I do this same search using port 389 and no SSL it works correctly.
------
+-------------------------------+----------------------------------------+
| Dan O'Reilly                  |  "There are 10 types of people in this |
| Principal Engineer            |   world: those who understand binary   |
| Process Software              |   and those who don't."                |
| http://www.process.com        |                                        |
+-------------------------------+----------------------------------------+